Open in app

Sign in

Write

Sign in

Secret Manager: protect your secrets from inside threats

guillaume blaquiere
Google Cloud - Community
Published in
4 min readMar 25, 2021

The secrets are the ultimate piece to protect: password, API Keys, private keys, root certificates,… There are several types of secrets but all needs to be kept safe and private. On Google Cloud, Secret Manager service helps to achieve this by keeping the secrets encrypted and protected by IAM.

IAM secret protection

Out of the box, Secret Manager offers a fine grained policy to grant access on individual secrets to enforce the least privilege principle. Like this, only the accounts (user account, or service account) that need to access to some secrets are allowed to reach them, but they can’t access the other secrets, even inside the same project.
It’s true for the accessor role (to read the secret), but also for creating new secret versions for instance.

Seth Vargo has released a great video on that topic.

However, the difficulties begin when several set of users need to administrate the secrets. Let’s say :

  • A DevOps team which manages the certificates resources, the database, and the secrets related to them.
  • A Development team which use API keys to access to third party service and needs to keep this secret safe.

All the project longs, some secrets no longer exist and must be created by each teams, in their perimeter. And because the secrets no longer exist, you can’t grant IAM role on them and achieve least privilege as described before.

So the teams have a Secret Manager admin role at the project level, and thus, can view and delete any secrets in the project!

How to achieve the least privilege principle when 2 teams work on the same project?

There are solutions, such as “Create a new project” or “Let all the secrets creation done by the DevOps team”.
Yes, but there is another way: IAM conditions.

IAM conditions on Secret Manager

The IAM service has a feature named “condition”. Obviously explicit, you can grant role only in the condition is met.

To apply that on our use case, there are 2 requirements

  • The users account (or groups) haven’t legacy roles (Viewer, Owner, Editor). IAM conditions can’t be applied on legacy roles.
  • Each group of users use a naming convention and prefix all the secrets with the same value. For instance, devops- for the devops team and dev- for the dev team.

Then, use IAM condition to configure the access.

  • The devops accounts have only access to the devops- prefixed secrets
  • The developer accounts have only access to the dev- prefixed secrets

Go to the IAM page and click on the add button. For the dev team, you can have that

Click on Add condition. Select the Resource -> Name type of condition

Then the operator Starts with and finally the secret prefix

!!! STOP !!!

It won’t work. Several reasons

  • The value must be the fully qualified name of the secret with this pattern
projects/<projectNb>/secrets/dev-

Note that the project number is required, not the project ID!!

  • The rule means “You have the Secret Manager Admin role when the full name of the secret starts with…”. But, when you want to create a secret, the secret name no longer exists, you are going to create it! So you also need the role when no secret exists

Correct IAM condition expression

To solve that, you need to express the opposite:

  • The developer accounts don’t have access to the devops- prefixed secrets

For that, you need to go to the condition Editor tab, and enter this condition

!(resource.name.startsWith("projects/<projectNb>/secrets/devops-"))

Name the condition, save it and validate the IAM roles.

If you prefer the CLI, you can do that like this

gcloud projects add-iam-policy-binding <projectId> \
  --condition=expression='!(resource.name.startsWith("projects/<pojectNb>/secrets/devops"))',\
title='no devops secret access' \
  --role=roles/secretmanager.admin \
  --member=group:dev-accounts@gblaquiere.dev

Now, the developer accounts don’t have access to the devops secrets, with the condition that the devops teams name correctly the secrets.
And the developer accounts can also create new secrets

Protect your secrets, anytime

With Secret Manager, your secrets are safe and you can trust this service.

However, you need to configure smartly your roles and permissions on your project to prevent secret leaks and thus security breaches, even from inside.

IAM condition is an elegant way to achieve this use case and can do much more!

Security
Google Cloud Platform
Gcp Secret Manager
Iam Services
Gcp Security Operations

--

--

guillaume blaquiere
Google Cloud - Community

Written by guillaume blaquiere

2.8K Followers
Writer for

GDE cloud platform, Group Data Architect @Carrefour, speaker, writer and polyglot developer, Google Cloud platform 3x certified, serverless addict and Go fan.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams