
Secret Manager for credentials in GCP - Commands & Configuration

Introduction
Storing passwords and API keys in application code or config files is risky: anyone who can read the repository, a build log or a container image can read them too. Secret Manager keeps these values outside your code, versions them, and lets you control and audit through IAM who can read them.
When you need to store database passwords securely for your app.
When you want to keep API keys safe and avoid exposing them in code.
When multiple team members need controlled access to sensitive credentials.
When you want to update secrets without changing your app code.
When you want to audit who accessed your secrets and when.
Commands
This command creates a new secret named 'my-db-password'. The secret is only a container at this point; it holds no value until you add a version. Automatic replication stores the payload in several Google-managed regions for availability.
Terminal
gcloud secrets create my-db-password --replication-policy="automatic"
Expected Output
Created secret [my-db-password].
--replication-policy - Defines how the secret payload is replicated: "automatic" (Google chooses the regions) or "user-managed" (you pin the regions with --locations, useful for data-residency requirements).
This command adds a new version to the 'my-db-password' secret with the value 'SuperSecret123'. The echo command pipes the value into gcloud, which reads it from standard input. Note that the literal value still appears on the command line, and therefore in your shell history; for a real secret, pipe it from a variable (printf '%s' "$DB_PASSWORD" | ...) or point --data-file at a file with restrictive permissions instead. Use echo -n or printf '%s' so that no trailing newline is stored as part of the secret.
Terminal
echo -n "SuperSecret123" | gcloud secrets versions add my-db-password --data-file=-
Expected Output
Created version [1] of the secret [my-db-password].
--data-file=- - Reads secret data from standard input.
This command prints the payload of the latest enabled version of the secret 'my-db-password' to standard output. In practice capture it into a variable or have the application read it through the client library; avoid printing secrets to a terminal or a CI log.
Terminal
gcloud secrets versions access latest --secret=my-db-password
Expected Output
SuperSecret123
--secret - Specifies which secret to access. The positional argument names the version ('latest' or a version number such as '1').
This command gives user Alice permission to read the 'my-db-password' secret. The secretAccessor role only allows reading payloads, not changing the secret or its IAM policy. For a workload, bind the service account it runs as (member type serviceAccount:) rather than a human user.
Terminal
gcloud secrets add-iam-policy-binding my-db-password --member="user:alice@example.com" --role="roles/secretmanager.secretAccessor"
Expected Output
Updated IAM policy for secret [my-db-password].
--member - Specifies the principal to grant access to (user:, group:, or serviceAccount:).
--role - Defines the permission level for the member; prefer roles/secretmanager.secretAccessor over broader roles such as roles/secretmanager.admin.
Key Concept

If you remember nothing else from this pattern, remember: keep secrets out of your code, store them in Secret Manager, and grant each principal only the access it needs.

Common Mistakes
Committing secrets to source files, config files or .env files.
Everyone with repository access, and every build log and container image that includes the file, can read them.
Store the value in Secret Manager and have the application fetch it at runtime.
Granting broad roles instead of scoping access to the secret.
A project-level roles/secretmanager.secretAccessor or roles/secretmanager.admin binding lets the principal read (or change) every secret in the project, not just the one it needs.
Bind the least-privilege role on the individual secret, and to a service account rather than a personal account for workloads.
Passing the secret value as a command-line argument when adding a version.
The value ends up in shell history, process listings and CI logs.
Pipe it from a variable with printf '%s' "$VAR" | gcloud ... --data-file=-, or read it with --data-file=<file> from a file with restrictive permissions.
Summary
Create a secret with 'gcloud secrets create' to store sensitive data safely.
Add secret values as versions using 'gcloud secrets versions add' with secure input.
Retrieve secrets with 'gcloud secrets versions access' when your app needs them.
Control who can access secrets by setting IAM policies with 'gcloud secrets add-iam-policy-binding'.