Dan Holevoet
Reputation: 9183
How should I store secrets for use in Google Cloud Platform?
If I had credentials I need to store in Google Compute Engine or Google App Engine for use at build time, how should I store them? Is there something better than storing them in code, or in a bucket?
Upvotes: 2
Views: 2010
Answers (2)
sethvargo
Reputation: 26997
As of December 2019, you should store secrets with Google Secret Manager:
$ echo "ABC1234..." | gcloud beta secrets create "my-api-key" \
--data-file=- \
--replication-policy "automatic"
You can use the Secret Manager REST APIs to access secrets, or a client library.
Upvotes: 1
Dan Holevoet
Reputation: 9183
One option is to encrypt the secrets with a key from Cloud KMS, and store them either in a storage bucket or keep them in the binary. This lets you manage permissions and logging on the key, to indirectly manage who accesses the secret.
Upvotes: 2
Related Questions
- How to handle secrets in Google App Engine?
- How do I store a private key using Google Cloud's Cloud KMS?
- How to keep secrets hidden from gcloud project administrator?
- How to securely store and manage Google Cloud Storage key (json file)
- Storing Secrets as cloud build environment variables
- How should I create service accounts for accessing secrets between GCP projects with Google KMS?
- Storing Application Default Credentials securely in KMS
- Is there a way to store secrets in GCP, similar to Azure vault?
- How should I store access tokens generated by another application using Google Cloud KMS?
- Google cloud KMS store custom keys