Reputation: 41
I am not able to find the options to automatically rotate the secrets in Google Secret Manager. If any options are available, please share them here. Thanks in advance.
Upvotes: 2
Views: 2749
Reputation: 75940
TL;DR: Secret Manager doesn't automatically rotate secrets (as HashiCorp Vault can do).
Secret Manager has features to help you manage the rotation, such as the secret rotation deadline or secret notifications. Those features generate messages in a Pub/Sub topic. Then you have to plug in something, like a Cloud Function or a Cloud Run service, to consume the Pub/Sub messages.
Note: A friend of mine released that article; you can take inspiration from it (the Secret Manager rotation deadline feature didn't exist when he implemented that solution at his company).
Upvotes: 0
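As an added illustration of the pipeline this answer describes (not code from the answer, from the linked article, or from Google), here is the consumer side in Python: it reads the Pub/Sub notification, acts only on rotation events, generates a new credential, applies it to the backend, publishes it as a new secret version and disables the previous ones. The `eventType` and `secretId` attribute names are the ones Secret Manager documents for event notifications; `FakeSecretManager`, the secret resource name and the `backend` dict are constructed stand-ins so the block runs offline. In a real Cloud Function you would swap in `google.cloud.secretmanager.SecretManagerServiceClient`, whose methods take a `request` dict rather than the positional arguments the stand-in uses.

```python
"""Added example: the Pub/Sub consumer that performs the rotation Secret Manager only signals.

Assumed (not from the original answer): the documented `eventType`/`secretId` message
attributes, an in-memory stand-in for the Secret Manager client, and a `backend` dict
standing in for the system (e.g. a database) whose credential is being rotated.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ROTATE_EVENT = "SECRET_ROTATE"  # emitted when a secret's rotation deadline passes


@dataclass
class PubSubMessage:
    """Subset of a Pub/Sub message as delivered to a Cloud Function / Cloud Run consumer."""
    attributes: Dict[str, str]


@dataclass
class FakeSecretManager:
    """Hypothetical in-memory stand-in for SecretManagerServiceClient (offline use only).
    Method names mirror the real client; the real methods take a `request` dict instead."""
    versions: Dict[str, List[dict]] = field(default_factory=dict)

    def add_secret_version(self, parent: str, payload: bytes) -> str:
        vers = self.versions.setdefault(parent, [])
        name = f"{parent}/versions/{len(vers) + 1}"
        vers.append({"name": name, "state": "ENABLED", "payload": payload})
        return name

    def list_secret_versions(self, parent: str) -> List[dict]:
        return list(self.versions.get(parent, []))

    def disable_secret_version(self, name: str) -> None:
        parent = name.rsplit("/versions/", 1)[0]
        for v in self.versions.get(parent, []):
            if v["name"] == name:
                v["state"] = "DISABLED"

    def access_latest(self, parent: str) -> Optional[bytes]:
        enabled = [v for v in self.versions.get(parent, []) if v["state"] == "ENABLED"]
        return enabled[-1]["payload"] if enabled else None


def parse_rotation_event(message: PubSubMessage) -> Optional[str]:
    """Return the secret resource name for SECRET_ROTATE events, None for any other notification."""
    if message.attributes.get("eventType") != ROTATE_EVENT:
        return None
    return message.attributes.get("secretId")


def generate_password(length: int = 32) -> str:
    """New credential from the CSPRNG; letters and digits only to stay safe for most backends."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_secret(client, secret_name: str, new_value: bytes,
                  apply_to_backend: Callable[[bytes], None]) -> str:
    # Order matters: make the backend accept the new credential before publishing it,
    # so no consumer ever reads a version the backend does not yet accept.
    apply_to_backend(new_value)
    new_version = client.add_secret_version(secret_name, new_value)
    # Disable (do not destroy) older versions: stale readers fail closed, and a
    # rollback is still possible if the new credential turns out to be broken.
    for v in client.list_secret_versions(secret_name):
        if v["name"] != new_version and v["state"] == "ENABLED":
            client.disable_secret_version(v["name"])
    return new_version


def handle_pubsub_event(message: PubSubMessage, client,
                        apply_to_backend: Callable[[bytes], None],
                        make_value: Callable[[], str] = generate_password) -> Optional[str]:
    """Entry point a Pub/Sub-triggered function would call; returns the new version name or None."""
    secret_name = parse_rotation_event(message)
    if secret_name is None:
        return None  # e.g. SECRET_VERSION_ADD notifications: nothing to rotate
    return rotate_secret(client, secret_name, make_value().encode(), apply_to_backend)


if __name__ == "__main__":
    # Constructed sample: one secret with an existing version, a fake backend, one rotation event.
    SECRET = "projects/example-project/secrets/db-password"  # placeholder resource name
    client = FakeSecretManager()
    client.add_secret_version(SECRET, b"old-password")
    backend = {"password": "old-password"}
    event = PubSubMessage({"eventType": "SECRET_ROTATE", "secretId": SECRET})
    new = handle_pubsub_event(event, client, lambda pw: backend.update(password=pw.decode()))
    print(new, [(v["name"], v["state"]) for v in client.list_secret_versions(SECRET)])
```

The point worth keeping from this shape is that Secret Manager only tells you *when* to rotate; the consumer owns the credential change on the backend, the ordering of that change against the new version, and the decision to disable rather than destroy the old version.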
Reputation: 2063
Here's the documentation on recommended methods of rotating secrets and rotation policies within Secret Manager.
If your secrets are keys for doing stuff inside of Google Cloud and are not for connecting to other services external to GCP, I would avoid using secrets.
A lot of Google services can run with different service accounts that shouldn't have keys.
Where you can't run as a service that has all the privileges you require within GCP, you can assign the privilege to perform account impersonation, to impersonate other accounts that have the privilege to do the thing you need to do (which generates a short-lived token under the hood).
Upvotes: 1