×

How to store secrets in Google Cloud Platform using Berglas

In this blog we show you how to store secrets in Google Cloud Platform using Berglas. Berglas combines the features of Google Cloud Storage, Google Key Management Serviceand Google Identity and Access management to create a secret store. It stores secrets safely and needs explicit authorization to access them. Google Cloud Platform logs any access to the secrets in the audit trail.

After downloading and installing Berglas you start by creating a secret store.

Creating a secret store

To create a secret store in your GCP project, type:

berglas bootstrap \
           --project ${PROJECT_ID} \
           --bucket ${BUCKET_ID}

This will create the bucket in which it stores secrets and a KMS key to encrypt them. The name of the key is berglas-key. The bucket is versioned and access for project editors and viewers is revoked. Now you can add a secrets.

Adding a secret

To add a secret to the store, type:

berglas create \
	${BUCKET_ID}/oracle/scott/password tiger \
  	--key projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key

To view the content, type:

$ berglas access ${BUCKET_ID}/oracle/scott/password
tiger

The secret is not acccessible to anyone yet.

Granting access

To grant access, type:

$ berglas grant \
	${BUCKET_ID}/oracle/scott/password \
	--member domain:binx.io
Successfully granted permission on [oracle/scott/password] to: 
- domain:binx.io

You can grant access to this secret to any authenticated identity from Google IAM. To view who has received read access, type:

$ gsutil acl get gs://${BUCKET_ID}/oracle/scott/password
[
  {
    "email": "markvanholsteijn@binx.io",
    "entity": "user-markvanholsteijn@binx.io",
    "role": "OWNER"
  },
  {
    "domain": "binx.io",
    "entity": "domain-binx.io",
    "role": "READER"
  }
]

The grant command also binds the decrypter role to the domain on the KMS key:

$ gcloud kms keys get-iam-policy berglas-key \
	--location global --keyring berglas
bindings:
- members:
  - domain:binx.io
  role: roles/cloudkms.cryptoKeyDecrypter
etag: BwWPi725v10=
version: 1

So, now anybody in the domain binx.io can read the object and decrypt it’s content. When somebody from the domain binx.io read the secret, GCS logs this in the audit trail.

View the audit trail

To view who accessed your secrets, you can consult data access audit log:

$ gcloud logging read projects/${PROJECT_ID}/logs/cloudaudit.googleapis.com%2Fdata_access
---
insertId: ezqliye5onps
logName: projects/******-***/logs/cloudaudit.googleapis.com%2Fdata_access
protoPayload:
  '@type': type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: markvanholsteijn@binx.io
  authorizationInfo:
  - granted: true
    permission: storage.objects.get
    resource: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
    resourceAttributes: {}
  - granted: true
    permission: storage.objects.getIamPolicy
    resource: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
    resourceAttributes: {}
  methodName: storage.objects.get
  requestMetadata:
    callerIp: ****:***:***f:*:****:d***:****:d***
    callerSuppliedUserAgent: berglas/0.2.0 (+https://github.com/GoogleCloudPlatform/berglas),gzip(gfe)
    destinationAttributes: {}
    requestAttributes: {}
  resourceLocation:
    currentLocations:
    - us
  resourceName: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
  serviceName: storage.googleapis.com
  status: {}
receiveTimestamp: '2019-08-07T19:28:14.495129561Z'

To access the secret from an application, berglas offers different integrations.

Application Integrations

Berglas offers a easy integrations for applications in App Engine, Cloud Run, Cloud Functions, Cloud Build and Kubernetes. We recommend checking out the different examples on Berglas integrations

Conclusion

As you have seen, Berglas combines the features of Google Cloud Storage, Google Key Management Serviceand Google Identity and Access management to create a secret store. It stores secrets safely and needs explicit authorization to access them. Google Cloud Platform logs any access to the secrets in the audit trail.

Picture of Mark van Holsteijn
Mark van Holsteijn
CTO