So Google Cloud has finally launched its own secret manager as a service. I got to know from Seth Vargo's tweet; if you don't follow him, by the way, he has given some great talks on DevOps and technology in general. Before this, Google Cloud had nothing of its own to compete with AWS Secrets Manager or HashiCorp Vault. Of course you could use either of those and integrate them with your Google Cloud resources, but now the integration is native and seamless.
Secret Manager lets you store multiple versions of a secret, and only principals granted the appropriate IAM role (for example, roles/secretmanager.secretAccessor to read a value, or roles/secretmanager.admin to manage the secret) can access or edit them, according to the permissions that role carries.
gcloud beta secrets create secret-key --replication-policy="automatic"
A version holds the actual secret value; the secret itself is just a named container for its versions. Versioning is a good concept here because it makes rotation much easier: add a new version, move consumers to it (or have them read the alias "latest"), then disable the old version and destroy it once nothing depends on it.
gcloud beta secrets versions add "secret-key" --data-file secret-key.txt
gcloud beta secrets versions access 1 --secret="secret-key"
There are plenty of other things you can easily do as well, such as listing and describing secrets, disabling or destroying versions, and editing the IAM policy that controls who can access them. The official documentation is very well written.
Overall it is a good choice if you are looking for a seamless, effective secret manager for things like your applications' environment variables. Pricing at launch is $0.06 per active secret version per replication location per month, plus $0.03 per 10,000 access operations, so keep the access charge in mind when you architect your infrastructure: for example, inject secrets into containers at deploy time, or fetch them once at process start and keep them in memory, rather than calling the API on every request. The trade-off is that a value injected at deploy time only picks up a rotation when you redeploy, and anything that can read the process environment can read the secret, so fetching once at startup is usually the better middle ground.
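The commands above cover create, add and access; the script below, as an added example that is not part of the original post, puts the whole lifecycle together: create the secret, add a version from a file or stdin, grant a service account the accessor role, read "latest", rotate by adding a new version and disabling the old one, and fetch the value once at process start for the cost-conscious pattern described above. The project id "my-project", the service account and the file names are assumptions. GCLOUD can be pointed at "echo" to dry-run the commands without credentials; the functions call the GA "gcloud secrets" commands rather than the "gcloud beta" prefix used at launch.

```shell
#!/usr/bin/env sh
# Added example: Secret Manager lifecycle via gcloud. Not the post's own code.
# Set GCLOUD=echo to print the commands instead of running them (dry run).
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project}"          # assumed project id
SECRET_NAME="${SECRET_NAME:-secret-key}"   # name used in the post

# Fully qualified resource name of one version; this is the form the client
# libraries and IAM conditions use.
secret_version_ref() {   # secret_version_ref NAME VERSION
  printf 'projects/%s/secrets/%s/versions/%s\n' "$PROJECT" "$1" "$2"
}

create_secret() {        # create_secret NAME
  "$GCLOUD" secrets create "$1" --project "$PROJECT" --replication-policy automatic
}

# Read the value from a file, or from stdin when FILE is "-". Never pass the
# value itself as an argument: it would land in shell history and in ps output.
add_version() {          # add_version NAME FILE
  "$GCLOUD" secrets versions add "$1" --project "$PROJECT" --data-file "$2"
}

# Least privilege: the workload only needs to read versions, not manage them.
grant_accessor() {       # grant_accessor NAME SERVICE_ACCOUNT_EMAIL
  "$GCLOUD" secrets add-iam-policy-binding "$1" --project "$PROJECT" \
    --member "serviceAccount:$2" --role roles/secretmanager.secretAccessor
}

access_version() {       # access_version NAME [VERSION]   (default: latest)
  "$GCLOUD" secrets versions access "${2:-latest}" --secret "$1" --project "$PROJECT"
}

# Rotation: add the new value first so "latest" flips over, then disable the
# old version. Destroy it separately once nothing still references it.
rotate() {               # rotate NAME NEW_VALUE_FILE OLD_VERSION
  add_version "$1" "$2"
  "$GCLOUD" secrets versions disable "$3" --secret "$1" --project "$PROJECT"
}

# Startup-time fetch: one API call per process, not one per request. The value
# is handed to the child via its environment, so anything able to read that
# process's environment can read the secret; a rotation needs a restart.
run_with_secret() {      # run_with_secret NAME ENV_VAR COMMAND [ARGS...]
  rws_name="$1"; rws_var="$2"; shift 2
  rws_value="$(access_version "$rws_name")"
  env "$rws_var=$rws_value" "$@"
}

# Usage (real run):
#   create_secret "$SECRET_NAME"
#   printf '%s' 's3cr3t' | add_version "$SECRET_NAME" -
#   grant_accessor "$SECRET_NAME" app-sa@my-project.iam.gserviceaccount.com
#   run_with_secret "$SECRET_NAME" DB_PASSWORD ./my-app
```

Two practical notes: feed the value through stdin with printf '%s' rather than from a text file saved by an editor, because an editor usually appends a trailing newline that then becomes part of the secret; and "versions access" writes the raw bytes with no trailing newline, which is why the value is captured with command substitution before being placed in the environment.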