Devs using Google Cloud who feel like it could really do with some better secret management can now head over to their accounts and take the currently in beta Secret Manager service for a spin.
Up until now, Google Cloud customers could always resort to the open source command line tool Berglas to store and retrieve confidential data such as API keys and credentials. Secret Manager, however, is an integrated service, more along the lines of what Google's competitors offer as part of their platforms, such as AWS Secrets Manager or Azure Key Vault. Berglas users can breathe easy, though, since the open source helper apparently isn't going anywhere soon, and using both tools in combination is an option.
The latest Berglas release also ships a migrate command for those looking to move their secrets to the new service. Secrets can be created through the Secret Manager API and its client libraries, or from the command line via the Cloud SDK (gcloud). Secret data is encrypted with TLS in transit and with AES-256 keys at rest.
Secret Manager comes with features such as global names, replication policies, audit logging and first-class versioning, some of which stem from early feedback on the service. Secret names being global within a project, for example, is meant to spare callers the regionalisation issues that come with region-scoped names. Since compliance requirements may call for secret data to stay in particular regions, a replication policy lets customers either let Google choose where secret data is replicated (automatic) or supply the list of allowed regions themselves (user-managed).
Out of the box, only project owners can access secrets; any other principal has to be granted permission explicitly, and audit logging records access so that unusual access patterns that might hint at a breach can be spotted. Secret data is stored as secret versions, so a deployment can pin a specific version for reproducible rollouts and rollbacks, while a latest alias always resolves to the most recent version of a secret.
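The workflow the last three paragraphs describe, driven through the Cloud SDK, as an added example that is not from the article or from Google: it creates a secret with a user-managed replication policy, adds a version from stdin, grants a single service account the read-only accessor role instead of relying on project Owner, and reads back either a pinned version or the latest alias. The project, secret and service-account names are placeholders, and the commands are the `gcloud beta secrets` forms used during the beta (the GA CLI drops `beta`).

```shell
# Added example (not the article's or Google's code): Secret Manager via gcloud.
# PROJECT, SECRET and READER are placeholder names; override them in the environment.
set -eu

PROJECT="${PROJECT:-my-project}"
SECRET="${SECRET:-db-password}"
READER="${READER:-serviceAccount:app@my-project.iam.gserviceaccount.com}"

# User-managed replication: secret data is only ever stored in the listed
# regions, which is what a data-residency requirement needs. Use
# --replication-policy=automatic (and no --locations) to let Google choose.
create_secret() {
  gcloud beta secrets create "$SECRET" --project="$PROJECT" \
    --replication-policy=user-managed --locations=europe-west1,europe-west4
}

# Secret material is read from stdin (--data-file=-) so it never appears in
# argv, in shell history or in the process list.
add_version() {
  gcloud beta secrets versions add "$SECRET" --project="$PROJECT" --data-file=-
}

# Least privilege: the consumer gets the read-only accessor role on this one
# secret rather than project-level Owner, the only role that can read secrets
# by default.
grant_reader() {
  gcloud beta secrets add-iam-policy-binding "$SECRET" --project="$PROJECT" \
    --member="$READER" --role=roles/secretmanager.secretAccessor
}

# $1 is a version number (pin it for reproducible deployments) or "latest",
# which moves every time add_version is called.
access_version() {
  gcloud beta secrets versions access "$1" --secret="$SECRET" --project="$PROJECT"
}

# Driver: sh secrets.sh --run, with the secret value in $DB_PASSWORD.
# The read-back is discarded so the secret is not echoed to the terminal.
if [ "${1:-}" = "--run" ]; then
  create_secret
  printf '%s' "${DB_PASSWORD:?set DB_PASSWORD in the environment}" | add_version
  grant_reader
  access_version latest >/dev/null && echo "latest version is readable"
fi
```

Pinning a version number in `access_version` is what makes a rollout reproducible; a consumer that reads `latest` silently picks up whatever was added most recently, which is convenient for rotation but means a bad version is live the moment it is added.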
Although Secret Manager is still in beta with limited support, it isn't free to use. Users are currently charged $0.03 per 10,000 operations and $0.06 per active secret version per regional replica per month. More information can be found in the product's docs.