27.06.2022

Storing Secrets on GCP

Distributing secrets (such as API keys and connection strings) is a common task for web applications and their development teams.


GCP (Google Cloud Platform) provides a service for storing secrets securely. This lets the end users focus on the application itself rather than on managing secrets, rotating keys and other security-related tasks.


But how can we access the secrets from GCP, both locally for developers and from a cloud service for end users?


We mostly use C# in the backend, so we went ahead and wrote an open-source package which injects the secrets into Microsoft.Extensions.Configuration. This package is called Neolution.Extensions.Configuration.GoogleSecrets and can be found on GitHub:
https://github.com/neolution-ch/Neolution.Extensions.Configuration.GoogleSecrets

The NuGet package is available on NuGet.org: https://www.nuget.org/packages/Neolution.Extensions.Configuration.GoogleSecrets/


Cloud Usage

If your service runs inside a GCP service, you don't have to worry about authorisation at all and can simply use the Neolution.Extensions.Configuration.GoogleSecrets package in the Program.cs file.

For example:


public static IHostBuilder CreateHostBuilder(string[] args)
{
    return Host.CreateDefaultBuilder(args)
        ...
        .ConfigureAppConfiguration((_, configuration) =>
        {
            // Registers the Google Secrets configuration source; on a GCP service
            // the credentials are picked up from the runtime environment.
            configuration.AddGoogleSecrets(options =>
            {
                // The GCP project whose secrets are loaded into the configuration.
                options.ProjectName = "your-project-id";
            });
        });
}
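To show what such a configuration source does under the hood, here is an added example of a minimal provider that loads the latest version of every secret in a project into Microsoft.Extensions.Configuration. It is not the Neolution package's code; it assumes the Google.Cloud.SecretManager.V1 NuGet package, and the hypothetical `AddGoogleSecretManager` extension and the `__` to `:` key mapping are this example's own choices.

```csharp
// Added example, not the Neolution.Extensions.Configuration.GoogleSecrets code.
// Requires the Google.Cloud.SecretManager.V1 and Microsoft.Extensions.Configuration packages.
// Authentication uses Application Default Credentials, so the same code works on a
// GCP service and locally after `gcloud auth application-default login` or with
// GOOGLE_APPLICATION_CREDENTIALS set. Only secrets the credential may access are loaded.
using System;
using System.Collections.Generic;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.SecretManager.V1;
using Microsoft.Extensions.Configuration;

public sealed class GoogleSecretManagerConfigurationSource : IConfigurationSource
{
    public string ProjectId { get; set; } = "";

    public IConfigurationProvider Build(IConfigurationBuilder builder)
        => new GoogleSecretManagerConfigurationProvider(ProjectId);
}

public sealed class GoogleSecretManagerConfigurationProvider : ConfigurationProvider
{
    private readonly string projectId;

    public GoogleSecretManagerConfigurationProvider(string projectId) => this.projectId = projectId;

    public override void Load()
    {
        var client = SecretManagerServiceClient.Create();
        // Configuration keys are case-insensitive, so match that here.
        var data = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);

        foreach (Secret secret in client.ListSecrets(ProjectName.FromProject(projectId)))
        {
            string secretId = secret.SecretName.SecretId;
            var versionName = new SecretVersionName(projectId, secretId, "latest");
            string value = client.AccessSecretVersion(versionName).Payload.Data.ToStringUtf8();

            // Secret ids cannot contain ':', so (assumed convention, like environment
            // variables) "ConnectionStrings__Default" becomes "ConnectionStrings:Default".
            data[secretId.Replace("__", ConfigurationPath.KeyDelimiter)] = value;
        }

        Data = data;
    }
}

public static class GoogleSecretManagerConfigurationExtensions
{
    // Hypothetical extension method; usage: configuration.AddGoogleSecretManager("your-project-id")
    public static IConfigurationBuilder AddGoogleSecretManager(this IConfigurationBuilder builder, string projectId)
        => builder.Add(new GoogleSecretManagerConfigurationSource { ProjectId = projectId });
}
```

Because the provider reads the secrets once in `Load()`, a rotated secret only reaches the application after a restart unless you add a reload mechanism.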


Local Usage

If you want to use the secrets locally, you have two options.

1. Use the gcloud command line tool to log in to your GCP account and set the application default credentials:

gcloud auth login
gcloud auth application-default login

Now the application default credentials are set and you can use the Neolution.Extensions.Configuration.GoogleSecrets package as described above.


2. Use the GOOGLE_APPLICATION_CREDENTIALS environment variable to set the path to the credentials file. This can, for example, point to a service account JSON file. More information can be found here:

https://cloud.google.com/docs/authentication/getting-started#setting_the_environment_variable

With these two approaches, it's easy to manage secrets both locally and in the cloud. Gone are the days when we had to share secrets manually across teams. It's also really easy to manage permissions with this approach, because we create a project on GCP for each environment (production, staging, etc.). So it's easy to define which user should have access to which environment and its secrets.