Reputation: 31
I have a Windows server on Google Cloud, and a local user and password must be created to be able to run the application.
I would like to store those credentials in a vault in Google Cloud. Is there such a service in Google Cloud, so that when Ansible deploys, it authenticates with those credentials?
In AWS we have Parameter Store, but I am not too sure about Google Cloud. Any ideas much appreciated.
KMS vault, but not really a password manager
Upvotes: 1
Views: 735
Reputation: 26997
As of December 2019, the preferred way to store and manage secrets on Google Cloud is Secret Manager:
    $ echo -n "ABCD1234" | gcloud beta secrets create "my-api-key" \
        --data-file=- \
        --replication-policy "automatic"
Then access secrets from your code:
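    // Requires the @google-cloud/secret-manager package.
    const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
    const client = new SecretManagerServiceClient();

    // Must be async because it awaits the API call.
    async function getSecret() {
      const [version] = await client.accessSecretVersion({
        name: "projects/<YOUR-PROJECT-ID>/secrets/my-api-key/versions/1",
      });
      // auth is "ABCD1234"
      const auth = version.payload.data.toString('utf-8');
      return auth;
    }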
The service account will need roles/secretmanager.secretAccessor permissions.
Upvotes: 1
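An added example, not part of the answer above or of Google's client library: it reads a secret version and rejects the payload if its CRC32C does not match the checksum returned with it. The helper names, the `fakeClient` stand-in and the project ID are constructed for illustration, and the `dataCrc32c` payload field is assumed to be present as the Node.js client returns it.

```javascript
// Added example; helper names are hypothetical and the client is injected.
const CRC32C_TABLE = (() => {
  const table = new Uint32Array(256);
  for (let i = 0; i < 256; i++) {
    let c = i;
    for (let k = 0; k < 8; k++) c = c & 1 ? (c >>> 1) ^ 0x82f63b78 : c >>> 1;
    table[i] = c >>> 0;
  }
  return table;
})();

// CRC32C (Castagnoli), the checksum Secret Manager reports for a payload.
function crc32c(bytes) {
  let crc = 0xffffffff;
  for (const b of bytes) crc = CRC32C_TABLE[(crc ^ b) & 0xff] ^ (crc >>> 8);
  return (crc ^ 0xffffffff) >>> 0;
}

// Builds the resource name in the format used in the answer above.
function versionName(projectId, secretId, version = 'latest') {
  for (const part of [projectId, secretId, String(version)]) {
    if (!part || part.includes('/')) throw new Error('invalid name component');
  }
  return `projects/${projectId}/secrets/${secretId}/versions/${version}`;
}

// Returns the secret as a string, rejecting a payload whose checksum differs.
function decodePayload(payload) {
  const data = Buffer.from(payload.data);
  if (payload.dataCrc32c != null) { // assumed int64 as string, number or Long
    const expected = Number(String(payload.dataCrc32c));
    if (crc32c(data) !== expected) throw new Error('payload failed CRC32C check');
  }
  return data.toString('utf8');
}

async function readSecret(client, projectId, secretId, version) {
  const name = versionName(projectId, secretId, version);
  const [response] = await client.accessSecretVersion({ name });
  return decodePayload(response.payload);
}

// Constructed fake client returning the sample value from the answer.
const fakeClient = {
  async accessSecretVersion({ name }) {
    const data = Buffer.from('ABCD1234');
    return [{ name, payload: { data, dataCrc32c: String(crc32c(data)) } }];
  },
};
readSecret(fakeClient, 'example-project', 'my-api-key', 1).then((s) => console.log('secret length:', s.length));
```

With the real package installed, pass a `SecretManagerServiceClient` instance in place of `fakeClient`.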
Reputation: 76073
No real solution. You can store your login/password encrypted and decrypt them at runtime with Cloud KMS. You can also have a look at Berglas, written by Seth Vargo (Google Cloud Dev Advocate), which works in Go (and a wrapper exists for all the languages), and a Python3 lib that I wrote, if you prefer using it programmatically.
Anyway, stay tuned, something is coming... one day!
Upvotes: 1