What if I want to store my service account credentials in GCP's Secret Manager to be used by my applications?

To reach a secret stored in GCP's Secret Manager I need a user with the permission to do that, like for instance a SA + roles/secretmanager.secretAccessor. There's no other way we can access the secrets from Secret Manager. Right?

Is it safe to assume that giving the GCP default account the role above would be safe? projnumber-compute@developer.gserviceaccount.com (Compute Engine default service account)

With the above I could potentially build an app to get the secret using the default account and then authenticate with the credential (pseudo-code):

import json

from google.cloud import secretmanager, storage
from google.oauth2 import service_account

project = "myproject"

# The lines below use Application Default Credentials, i.e. the service account
# attached to the VM (the Compute Engine default SA unless a custom one is attached)
client = secretmanager.SecretManagerServiceClient()
request = {"name": "projects/11111111/secrets/mysecret/versions/latest"}
response = client.access_secret_version(request=request)

# The secret payload is the JSON keyfile of the other service account
payload = response.payload.data.decode("UTF-8")
json_acct_info = json.loads(payload)

# Then use the credential from another SA to authenticate and list buckets
credentials = service_account.Credentials.from_service_account_info(json_acct_info)
storage_client = storage.Client(credentials=credentials, project=project)
buckets = list(storage_client.list_buckets())

Is this safe? :-)

1 answer

  • answered 2021-06-16 18:27 ingernet

    Yes, this is secure. The act of storing credentials in Google Secret Manager is the whole point of Google Secret Manager.

    However, there are two things you can do in addition to this act that will improve the security of your app:

    1. Create a custom service account rather than using the default Compute Engine SA. Using a custom SA makes its name harder to guess, and harder to use in a brute-force attack.
    2. If you do pull down creds into temporary JSON keyfile, make sure to delete the keyfile as part of your script as soon as you're done using it. (Obviously, don't delete the secret from GSM, or you'll have a whole other set of problems to deal with.)
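As an added example that is not part of the question or the answer above, the following Python puts both recommendations into code: a check that the identity doing the Secret Manager lookup is not the Compute Engine default service account (recognised by its `projnumber-compute@developer.gserviceaccount.com` name), a validator for the key JSON pulled out of the secret, and a context manager that writes the key to a 0600 temporary file only when some tool insists on a path, and removes it as soon as the block exits. The in-memory path (`credentials_from_payload`) needs the google-auth library; the sample payload is constructed here and is not a real key.

```python
import json
import os
import re
import stat
import tempfile
from contextlib import contextmanager

# Name pattern of the Compute Engine default service account
# (projnumber-compute@developer.gserviceaccount.com).
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample of what Secret Manager would return for a stored keyfile.
# The private_key is a placeholder, not real key material.
SAMPLE_PAYLOAD = json.dumps({
    "type": "service_account",
    "project_id": "myproject",
    "client_email": "bucket-lister@myproject.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}).encode("utf-8")


def is_default_compute_sa(email: str) -> bool:
    """True when `email` is a project's Compute Engine default service account."""
    return DEFAULT_COMPUTE_SA.match(email) is not None


def parse_sa_key(payload: bytes) -> dict:
    """Decode a secret payload and check it really is a service-account JSON key.

    Failing early here avoids handing a malformed or wrong-typed secret to the
    auth library and getting an opaque error much later.
    """
    info = json.loads(payload.decode("utf-8"))
    required = {"type", "client_email", "private_key", "token_uri"}
    missing = required - set(info)
    if info.get("type") != "service_account" or missing:
        raise ValueError(f"payload is not a service-account key (missing: {sorted(missing)})")
    return info


def credentials_from_payload(payload: bytes):
    """Preferred path: build credentials in memory, so no keyfile ever touches disk."""
    from google.oauth2 import service_account  # assumes google-auth is installed
    return service_account.Credentials.from_service_account_info(parse_sa_key(payload))


@contextmanager
def temporary_keyfile(info: dict):
    """Fallback path for tools that only accept a keyfile path.

    mkstemp creates the file owner-read/write only (0600); the key is deleted
    in `finally`, so it is gone even if the caller raises.
    """
    fd, path = tempfile.mkstemp(prefix="sa-", suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(info, fh)
        yield path
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def keyfile_lifecycle(info: dict) -> dict:
    """Exercise temporary_keyfile and report what a caller observes at each step."""
    with temporary_keyfile(info) as path:
        existed = os.path.exists(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"existed": existed, "mode": mode, "left_behind": os.path.exists(path)}


if __name__ == "__main__":
    info = parse_sa_key(SAMPLE_PAYLOAD)
    print("key belongs to:", info["client_email"])
    print("caller is default compute SA:",
          is_default_compute_sa("123456789-compute@developer.gserviceaccount.com"))
    print("temp keyfile lifecycle:", keyfile_lifecycle(info))
```

In a real deployment the email checked by `is_default_compute_sa` would come from the VM metadata server (`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email`) and a match means the instance is still running as the default SA rather than a custom one; `credentials_from_payload` is the route the question's snippet already uses and should be preferred over `temporary_keyfile` whenever the consuming library accepts in-memory credentials.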