In this blog we show you how to store secrets in Google Cloud Platform using Berglas. Berglas combines
the features of Google Cloud Storage, Google Key Management Serviceand Google Identity and Access management to create a secret store.
It stores secrets safely and needs explicit authorization to access them. Google Cloud Platform logs any access to the secrets in the audit trail.
After downloading and installing Berglas you start by creating a secret store.
Creating a secret store
To create a secret store in your GCP project, type:
berglas bootstrap \
--project ${PROJECT_ID} \
--bucket ${BUCKET_ID}
This will create the bucket in which it stores secrets and a KMS key to encrypt them. The name of the key is berglas-key
. The bucket is versioned and access for project editors and viewers is revoked. Now you can add a secrets.
Adding a secret
To add a secret to the store, type:
berglas create \
${BUCKET_ID}/oracle/scott/password tiger \
--key projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key
To view the content, type:
$ berglas access ${BUCKET_ID}/oracle/scott/password
tiger
The secret is not acccessible to anyone yet.
Granting access
To grant access, type:
$ berglas grant \
${BUCKET_ID}/oracle/scott/password \
--member domain:binx.io
Successfully granted permission on [oracle/scott/password] to:
- domain:binx.io
You can grant access to this secret to any authenticated identity from Google IAM.
To view who has received read access, type:
$ gsutil acl get gs://${BUCKET_ID}/oracle/scott/password
[
{
"email": "markvanholsteijn@binx.io",
"entity": "user-markvanholsteijn@binx.io",
"role": "OWNER"
},
{
"domain": "binx.io",
"entity": "domain-binx.io",
"role": "READER"
}
]
The grant command also binds the decrypter role to the domain on the KMS key:
$ gcloud kms keys get-iam-policy berglas-key \
--location global --keyring berglas
bindings:
- members:
- domain:binx.io
role: roles/cloudkms.cryptoKeyDecrypter
etag: BwWPi725v10=
version: 1
So, now anybody in the domain binx.io
can read the object and decrypt it’s content. When
somebody from the domain binx.io
read the secret, GCS logs this in the audit trail.
View the audit trail
To view who accessed your secrets, you can consult data access audit log:
$ gcloud logging read projects/${PROJECT_ID}/logs/cloudaudit.googleapis.com%2Fdata_access
---
insertId: ezqliye5onps
logName: projects/******-***/logs/cloudaudit.googleapis.com%2Fdata_access
protoPayload:
'@type': type.googleapis.com/google.cloud.audit.AuditLog
authenticationInfo:
principalEmail: markvanholsteijn@binx.io
authorizationInfo:
- granted: true
permission: storage.objects.get
resource: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
resourceAttributes: {}
- granted: true
permission: storage.objects.getIamPolicy
resource: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
resourceAttributes: {}
methodName: storage.objects.get
requestMetadata:
callerIp: ****:***:***f:*:****:d***:****:d***
callerSuppliedUserAgent: berglas/0.2.0 (+https://github.com/GoogleCloudPlatform/berglas),gzip(gfe)
destinationAttributes: {}
requestAttributes: {}
resourceLocation:
currentLocations:
- us
resourceName: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
serviceName: storage.googleapis.com
status: {}
receiveTimestamp: '2019-08-07T19:28:14.495129561Z'
To access the secret from an application, berglas offers different integrations.
Application Integrations
Berglas offers a easy integrations for applications in App Engine, Cloud Run,
Cloud Functions, Cloud Build and Kubernetes. We recommend checking out the
different examples on Berglas integrations
Conclusion
As you have seen, Berglas combines
the features of Google Cloud Storage, Google Key Management Serviceand Google Identity and Access management to create a secret store.
It stores secrets safely and needs explicit authorization to access them. Google Cloud Platform logs any access to the secrets in the audit trail.