Managing Secrets with Google Secret Manager

Overview

Google Secret Manager is a secure and convenient way to store and manage sensitive information such as API keys, database credentials, and other secrets. It ensures that sensitive data is stored securely while allowing controlled access via authentication and permissions.

This guide covers how to access secrets using different methods and provides code snippets to help integrate Google Secret Manager into your applications.

Ways to Manage and Access Secrets

There are multiple ways to retrieve secrets stored in Google Secret Manager:

1. Using Google Cloud Console (UI)

Navigate to Google Cloud Console → Secret Manager
Select the secret you want to access
View or manage versions of the secret

2. Using gcloud CLI

You can retrieve secret values directly from the command line using gcloud:

gcloud secrets versions access 1 --secret=TYPESENSE_ADMIN_CONFIG --project=814713613964

Replace 1 with the required version number
Replace TYPESENSE_ADMIN_CONFIG with the desired secret name
Replace 814713613964 with your GCP project ID

3. Using @google-cloud/secret-manager npm Package

For Node.js applications, the @google-cloud/secret-manager package provides an easy way to programmatically retrieve secrets.

Installation

To install the package, run:

npm install @google-cloud/secret-manager

Code Example

import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

const client = new SecretManagerServiceClient({
  keyFile: 'src/@config/config.firebase.service.account.json',
});

export const getSecretValue = async (projectId: string, secretName: string, version = 'latest') => {
  try {
    const secretPath = `projects/${projectId}/secrets/${secretName}/versions/${version}`;
    const [versionData] = await client.accessSecretVersion({
      name: secretPath,
    });

    return versionData?.payload?.data?.toString();
  } catch (error) {
    console.error(`Failed to retrieve secret ${secretName}:`, error);
    throw error;
  }
};

// Example usage
getSecretValue('814713613964', 'TYPESENSE_ADMIN_CONFIG', '1');

This function fetches the latest or specified version of a secret from Google Secret Manager.
The secret value is retrieved and returned as a string.

Key Features of Google Secret Manager

✅ Versioning of Secrets – Each secret can have multiple versions, allowing rollback if needed.

✅ Audit Logging – Tracks access and modifications to secrets for security monitoring.

✅ Automatic Rotation – Supports automated secret rotation to enhance security.

✅ File-Based Secret Loading – Secrets can be loaded from files during deployment.

✅ Flexible Data Storage – Supports storing secrets as text, JSON, or Base64-encoded data.

For a full list of features, visit Google Secret Manager.

Using secrets in GitHub Actions Workflow

1. Reading the secret and consuming in the workflow

name: Deploy

on:
  push:
    branches:
      - master

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Authenticate with Google Cloud
        uses: google-github-actions/auth@v1
        with:
          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}

      - name: Retrieve Secret from Google Secret Manager
        run: |
          SECRET_VALUE=$(gcloud secrets versions access latest --secret=MY_SECRET --project=${{ secrets.GCP_PROJECT_ID }})
          echo "MY_SECRET=${SECRET_VALUE}" >> $GITHUB_ENV

      - name: Deploy Application
        run: |
          echo "Deploying with secret: $MY_SECRET"

This workflow authenticates with Google Cloud, retrieves the secret, and uses it during deployment.
Secrets are stored in GitHub Actions’ runtime environment.

2. Assigning secrets to be consumed by the service

         service: ${{ steps.SERVICE_NAME.outputs.string }}
          image: gcr.io/${{ env.PROJECT_ID }}/${{ steps.SERVICE_NAME.outputs.string }}:${{  github.sha }}
          region: ${{ env.REGION }}
          secrets: |-
            TYPESENSE_ADMIN_CONFIG=TYPESENSE_ADMIN_CONFIG:latest
            HF_TOKEN=HF_TOKEN:latest

TYPESENSE_ADMIN_CONFIG and HF_TOKEN are the secrets in secret manager, latest version of them will be read by the service.

Conclusion

Google Secret Manager provides a secure, scalable, and easy-to-use solution for managing application secrets. Whether using the UI, CLI, or programmatic access, it ensures that sensitive data is protected while remaining accessible to authorized applications and users.

Status: Accepted
Category: Protected
Authored By: Vishwa & Gladson on Mar 4, 2025
Spike: VN-15706

Revisions.

Overview​

Ways to Manage and Access Secrets​

1. Using Google Cloud Console (UI)​

2. Using gcloud CLI​

3. Using @google-cloud/secret-manager npm Package​

Using secrets in GitHub Actions Workflow​

1. Reading the secret and consuming in the workflow​

2. Assigning secrets to be consumed by the service​

Conclusion​