[How to] manage secrets with GCP Secrets Manager
How To Series
![[How to] manage secrets with GCP Secrets Manager 1](https://cdn-images-1.medium.com/max/800/1*054IJTYUdx1psSvwCnPN_g.jpeg)
Managing sensitive application secrets is a critical aspect of modern DevOps workflows. With Google Kubernetes Engine (GKE) and Google Secrets Manager, you can ensure secrets are securely stored and seamlessly injected into your applications. Leveraging GitLab CI/CD makes this process even more streamlined by automating the creation, updating, and distribution of secrets.
In this post, we will explore how to manage application-specific secrets in Google Secrets Manager.
Why Use Google Secrets Manager?
Google Secrets Manager (GSM) provides a centralized, secure, and managed way to store, access, and audit secrets like API keys, database passwords, and sensitive configuration details.
Key Benefits:
- Security: Secrets are encrypted at rest and in transit.
- Access Control: Uses Google IAM policies to enforce granular permissions.
- Versioning: Easily manage and roll back secrets with built-in version control.
- Auditability: Provides detailed logs for all secret access and modifications.
By integrating GSM with GKE and GitLab CI/CD, you can reduce the risks associated with hardcoding secrets or managing them in plain text.
GitLab CI/CD Workflow for Managing Secrets
Overview
The GitLab CI/CD pipeline will:
- Check if the application-specific secret exists in GCP Secrets Manager.
- If not, create and store the secret in GCP Secrets Manager.
- Update the secret in GCP Secrets Manager if it already exists.
- Fetch the secret from GCP Secrets Manager and inject it into GKE as Secrets or ConfigMaps.
Step 1: Set Up Google Secrets Manager
- Enable the Secret Manager API in your GCP project.
- Assign appropriate IAM roles (e.g., Secret Manager Admin) to the GitLab CI/CD service account. The pipeline below creates secrets, adds versions, and reads the latest version, which is why a broad role is suggested here; a workload that only reads a secret at runtime needs no more than Secret Manager Secret Accessor on that one secret.
Step 2: Define GitLab CI/CD Variables
In your GitLab project, set the following CI/CD variables:
- `GCP_PROJECT_ID`: Your GCP project ID.
- `GCP_SERVICE_ACCOUNT_KEY`: Base64-encoded service account key for authentication.
- `APPLICATION_SECRET_KEY`: The key (name) of your application secret.
- `SECRET_VALUE`: The value to store in GSM when creating or updating the secret.

Mark `GCP_SERVICE_ACCOUNT_KEY` and `SECRET_VALUE` as masked (and, for production branches, protected) variables so they are not printed in job logs.
Step 3: GitLab CI/CD Pipeline Configuration
Here’s a sample `.gitlab-ci.yml` file for managing and injecting secrets:
```yaml
stages:
  - setup
  - deploy

variables:
  GKE_NAMESPACE: "default"   # Change to your namespace
  GKE_SECRET_NAME: "app-secret"

# Assumed job image: any image that ships both gcloud and kubectl works
image: google/cloud-sdk:latest

before_script:
  # Decode the base64 service account key into a temp file only the job user can read
  - echo "$GCP_SERVICE_ACCOUNT_KEY" | base64 -d > /tmp/gcp-key.json
  - chmod 600 /tmp/gcp-key.json
  - gcloud auth activate-service-account --key-file=/tmp/gcp-key.json
  - gcloud config set project "$GCP_PROJECT_ID"

setup_secrets:
  stage: setup
  script:
    # Check if the secret exists in GSM (describe exits non-zero and prints an error when it does not)
    - |
      SECRET_EXISTS=$(gcloud secrets describe "$APPLICATION_SECRET_KEY" --format="value(name)" 2>/dev/null || true)
      if [[ -z "$SECRET_EXISTS" ]]; then
        echo "Creating secret in GSM..."
        echo -n "$SECRET_VALUE" | gcloud secrets create "$APPLICATION_SECRET_KEY" --data-file=-
      else
        echo "Updating secret in GSM..."
        echo -n "$SECRET_VALUE" | gcloud secrets versions add "$APPLICATION_SECRET_KEY" --data-file=-
      fi
    # Fetch the latest secret version and store it in a GKE Secret.
    # kubectl must already hold credentials for the target cluster
    # (e.g. obtained with `gcloud container clusters get-credentials`).
    - echo "Fetching secret from GSM..."
    - SECRET=$(gcloud secrets versions access latest --secret="$APPLICATION_SECRET_KEY")
    - echo "Storing secret in GKE..."
    # --dry-run=client -o yaml | kubectl apply makes this step idempotent (create or update)
    - kubectl create secret generic "$GKE_SECRET_NAME" --from-literal="$APPLICATION_SECRET_KEY=$SECRET" --namespace="$GKE_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

deploy_application:
  stage: deploy
  script:
    # Deploy application using Helm or kubectl
    - echo "Deploying application..."
    - kubectl apply -f deployment.yaml
```
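The create-or-update logic of the `setup_secrets` job, as an added shell example that is not code from the original post. It goes one step beyond the pipeline above: it adds a new version only when the stored value actually changed, so re-running the pipeline does not pile up identical versions, and it reads the secret value from stdin so the value never appears in a command line. It assumes `gcloud` is already authenticated and the project is set (as the post's `before_script` does); the `GCLOUD` variable is an assumption that lets the functions be pointed at a stub command for offline testing.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent create-or-add-version
# for a Secret Manager secret. Assumes gcloud is authenticated and the project
# is configured. GCLOUD is an assumed override hook for testing with a stub.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Exit 0 if the secret exists. `describe` prints a NOT_FOUND error for a
# missing secret, so both output streams are silenced and only the exit
# status is used.
secret_exists() {
  "$GCLOUD" secrets describe "$1" --format="value(name)" >/dev/null 2>&1
}

# Print the payload of the latest version, or nothing if there is none.
latest_value() {
  "$GCLOUD" secrets versions access latest --secret="$1" 2>/dev/null || true
}

# ensure_secret NAME   (new value is read from stdin)
# Prints exactly one word: created, updated or unchanged.
ensure_secret() {
  name="$1"
  value="$(cat)"   # read from stdin so the value is never in argv / ps output
  if ! secret_exists "$name"; then
    printf '%s' "$value" | "$GCLOUD" secrets create "$name" --data-file=- >/dev/null
    echo created
  elif [ "$(latest_value "$name")" = "$value" ]; then
    echo unchanged
  else
    printf '%s' "$value" | "$GCLOUD" secrets versions add "$name" --data-file=- >/dev/null
    echo updated
  fi
}

# Usage from a CI job (the value comes from a masked CI/CD variable):
#   printf '%s' "$SECRET_VALUE" | ensure_secret "$APPLICATION_SECRET_KEY"
```

Comparing against the latest version costs one extra `versions access` call per run, but it keeps the version history meaningful: each version then corresponds to a real rotation, which is what you want when auditing access logs or rolling back.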
Step 4: Consume secrets in your Application
For applications to consume the secrets, inject them into environment variables or configuration files:
Example Snippet [values.yaml]
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:              # required for apps/v1; must match the pod template labels
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: my-app-image:latest
          env:
            - name: APPLICATION_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: app-secret             # GKE_SECRET_NAME from the pipeline
                  key: APPLICATION_SECRET_KEY  # must equal the value of $APPLICATION_SECRET_KEY used with --from-literal
```
By combining GKE, Google Secrets Manager, and GitLab CI/CD, you can build a robust workflow to manage and use application secrets securely. This approach strengthens your application’s security posture and simplifies the development and deployment process.
Do you use a similar setup or have additional tips? Share your thoughts in the comments!
Note: This is not a complete guide on how to deploy an application to GKE using GitLab CI/CD. It is just meant to showcase how to use GCP Secrets Manager to manage your config secrets.
A Note from the writer
Welcome to my How-to Tech Blog Series, where I break down technical tasks into simple, actionable steps. Whether you’re coding in your favorite language, navigating the complexities of cloud technologies, or tackling day-to-day programming challenges, this series aims to provide clear and concise solutions. Stay tuned for quick guides that empower you to solve problems and enhance your skills!
