How to store secrets in Google Cloud Platform using Berglas

In this blog we show you how to store secrets in Google Cloud Platform using Berglas. Berglas combines
the features of Google Cloud Storage, Google Cloud Key Management Service and Google Cloud Identity and Access Management to create a secret store.
It stores secrets encrypted, requires explicit authorization before anyone can read them, and Google Cloud Platform records every access to the secrets in the audit trail.

After downloading and installing Berglas you start by creating a secret store.

Creating a secret store

To create a secret store in your GCP project, type:

berglas bootstrap \
           --project ${PROJECT_ID} \
           --bucket ${BUCKET_ID}

This creates the bucket in which the secrets are stored and a KMS key to encrypt them: a key ring named berglas containing a key named berglas-key (the full resource path of the key appears in the next command). Versioning is enabled on the bucket and the default object access for project editors and viewers is revoked. Now you can add a secret.

Adding a secret

To add a secret to the store, type:

berglas create \
 ${BUCKET_ID}/oracle/scott/password tiger \
     --key projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key

To view the content, type:

$ berglas access ${BUCKET_ID}/oracle/scott/password
tiger

Apart from the account that created it, which holds OWNER on the object as the ACL below shows, the secret is not accessible to anyone yet.

Granting access

To grant access, type:

$ berglas grant \
 ${BUCKET_ID}/oracle/scott/password \
 --member domain:binx.io
Successfully granted permission on [oracle/scott/password] to: 
- domain:binx.io

You can grant access to this secret to any identity that Google IAM knows about, using the same member syntax as an IAM policy binding: user:, group:, serviceAccount: or domain:. Granting to a domain, as above, gives every account in that domain read access; for a workload that needs the secret, a dedicated service account is the least-privilege choice.
To view who has received read access, type:

$ gsutil acl get gs://${BUCKET_ID}/oracle/scott/password
[
  {
    "email": "markvanholsteijn@binx.io",
    "entity": "user-markvanholsteijn@binx.io",
    "role": "OWNER"
  },
  {
    "domain": "binx.io",
    "entity": "domain-binx.io",
    "role": "READER"
  }
]

The grant command also binds the decrypter role to the domain on the KMS key:

$ gcloud kms keys get-iam-policy berglas-key \
 --location global --keyring berglas
bindings:
- members:
  - domain:binx.io
  role: roles/cloudkms.cryptoKeyDecrypter
etag: BwWPi725v10=
version: 1

So now anybody in the domain binx.io can read the object and decrypt its content. Both grants are needed: the object holds only ciphertext (Berglas uses envelope encryption, wrapping a per-secret data key with the KMS key), so the Cloud Storage ACL alone yields nothing without the decrypter role on the key, and vice versa. When
somebody from the domain binx.io reads the secret, Cloud Storage records this in the audit trail.
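The following shell script is an added example, not code from the original post or from the Berglas project. It codifies the check worth running after every berglas grant: fetch the object's ACL and report any entry that is not on an explicit allow-list, treating allUsers and allAuthenticatedUsers as never acceptable on a secret. Only check_secret_acl calls gsutil; the parsing functions work on a constructed ACL (modelled on the output above, with the identities replaced and a deliberately wrong public entry added) so they run offline. The function names and the sample identities are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the Berglas project.
# Assumptions: gsutil is installed and authenticated; BUCKET_ID is the bucket
# created by `berglas bootstrap`; the sample ACL below is constructed.

# Turn the JSON printed by `gsutil acl get` into one "entity role" line per entry.
# Relies on gsutil's pretty-printed layout: one key per line, entity before role.
acl_pairs() {
  awk '
    /"entity":/ { gsub(/[",]/, "", $2); entity = $2 }
    /"role":/   { gsub(/[",]/, "", $2); print entity, $2 }
  '
}

# Print every ACL entry that is not in the allow-list.
# $1: space-separated allow-list of entity:role pairs, e.g. "domain-binx.io:READER".
# allUsers and allAuthenticatedUsers are reported regardless of the allow-list:
# a secret object must never be public.
acl_unexpected() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "allUsers" || $1 == "allAuthenticatedUsers" { print $1, $2, "(PUBLIC)"; next }
    !(($1 ":" $2) in ok) { print }
  '
}

# Live check: fetch the ACL of a secret object and report anything unexpected.
# Returns non-zero when at least one unexpected entry exists, so it can gate a pipeline.
check_secret_acl() {
  bucket="$1"; secret="$2"; allowed="$3"
  out=$(gsutil acl get "gs://${bucket}/${secret}" | acl_pairs | acl_unexpected "$allowed")
  [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Constructed sample ACL in the layout gsutil prints (identities are invented;
# the allAuthenticatedUsers entry is there to show what a bad grant looks like).
SAMPLE_ACL='[
  {
    "email": "owner@example.com",
    "entity": "user-owner@example.com",
    "role": "OWNER"
  },
  {
    "domain": "binx.io",
    "entity": "domain-binx.io",
    "role": "READER"
  },
  {
    "entity": "allAuthenticatedUsers",
    "role": "READER"
  }
]'

# Live use would be:
#   check_secret_acl "$BUCKET_ID" oracle/scott/password "user-owner@example.com:OWNER domain-binx.io:READER"
printf '%s\n' "$SAMPLE_ACL" | acl_pairs | acl_unexpected "user-owner@example.com:OWNER domain-binx.io:READER"
# → allAuthenticatedUsers READER (PUBLIC)
```

The allow-list is keyed on entity and role together, so a member that was granted READER but later became OWNER is reported as well, not just unknown members.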

View the audit trail

To view who accessed your secrets, consult the Data Access audit log. Note that Data Access audit logs are disabled by default in Google Cloud Platform: they must be enabled for Cloud Storage (and for Cloud KMS, if you also want to see the Decrypt calls) in the project's audit configuration, or these entries will not exist.

$ gcloud logging read projects/${PROJECT_ID}/logs/cloudaudit.googleapis.com%2Fdata_access
---
insertId: ezqliye5onps
logName: projects/******-***/logs/cloudaudit.googleapis.com%2Fdata_access
protoPayload:
  '@type': type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: markvanholsteijn@binx.io
  authorizationInfo:
  - granted: true
    permission: storage.objects.get
    resource: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
    resourceAttributes: {}
  - granted: true
    permission: storage.objects.getIamPolicy
    resource: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
    resourceAttributes: {}
  methodName: storage.objects.get
  requestMetadata:
    callerIp: ****:***:***f:*:****:d***:****:d***
    callerSuppliedUserAgent: berglas/0.2.0 (+https://github.com/GoogleCloudPlatform/berglas),gzip(gfe)
    destinationAttributes: {}
    requestAttributes: {}
  resourceLocation:
    currentLocations:
    - us
  resourceName: projects/_/buckets/******-***-secrets/objects/oracle/scott/password
  serviceName: storage.googleapis.com
  status: {}
receiveTimestamp: '2019-08-07T19:28:14.495129561Z'
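The following is an added example, not code from the original post or from the Berglas project. Reading the whole Data Access log, as above, quickly becomes unworkable; secret_reads wraps gcloud logging read with a filter that narrows it to object reads in the secrets bucket and prints one tab-separated line per read, and unexpected_readers then reports every read by a principal outside an allow-list, which is the detection a security operations team would run against this log. The sample lines are constructed (the timestamps, identities and IP addresses are invented; the object path is the one from the post) so the detection step runs offline; only secret_reads needs gcloud. The function names, the default 7-day window and the choice of output fields are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the Berglas project.
# Assumptions: gcloud is installed and authenticated; PROJECT_ID and BUCKET_ID are
# the values used with `berglas bootstrap`; Data Access audit logging is enabled
# for Cloud Storage in the project (it is off by default).

# Read every storage.objects.get on the secrets bucket from the Data Access log.
# Output: one tab-separated line per read: timestamp, principal, object, caller IP.
secret_reads() {
  project="$1"; bucket="$2"; freshness="${3:-7d}"
  filter="logName=\"projects/${project}/logs/cloudaudit.googleapis.com%2Fdata_access\""
  filter="${filter} AND protoPayload.methodName=\"storage.objects.get\""
  filter="${filter} AND resource.labels.bucket_name=\"${bucket}\""
  gcloud logging read "$filter" --project "$project" --freshness "$freshness" \
    --format 'value(timestamp,protoPayload.authenticationInfo.principalEmail,protoPayload.resourceName,protoPayload.requestMetadata.callerIp)'
}

# Detection step: print only the reads whose principal (column 2) is not in the
# space-separated allow-list. Pure text processing, so it runs offline.
unexpected_readers() {
  awk -F '\t' -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($2 in ok) { print }
  '
}

# Constructed sample in the format secret_reads produces (identities and
# addresses are invented; the object path is the one from the post).
SAMPLE_READS=$(printf '%s\t%s\t%s\t%s\n' \
  2019-08-07T19:28:14Z alice@binx.io projects/_/buckets/my-secrets/objects/oracle/scott/password 203.0.113.7 \
  2019-08-07T19:30:02Z deploy@my-project.iam.gserviceaccount.com projects/_/buckets/my-secrets/objects/oracle/scott/password 203.0.113.9 \
  2019-08-07T19:45:51Z mallory@example.org projects/_/buckets/my-secrets/objects/oracle/scott/password 198.51.100.4)

# Live use would be:
#   secret_reads "$PROJECT_ID" "$BUCKET_ID" | unexpected_readers "alice@binx.io deploy@my-project.iam.gserviceaccount.com"
printf '%s\n' "$SAMPLE_READS" | unexpected_readers "alice@binx.io deploy@my-project.iam.gserviceaccount.com"
# → the single line for mallory@example.org
```

Because the grant above is to a whole domain, the allow-list is what turns "anyone in binx.io may read" into "these two identities are expected to read"; anything else in the output is worth a look, and the caller IP and user agent columns tell you whether it came from the expected workload or from someone running the berglas CLI on a laptop.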

To access the secret from an application, berglas offers different integrations.

Application Integrations

Berglas offers easy integrations for applications running on App Engine, Cloud Run,
Cloud Functions, Cloud Build and Kubernetes. The general-purpose route is berglas exec, which resolves environment variables of the form berglas://${BUCKET_ID}/path at startup and hands the plaintext to the child process, so the application itself never talks to Cloud Storage or KMS. We recommend checking out the
different examples on Berglas integrations in the Berglas repository.

Conclusion

As you have seen, Berglas combines
the features of Google Cloud Storage, Google Cloud Key Management Service and Google Cloud Identity and Access Management to create a secret store.
It stores secrets encrypted, requires explicit authorization on both the object and the key before anyone can read them, and, with Data Access audit logging enabled, Google Cloud Platform records every access to the secrets in the audit trail.

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.