Google Secret Manager native implementation in Cloud Functions

Sorry for the poor illustration, my graphic designer is doing a round the world trip

What’s here?

Introduction

Usability (natives vs library)

Performance (natives vs library)

Security (natives vs library)

Implementation

Introduction

Each Google Cloud Function runs its own code in its own isolated environment, independent of the others.

Usability

Native implementation should naturally be preferred.

# Secret Manager client library: fetch the secret version over the API
from google.cloud import secretmanager

client = secretmanager.SecretManagerServiceClient()
NAME_SECRET = "projects/xxx/secrets/medium_secret/versions/latest"
response = client.access_secret_version(request={"name": NAME_SECRET})
MEDIUM_SECRET = response.payload.data.decode("UTF-8")
print("Secret : {}".format(MEDIUM_SECRET))

# Native integration: the secret is exposed to the function as an environment variable
import os

MEDIUM_SECRET = os.getenv('MEDIUM_SECRET')
print("Secret : {}".format(MEDIUM_SECRET))

Performance

For this article, I compared the performance of a Google Cloud Function with the secret mounted as a volume against one using the Secret Manager client library.

Security

Which is more secure: native integration (as a mounted volume or an environment variable) or the Secret Manager client library?

Implementation

Mandatory for the three methods ⇒ Creating the secret

Using CLI

gcloud services enable secretmanager.googleapis.com cloudfunctions.googleapis.com
echo -n "A cray cray secret created from command line" | \
gcloud secrets create medium_secret \
--data-file=- \
--replication-policy automatic
gcloud secrets add-iam-policy-binding medium_secret \
--role roles/secretmanager.secretAccessor \
--member "serviceAccount:your-project@appspot.gserviceaccount.com"

Secret Mounted as volume

Function (python)

gcloud functions deploy medium_secret_volume \
--region=europe-west2 \
--trigger-http \
--entry-point medium_secret_volume \
--runtime python38 \
--set-secrets '/secrets/medium_secret=projects/xxxxxxxxxx/secrets/medium_secret:latest'

Secret as Environment variable

Function (python)

gcloud functions deploy medium_secret_env \
--region=europe-west2 \
--trigger-http \
--entry-point medium_secret_env \
--runtime python38 \
--set-secrets 'MEDIUM_SECRET_ENV=projects/xxxxxxxxxx/secrets/medium_secret:latest'

Secret Manager client library

Function (python)

google-cloud-secret-manager==2.0.0

gcloud functions deploy medium_secret_package \
--region=europe-west2 \
--trigger-http \
--entry-point medium_secret_volume \
--runtime python38
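The article omits the bodies of the three functions, so here is an added illustration (not the author's code) of entry points matching the deploy commands above: one reads the mounted file, one the environment variable, one calls the client library. The mount path, variable name and secret name are taken from the commands; `projects/xxx` is the same placeholder project id the article uses, and the handlers return a short hash of the secret rather than echoing the value back to the caller.

```python
import hashlib
import os
from pathlib import Path

# Values taken from the deploy commands; the project id is a placeholder.
VOLUME_PATH = "/secrets/medium_secret"   # --set-secrets '/secrets/medium_secret=...'
ENV_NAME = "MEDIUM_SECRET_ENV"           # --set-secrets 'MEDIUM_SECRET_ENV=...'
SECRET_NAME = "projects/xxx/secrets/medium_secret/versions/latest"


def read_secret_from_volume(path=VOLUME_PATH):
    """Native integration, mounted volume: the secret payload is a plain file."""
    # Secret Manager stores raw bytes; the secret above was created with
    # `echo -n`, so there is no trailing newline to strip.
    return Path(path).read_bytes().decode("utf-8")


def read_secret_from_env(name=ENV_NAME):
    """Native integration, environment variable injected at deploy time."""
    value = os.environ.get(name)
    if value is None:
        raise RuntimeError(f"{name} is not set; check the --set-secrets flag")
    return value


def read_secret_from_api(name=SECRET_NAME):
    """Secret Manager client library: an authenticated API call at runtime."""
    from google.cloud import secretmanager  # lazy import: the native paths need no SDK

    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


def fingerprint(secret):
    """Something a function may safely return or log: a truncated hash, never the value."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


# HTTP entry points named as in the gcloud deploy commands.
def medium_secret_volume(request):
    return fingerprint(read_secret_from_volume())


def medium_secret_env(request):
    return fingerprint(read_secret_from_env())


def medium_secret_package(request):
    return fingerprint(read_secret_from_api())
```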

Conclusion

It’s time to make a choice…

Beranger Natanelic

Beranger Natanelic

Future Unicorn Founder — Using tech for good