Welcome to this month’s blog post! In this post, you’ll learn strategies for rotating secrets in Google Cloud Platform’s (GCP) Secret Manager. While GCP provides a built-in mechanism for scheduling secret rotation, the actual implementation is left to you. After defining strategies for secret rotation, we’ll walk through some examples of how you can implement these strategies.
GCP Secret Manager
First, let’s discuss the GCP Secret Manager. Google Cloud Secret Manager is a service that securely stores, manages, and accesses sensitive information such as API keys, passwords, and certificates. It centralizes secret management with features such as strong encryption, access control, and versioning. Secret Manager is designed to integrate seamlessly with other GCP services, making it a popular choice for organizations using GCP infrastructure. While there are a ton of important features in Secret Manager, we’ll be covering one that it lacks, and that’s managed secret rotation. If you’re familiar with other secret managers like AWS’s Secret Manager, you know that it comes with a native method to manage your secret rotation. Let’s focus on implementing a custom approach using automated rotation scheduling, Pub/Sub, and Cloud Run functions.
Why is Rotation Important?
Secret rotation is essential for maintaining security and minimizing risks associated with long-lived secrets. Regularly rotating secrets reduce the chances of unauthorized access if a secret is inadvertently exposed.
GCP Secret Manager allows you to configure a rotation schedule for any secret. While this doesn’t perform the rotation automatically, it triggers a Pub/Sub event that notifies your application when it’s time to rotate. From there, you can use Cloud Run or another service to generate new secrets, update dependent systems, and mark the new version as active.
Let’s dive into the strategies for implementing secret rotation.
Choosing the Right Strategy
The strategy you choose for rotating secrets depends on your use case. For simple scenarios, where secrets are not in constant use, a straightforward approach works well. For more complex, high-availability systems, you’ll need a careful, staged approach to ensure uninterrupted service. We’ll cover both below.
Secret Rotation Strategies
Simple Rotation
The simple rotation strategy involves generating a new version of a secret and replacing the old one immediately. This approach is suitable for secrets that are easy to update across your applications without downtime.
Steps:
- Generate a new version of the secret.
- Update applications to use the new secret.
- Disable or delete the old version of the secret.
Example Use Case: Rotating an API key for a service that your application accesses infrequently.
High Availability Rotation
The high availability rotation strategy is designed for secrets that are in constant use, such as database credentials or API keys for critical services. This strategy minimizes downtime by staging versions before making them active.
Steps:
- Add a New Pending Secret: Generate a new secret version and mark it as pending.
- Update the System: Update the dependent system (e.g., database) to use the new secret.
- Test the New Credential: Ensure the new secret works as expected.
- Mark as Active: Mark the new secret as active by updating the CURRENT alias.
Example Use Case: Rotating database credentials while maintaining active connections.
To wrap things up, managing secrets effectively is a critical component of securing any cloud-based application, and while GCP Secret Manager provides excellent tools for storing and accessing secrets, it requires custom solutions for secret rotation. By implementing strategies such as the simple rotation for straightforward use cases and the high availability approach for more complex scenarios, you can ensure your systems remain secure and operational during rotations. Leveraging GCP’s Pub/Sub notifications and Cloud Run functions allows for powerful automation. Whether you’re rotating API keys or database credentials, the strategies and examples provided in this post serve as a robust foundation for managing secrets securely and efficiently in GCP.
Link to example code for various rotation strategies – https://gist.github.com/Robert-Labrada/55350cd815049c20faa375f5340546bc
