Secret Management
Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.
You can finely control CRUD permissions on a secret for an account (a user account, a service account, or a Google Group). See the for more information.
Add the Spring Cloud GCP Secret Manager starter:
Secret Manager can be configured during the Bootstrap phase, via bootstrap.properties. The starter automatically enables Secret Manager integration, but you can disable it by configuring spring.cloud.gcp.secretmanager.enabled=false in a different Spring Boot profile.
You can access individual secrets stored in Secret Manager by looking up property keys with the sm:// prefix.
You can inject the secret value by using the @Value annotation.
You can refer to the secret value like any other property, and reference secret values in a properties file.
Mapping properties this way, rather than hard-coding the Secret Manager property key in an @Value annotation, can help you use multiple profiles.
For example, you can have application-dev.properties with:
And, for production, create an application-prod.properties with:
| Form | Example |
| --- | --- |
| Short | sm://order-db-password |
| Short - Versioned | sm://order-db-password/1 |
| Short - Project Scoped and Versioned | sm://your-project/order-db-password/1 |
| Long - Project Scoped | sm://projects/your-project/order-db-password/1 |
| Long - Fully Qualified | sm://projects/your-project/secrets/order-db-password/versions/1 |
Use Spring Boot profiles to separate the local development configuration from deployed environments. For example, for local development you can hard-code test credentials/values, while for the cloud environment you can use a different profile.
Configure the default profile to disable Secret Manager.
Hard-code the local test credentials with the value as usual.
Configure the production profile to enable Secret Manager.
Configure the production profile to retrieve the credential from Secret Manager.
Start your application with the profile, for example:
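The profile split described in the steps above, laid out as the four property files involved. This is an added example, not configuration from the original page; the spring.datasource.password key, the bootstrap-prod.properties file name, the local test value and the app.jar name are assumptions.

```properties
# --- bootstrap.properties (default profile, local development) ---
# Secret Manager integration is off, so sm:// keys are not resolved in this profile.
spring.cloud.gcp.secretmanager.enabled=false

# --- application.properties (default profile) ---
# Constructed, test-only value. Never place a real credential in this file.
spring.datasource.password=local-test-password

# --- bootstrap-prod.properties (prod profile; file name is an assumption) ---
spring.cloud.gcp.secretmanager.enabled=true

# --- application-prod.properties (prod profile) ---
# Resolved from Secret Manager at startup; overrides the default-profile value above.
# The short form reads the latest version. Use sm://order-db-password/1 to pin
# a version so a newly added secret version is not picked up implicitly.
spring.datasource.password=${sm://order-db-password}

# Start with the production profile active (app.jar is a placeholder name):
#   java -Dspring.profiles.active=prod -jar app.jar
```

Application code reads the same property key in both profiles, so no sm:// key is hard-coded in an @Value annotation and the production secret never appears in the repository.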
You can easily get value from Secret Manager by using .
Read documentation for more details.