
Using Google Cloud Secret Manager with Okteto

Google Cloud Secret Manager stores API keys, passwords, certificates, and other sensitive data in your GCP account. Okteto can retrieve these secrets when deploying your application, so your Development and Preview Environments use the same secret store as the rest of your infrastructure and developers never handle the secret values directly.

This tutorial deploys the okteto-community/gcp-secret-manager sample application: a Go web server that reads its configuration from a .env file created at deploy time from a secret stored in Secret Manager.

Prerequisites

Giving your Okteto instance access to your GCP account

Okteto authenticates to GCP with a dedicated service account whose key you store as Admin Variables. Admin Variables are available to the deploy commands of every Development and Preview Environment in your Okteto instance.

  1. Create a service account for your Okteto instance. Grant it the minimum set of permissions it needs — for this tutorial, the Secret Manager Secret Accessor role is enough.
  2. Create a service account key and save it locally.
  3. In the Okteto Admin Dashboard, navigate to Admin → Variables and create the following Admin Variables:
    • GCP_PROJECT_ID: the ID of the GCP project you are using
    • GCP_SERVICE_KEY: the base64-encoded value of the service account key you created

You can generate the base64 value of the key with:

base64 -i <path-to-your-service-account-key>.json

Tip

If you prefer not to manage long-lived service account keys, you can configure keyless authentication with Workload Identity Federation instead. The rest of this tutorial uses the service account key approach.
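The base64 step above is where most setup mistakes happen: `base64 -i FILE` is the macOS form (on GNU coreutils, `-i` means "ignore garbage" and the file is read from stdin), and GNU base64 wraps its output at 76 columns, so the pasted value may contain newlines. The script below is an added example, not part of the Okteto docs or the sample repository; it encodes the key as a single line in a way that works on both platforms and checks that the value decodes back to a service-account key before you paste it into the GCP_SERVICE_KEY Admin Variable. The key file it uses is a constructed stand-in with dummy values.

```shell
# Added example (not part of the Okteto docs or the sample repository): encode a
# service-account key file into the single-line base64 form for the
# GCP_SERVICE_KEY Admin Variable, and check that it decodes back to a
# service-account key, without printing any of the key material.
#
# The key file below is a constructed stand-in with dummy values, not a real key.

set -eu

# encode_key <path> : prints the base64 of the file as one line.
# GNU base64 wraps at 76 columns and macOS base64 takes the file via -i, so
# reading from stdin and stripping newlines behaves the same on both.
encode_key() {
    base64 < "$1" | tr -d '\n'
}

# check_key_blob <base64-string> : returns 0 only if the blob decodes and the
# result has the fields a service-account key must have. Nothing is echoed.
check_key_blob() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    printf '%s' "$decoded" | grep -q '"type": *"service_account"' || return 1
    printf '%s' "$decoded" | grep -q '"private_key"' || return 1
    printf '%s' "$decoded" | grep -q '"client_email"' || return 1
    return 0
}

# Constructed sample key (dummy values; a real key carries a long PEM private_key).
KEY_FILE=$(mktemp)
cat > "$KEY_FILE" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n",
  "client_email": "okteto-deployer@example-project.iam.gserviceaccount.com"
}
EOF

BLOB=$(encode_key "$KEY_FILE")
rm -f "$KEY_FILE"

if check_key_blob "$BLOB"; then
    echo "GCP_SERVICE_KEY value is one line of $(printf '%s' "$BLOB" | wc -c | tr -d ' ') characters"
else
    echo "value did not decode to a service-account key" >&2
    exit 1
fi
```

Run it against your real key file instead of the constructed one and paste the single-line value into the Admin Variable; the check only confirms the shape of the key, it does not test that the service account has the Secret Manager Secret Accessor role.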

Creating the secret

The sample application expects a secret named top-secret-information containing a .env file with two values. Create a local file with the secret content:

echo -e "MY_NAME=cindy\nMY_COLOR=valencia green" > top-secret-information.txt

Create the secret in Secret Manager:

gcloud secrets create top-secret-information --replication-policy="automatic"

Upload the file as the first version of the secret:

gcloud secrets versions add top-secret-information --data-file=top-secret-information.txt

Verify the secret by retrieving it:

gcloud secrets versions access latest --secret=top-secret-information

Deploying the Development Environment

Clone the sample repository and deploy it:

git clone https://github.com/okteto-community/gcp-secret-manager.git
cd gcp-secret-manager
okteto deploy

You can also deploy the repository directly from the Okteto UI.

The deploy section of the okteto.yaml in the sample repository authenticates to GCP using the Admin Variables you created, downloads the secret into a .env file, and deploys the application with it:

deploy:
  # this image already contains the gcloud CLI, so developers don't need to
  # install or configure anything except the Okteto CLI
  image: google/cloud-sdk:alpine
  commands:
    - name: Configure GCP credentials
      command: |
        echo ${GCP_SERVICE_KEY} | base64 -d | gcloud auth activate-service-account --key-file=-
        gcloud --quiet config set project ${GCP_PROJECT_ID}

    - name: Create the .env file using the secrets stored in Secret Manager
      command: gcloud secrets versions access "latest" --secret=top-secret-information > .env-okteto

    - name: Deploy the application
      command: okteto deploy --file docker-compose.yaml
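The "Create the .env file" step redirects gcloud's output straight into .env-okteto, so a failed or empty fetch still produces a file and the deploy continues with missing configuration. The script below is an added example, not the sample repository's own deploy step: it fetches the secret into a temporary file, refuses empty or malformed content, and only then moves it into place with owner-only permissions, so a bad fetch leaves no partial .env-okteto behind. The fetch_secret function is a stand-in for `gcloud secrets versions access latest --secret=NAME` so that the script runs offline; its secret contents are constructed.

```shell
# Added example (not from the Okteto docs or the sample repository): a
# fail-closed version of the "Create the .env file" deploy step.
#
# fetch_secret stands in for:
#   gcloud secrets versions access latest --secret="$1"
# so the script runs offline. The secret contents below are constructed.

set -eu

fetch_secret() {
    case "$1" in
        top-secret-information)
            printf 'MY_NAME=cindy\nMY_COLOR=valencia green\n' ;;
        broken-secret)
            printf 'MY_NAME=cindy\nthis line has no equals sign\n' ;;
        *)
            echo "secret $1 not found" >&2; return 1 ;;
    esac
}

# write_env_file <secret-name> <destination>
# Returns 0 and creates <destination> with mode 0600 on success; returns 1
# and leaves <destination> untouched on any failure.
write_env_file() {
    secret=$1; dest=$2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    chmod 600 "$tmp"
    if ! fetch_secret "$secret" > "$tmp"; then
        echo "could not read secret $secret" >&2; rm -f "$tmp"; return 1
    fi
    if [ ! -s "$tmp" ]; then
        echo "secret $secret is empty" >&2; rm -f "$tmp"; return 1
    fi
    # every non-blank, non-comment line must look like NAME=value
    if grep -v -e '^[[:space:]]*$' -e '^#' "$tmp" | grep -qv '^[A-Za-z_][A-Za-z0-9_]*='; then
        echo "secret $secret contains a line that is not NAME=value" >&2; rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dest"
}

WORKDIR=$(mktemp -d)

# happy path: the secret from this tutorial becomes .env-okteto
write_env_file top-secret-information "$WORKDIR/.env-okteto"
echo "wrote $WORKDIR/.env-okteto with mode $(ls -l "$WORKDIR/.env-okteto" | cut -c2-10)"

# failure path: malformed content is rejected and no file is created
if write_env_file broken-secret "$WORKDIR/.env-broken"; then
    echo "unexpected: malformed secret accepted" >&2; exit 1
fi
echo "broken-secret rejected, $WORKDIR/.env-broken not created"
```

In the real deploy step, replace the body of fetch_secret with the gcloud command and keep the deploy command after it: because the function returns non-zero on failure and the pipeline uses set -e, the deploy stops before `okteto deploy --file docker-compose.yaml` runs against a missing or empty .env-okteto.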

When the deploy finishes, open the endpoint Okteto created for you from the Okteto UI. The application reads MY_NAME and MY_COLOR from the .env file built from your secret:

Hi, my name is cindy, and my favorite color is valencia green

To use a different secret in your own application, change the --secret flag in the deploy command to the name of your secret. Secrets are downloaded only during deployment — rotate a secret in Secret Manager and redeploy to pick up the new value.