gcp-secret-manager

GCP Secret Manager

Store and manage secrets securely in Google Cloud Platform.

When to Use This Skill

Use this skill when:
  • Managing secrets in GCP
  • Integrating with GKE workloads
  • Storing API keys and credentials
  • Implementing secret rotation

Prerequisites

  • GCP project
  • gcloud CLI configured
  • Secret Manager API enabled

Basic Operations

bash
# Create the secret with its first version. --data-file=- reads the value from
# stdin; a literal in an echo command still lands in shell history, so prefer
# --data-file=/path/to/file (or a pipe from a password manager) for real values.
echo -n "secret123" | gcloud secrets create db-password --data-file=-

# Access the latest version. "latest" is the most recently created version,
# not necessarily the one your service was tested with; pin a version id in production.
gcloud secrets versions access latest --secret=db-password

# Add a new version. Earlier versions stay enabled until you disable or destroy them.
echo -n "newsecret" | gcloud secrets versions add db-password --data-file=-

# List secrets in the current project
gcloud secrets list
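Rotation in practice, as an added example that is not code from the original page: a POSIX shell function that publishes a new version, reads it back before touching anything else, then disables (rather than destroys) every other enabled version so the previous value stays available for rollback. It assumes gcloud is authenticated against the target project, that the secret named `db-password` already exists, and uses `--format='value(...)'` to get machine-readable output; `rollback_secret` republishes an old value as a new version because the `latest` alias resolves to the most recently created version even when that version is disabled.

```sh
#!/bin/sh
# Added example (not from the original page): rotate a Secret Manager secret
# with a rollback window. Assumes gcloud is authenticated and the secret exists.

# version_id RESOURCE_NAME -> numeric id ("projects/p/secrets/s/versions/7" -> "7")
version_id() {
  printf '%s\n' "${1##*/}"
}

# rotate_secret SECRET DATA_FILE
#   1. add the file's contents as a new version
#   2. read the new version back so a broken upload never disables the old value
#   3. disable every other ENABLED version (reversible, unlike destroy)
rotate_secret() {
  secret=$1
  data_file=$2

  new_name=$(gcloud secrets versions add "$secret" \
    --data-file="$data_file" --format='value(name)') || return 1
  new_id=$(version_id "$new_name")

  gcloud secrets versions access "$new_id" --secret="$secret" >/dev/null || return 1

  # value(name,state) prints one "name<TAB>state" line per version.
  versions=$(gcloud secrets versions list "$secret" --format='value(name,state)') || return 1
  while read -r name state; do
    [ -n "$name" ] || continue
    id=$(version_id "$name")
    if [ "$id" != "$new_id" ] && [ "$state" = "ENABLED" ]; then
      gcloud secrets versions disable "$id" --secret="$secret" || return 1
    fi
  done <<EOF
$versions
EOF
  printf 'rotated %s: version %s is live\n' "$secret" "$new_id"
}

# rollback_secret SECRET OLD_ID: re-enable a disabled version and republish its
# value as the newest version, so readers of "latest" pick the old value up again.
rollback_secret() {
  gcloud secrets versions enable "$2" --secret="$1" >/dev/null || return 1
  gcloud secrets versions access "$2" --secret="$1" \
    | gcloud secrets versions add "$1" --data-file=- --format='value(name)'
}

# Usage:
#   printf '%s' "$NEW_PASSWORD" > /dev/shm/db-password && rotate_secret db-password /dev/shm/db-password
#   rollback_secret db-password 2
```

Disabling instead of destroying keeps the old ciphertext available for the rollback window; destroy the superseded versions in a later cleanup step once the new value has been confirmed in production.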

Application Integration

python
from google.cloud import secretmanager

project_id = "my-project"
secret_id = "db-password"
# "latest" follows every new version; pin a numeric version id in production
# so a bad rotation cannot change what the service reads without a deploy.
version_id = "latest"

client = secretmanager.SecretManagerServiceClient()
name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
response = client.access_secret_version(request={"name": name})
secret = response.payload.data.decode("UTF-8")

GKE Integration

yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: gcp-secrets
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/my-project/secrets/db-password/versions/latest"
        path: "db-password"
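Wiring the SecretProviderClass above to a running pod, as an added example (not code from the original page or from the CSI provider project): shell functions that grant the Google service account `roles/secretmanager.secretAccessor` on the single secret, let the Kubernetes service account impersonate it through Workload Identity, and apply a ServiceAccount plus Pod that mounts the secret at `/var/secrets/db-password`. The names `my-project`, `default`, `app-sa` and `db-password` are assumptions; it also assumes the Google service account `app-sa@my-project.iam.gserviceaccount.com` already exists and that the cluster has Workload Identity and the Secrets Store CSI driver with the GCP provider installed.

```sh
#!/bin/sh
# Added example (not from the original page): connect a GKE pod to the
# "gcp-secrets" SecretProviderClass with Workload Identity and least-privilege IAM.
# Assumed names: project my-project, namespace default, Kubernetes SA app-sa,
# Google SA app-sa@my-project.iam.gserviceaccount.com, secret db-password.

# wi_member PROJECT NAMESPACE KSA -> Workload Identity principal for that pod identity
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# grant_secret_access PROJECT SECRET GSA_EMAIL
# Bind secretAccessor on the one secret, not on the project (least privilege).
grant_secret_access() {
  gcloud secrets add-iam-policy-binding "$2" --project="$1" \
    --member="serviceAccount:$3" --role="roles/secretmanager.secretAccessor"
}

# bind_workload_identity PROJECT NAMESPACE KSA GSA_EMAIL
# Let the Kubernetes SA impersonate the Google SA; no JSON key is ever created.
bind_workload_identity() {
  gcloud iam service-accounts add-iam-policy-binding "$4" --project="$1" \
    --role="roles/iam.workloadIdentityUser" --member="$(wi_member "$1" "$2" "$3")"
}

# workload_manifest NAMESPACE KSA GSA_EMAIL -> ServiceAccount + Pod that mounts the secret
workload_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    iam.gke.io/gcp-service-account: $3
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: $1
spec:
  serviceAccountName: $2
  containers:
    - name: app
      image: gcr.io/google-samples/hello-app:1.0
      volumeMounts:
        - name: secrets
          mountPath: /var/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: gcp-secrets
EOF
}

# wire_workload PROJECT NAMESPACE KSA SECRET: run the steps in order, then apply.
wire_workload() {
  gsa="$3@$1.iam.gserviceaccount.com"
  grant_secret_access "$1" "$4" "$gsa" &&
  bind_workload_identity "$1" "$2" "$3" "$gsa" &&
  workload_manifest "$2" "$3" "$gsa" | kubectl apply -f -
}

# Usage: wire_workload my-project default app-sa db-password
```

The pod never sees a service-account key: the CSI driver fetches the secret with the pod's Workload Identity token, and the only IAM grant is accessor on one secret, so a compromised pod cannot enumerate or read other secrets in the project.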

Best Practices

  • Use Workload Identity for GKE so pods authenticate with short-lived tokens instead of mounted service-account key files
  • Implement IAM least privilege: grant roles/secretmanager.secretAccessor on individual secrets, not on the whole project
  • Enable audit logging (Data Access logs for Secret Manager are off by default) so every secret access is recorded
  • Use secret versions for rollback: disable the superseded version after a rotation rather than destroying it straight away
  • Integrate with Cloud KMS for customer-managed encryption keys (CMEK) where policy requires it; secrets are already encrypted at rest with Google-managed keys

Related Skills

  • hashicorp-vault - Multi-cloud secrets
  • gcp-gke - GKE integration