Manage application secrets

This page describes some best practices for managing secrets for applications you deploy to Google Kubernetes Engine or GKE Enterprise clusters using Cloud Deploy.

Because injecting application secrets into deployment artifacts introduces security risks, avoid managing secrets from within Cloud Deploy pipelines.

Secrets consumed in this way should be generated, managed, and rotated outside of the scope of Cloud Deploy.

Secrets, in this context, refer to sensitive data such as database credentials, API keys, certificates, or passwords.

Kubernetes secrets

Kubernetes Secrets are secure objects that store sensitive data, such as passwords, OAuth tokens, and SSH keys in your clusters, separate from Pods. Secrets are similar to ConfigMaps, but are intended to hold confidential data.

Because Kubernetes Secrets are not secure by default (they are stored unencrypted unless you configure encryption), the approaches described in this document do not use them.

Managing secrets for use with Cloud Deploy

This section describes how to manage secrets for applications that you deploy using Cloud Deploy.

The following are two approaches to secrets management with GKE or GKE Enterprise:

Google Secret Manager

Secret Manager is a fully managed, multi-region Google Cloud service that securely stores API keys, passwords, and other sensitive data.

Secrets from Secret Manager can be accessed from the cluster using the client library and Workload Identity authentication, or using the Secrets Store CSI driver.

To use Secret Manager for your application:

  1. Create a secret using Secret Manager.

  2. Reference the secret from your application code using the SDK.

You can pass additional metadata about the secret to your application through environment variables, for example the secret version or the application environment (such as dev, staging, or prod).
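The two steps above, carried into application code as an added example (this is not code from the Cloud Deploy documentation). It assumes the application reads its project, environment and pinned secret version from the environment variables `GOOGLE_CLOUD_PROJECT`, `APP_ENV` and `<SECRET>_VERSION`, and that secrets follow a `<name>-<env>` naming convention; both the variable names and the convention are assumptions for illustration. The resource-name helpers are pure so they can be tested without the client library; `access_secret` uses the real `google-cloud-secret-manager` client, which on GKE authenticates with the Pod's Workload Identity.

```python
"""Resolve a Secret Manager secret from environment-supplied metadata.

Added example, not part of the original page. Assumed environment variables:
  GOOGLE_CLOUD_PROJECT   project that owns the secret
  APP_ENV                deployment environment, e.g. dev, staging, prod
  <SECRET>_VERSION       secret version to pin, e.g. DB_PASSWORD_VERSION=3
The "<name>-<env>" secret naming convention is also an assumption.
"""
import os
from typing import Mapping


def secret_resource_name(project: str, secret_id: str, version: str = "latest") -> str:
    """Build the full resource name that the access_secret_version API expects."""
    if not project or not secret_id:
        raise ValueError("project and secret_id are required")
    return f"projects/{project}/secrets/{secret_id}/versions/{version}"


def secret_name_from_env(base_name: str, env: Mapping[str, str] = os.environ) -> str:
    """Derive the resource name from deployment metadata passed as env vars.

    Keeping one secret per environment (db-password-dev, db-password-prod, ...)
    means promoting a release between Cloud Deploy targets changes only the
    pointer in the environment; no secret value is ever written into a manifest.
    Pinning an explicit version (rather than "latest") makes rotation a
    deliberate, reviewable change.
    """
    project = env["GOOGLE_CLOUD_PROJECT"]
    app_env = env.get("APP_ENV", "dev")
    version_var = f"{base_name.upper().replace('-', '_')}_VERSION"  # e.g. DB_PASSWORD_VERSION
    version = env.get(version_var, "latest")
    return secret_resource_name(project, f"{base_name}-{app_env}", version)


def access_secret(name: str) -> str:
    """Fetch the secret payload with the Secret Manager client library.

    On GKE the client picks up the Pod's Workload Identity credentials; no key
    file is mounted. The import is deferred so the helpers above stay importable
    (and testable) where the library is not installed.
    """
    from google.cloud import secretmanager  # pip install google-cloud-secret-manager

    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


if __name__ == "__main__":
    name = secret_name_from_env("db-password")
    print(f"Resolving {name}")
    # Log only the size, never the value: secret material must not reach stdout or logs.
    print(len(access_secret(name)), "bytes received")
```

The value is read at runtime from Secret Manager, so the container image, the Cloud Deploy release and the rendered manifests never contain it; rotating the credential is a new secret version plus an updated `DB_PASSWORD_VERSION`.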

If the deployment process for a specific feature includes provisioning of infrastructure, then create or update the secret using Secret Manager as part of the provisioning process, before deploying the application.

For more information on managing Kubernetes secrets with Secret Manager, see Using Secret Manager with other products.

HashiCorp Vault

HashiCorp Vault is a popular and widely used open source tool for managing secrets. Google Cloud has extensive integrations and support for Vault, along with other HashiCorp tools such as Terraform.

You can integrate Vault with your Kubernetes cluster in any of the following ways:

  1. Access Vault secrets through the API and authenticate using Workload Identity.

  2. Inject Secrets into your Kubernetes Pods using Vault Agent containers.

  3. Use the Vault CSI Provider to consume those secrets.

What's next