gsm-buddy can be used to fetch secrets from GCP Secret Manager as a group which is not currently supported by GCP Secret Manager.
- Fetch secrets for an app prior to it's deployment
- Run
gsm-buddyas a sidecar of an application to feed secrets periodically
curl -sSL https://github.com/yamaszone/gcp-secret-manager-buddy/releases/download/v0.1.2/gcp-secret-manager-buddy-v0.1.2-$(
bash -c '[[ $OSTYPE == darwin* ]] && echo darwin || echo linux'
)-amd64 -o gsm-buddy && chmod a+x gsm-buddy && sudo mv gsm-buddy /usr/local/bin/
Download executable from releases page
project_id=my-gcp-project-id
sa_name=secrets-manager-reader-foo
iam_account="${sa_name}@${project_id}.iam.gserviceaccount.com"
gcloud iam service-accounts create "$sa_name" --display-name "$sa_name"
gcloud projects add-iam-policy-binding "$project_id" --member "serviceAccount:${iam_account}" --role "roles/secretmanager.viewer"
gcloud projects add-iam-policy-binding "$project_id" --member "serviceAccount:${iam_account}" --role "roles/secretmanager.secretAccessor"
gcloud iam service-accounts keys create --iam-account "$iam_account" ~/${sa_name}-key.json
export GOOGLE_APPLICATION_CREDENTIALS=~/${sa_name}-key.json
cat input.json
{
"KEY1":"gsm-secret-ID1",
"KEY2":"gsm-secret-ID2"
}
gsm-buddy get -i input.json -p my-gcp-project
{
"KEY1":"secret-value1",
"KEY2":"secret-value2"
}
gsm-buddy can be run as a stub by setting export GSM_IS_STUB=yes. This will bypass GCP Secret Manager communication and will simply output the content of the input file. This is useful for the following scenarios:
- iterate on the
gsm-buddyitself stubbing out the GCP Secret Manager - allow
gsm-buddyto work for situations where GCP Secret Manager is unreachable
cat input.json
{
"KEY1":"secret-value1",
"KEY2":"secret-value2"
}
gsm-buddy get -i input.json -p my-gcp-project
{
"KEY1":"secret-value1",
"KEY2":"secret-value2"
}
- gsm-buddy:
gsm-buddy get -i secret-ids-sample.json -p tntprod - gcloud:
for i in $(gcloud secrets list --format="value(name)" --filter=""); do echo $i=$(gcloud secrets versions access latest --secret $i); done
| Tool | Time | Operation |
|---|---|---|
| gsm-buddy | (0.835s+1.105s+0.866s)/3=0.935s |
Average of 3 reads |
| gcloud | (4.887s+5.123s+4.853s)/3=4.954s |
Average of 3 reads |
NOTE: gcloud secret fetch method runs serially while gsm-buddy parallelize the fetch request. The secret fetch time will increase linearly for gcloud. For example, gcloud can take ~50s while gsm-buddy can take ~1s to fetch 10 secrets.