How to secure and manage secrets using Google Cloud KMS
Let’s jump right in. We all know it’s a bad idea to store application secrets within our code. So why are we still storing them there? Let’s take an example.
We could store those secrets in a file and add it to .gitignore so it’s never committed to version control. But there are a couple of hurdles:
- How do we manage those secrets?
- What happens when the local copy is deleted?
- How do we share it with other developers?
- How do we manage versioning of those secrets during changes and an audit log of who changed what?
A lot of questions! So we end up storing secrets within the code, since dealing with all of that feels like too much complexity.
For a big application, or one that needs a higher level of security, we can use a production-grade secret management service such as HashiCorp Vault.
In this article, we will look at a decent approach to dealing with secrets while still achieving better security. We are going to achieve this using Google KMS + Git + IAM + automation.
The idea is not new. This is what we are going to do:
- We are going to store the encrypted version of plaintext in version control using Google KMS