How to secure and manage secrets using Google Cloud KMS
Let’s jump right in. We all know it’s a bad idea to store application secrets within our code. So why we are storing there it still? Let’s take an example.
We could store those secrets in a file and add it to the gitignore so it’s not added to version control. But there are a couple of hurdles:
- How do we manage those secrets?
- What happens when the local copy is deleted?
- How do we share it with other developers?
- How do we manage versioning of those secrets during changes and an audit log of who changed what?
A lot of questions! So we end up storing it within the code since it’s too much complexity to deal with.
For a big application or application which needs a higher level of security, we can use Production grade secret management services like Hashicorp Vault.
In this article, we will look at a decent approach in dealing with secrets while still achieving better security. We are going to achieve this using Google KMS + Git + IAM+ automation.
The idea is not new. This is what we are going to do:
- We are going to store the encrypted version of plaintext in version control using Google KMS
- We will use KMS IAM to allow appropriate users to manage secrets for each environment by granting encrypt/decrypt roles
- We’ll deploy the application with encrypted secret files
- We will allow permission for the server to decrypt secrets for each environment
- At runtime, we’ll load encrypted files, decrypt using KMS APIs and use it.
Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services. You can generate, use, rotate, and destroy cryptographic keys. Cloud KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how these are used.