Reputation: 354
How would you access Google Secret Manager from an external environment?
I have googled quite heavily the last couple of hours to see if I could use Google Secret Manager from an external service like AWS Lambda or my local PC. I could not find anything helpful, or something that describes properly the steps to do so.
I do not want to play with the APIs and end up doing the authenticating via OAuth myself, I wish to use the client library. How would I go about doing so?
I have so far referred to the following links:
- https://cloud.google.com/secret-manager/docs/configuring-secret-manager - Describes setting up secret manager, and prompts you to set up Google Cloud SDK.
- https://cloud.google.com/sdk/docs/initializing - Describes setting up the cloud SDK (doesn't seem like I get some kind of config file that helps me to point my client library to the correct GCP project)
The issue I have is that it doesn't seem like I get access to some form of credential that I can use with the client library that consumes the secret manager service of a particular GCP project. Something like a service account token or a means of authenticating and consuming the service from an external environment.
Any help is appreciated, it just feels like I'm missing something. Or is it simply impossible to do so?
PS: Why am I using GCP secret manager when AWS offers a similar service? The latter is too expensive.
Upvotes: 0
Views: 2076
Answers (1)
Reputation: 355
I think that your question applies to all GCP services, there isn't anything that is specific to Secret Manager.
As you mentioned, https://cloud.google.com/docs/authentication/getting-started documents how to create and use a Service Account. But this approach has the downside that now you need to figure out to store the service account key (yet another Secret!)
If you're planning to access GCP Secret Manager from AWS you can consider using: https://cloud.google.com/iam/docs/configuring-workload-identity-federation#aws which uses identity federation to map an AWS service account to a GCP service account, without the need to store an extra Secret somewhere.
Upvotes: 2
Related Questions
- Can't access secret in GCP Secret Manager
- Google Apps Scripts accessing Secret Manager
- google cloud secret is there or not
- Not able to access gcp secret manager from standalone go application
- accessing secret from google secret manager
- How to use a Google Secret in a deployed Cloud Run Service (managed)?
- Problems on Accessing Secret Manager on Google Cloud
- Access secret manager from cloud function in GCP. What IAM settings to use?
- Accessing Google Secrets from an application running on a Google Cloud VM instance - Assigning Cloud APIs to VM
- How to enable Google Cloud Secrets Manager using gcloud command line interface?