Google Cloud Secret Manager logo and Octopus Deploy logo sit in front of a blue CI/CD infinite loop symbol

Using Google Cloud Secret Manager with Octopus

Mark Harrison

I've written previously about extending the functionality of Octopus to integrate with HashiCorp Vault and Azure Key Vault using step templates. We're committed to providing many ways for our customers to succeed with Octopus, so we're creating more step templates that integrate with other secret managers.

In this post, I walk through a new step template, GCP Secret Manager - Retrieve Secrets. This step template retrieves secrets from Secret Manager on Google Cloud Platform (GCP) for use in your deployments or runbooks.

Getting started

This post assumes some familiarity with custom step templates and the Octopus community library.

In addition, this post doesn't go into great detail about Secret Manager concepts or how to set up Secret Manager. You can learn more by reading the Secret Manager quickstart guide from Google.

The step template in this post retrieves secrets from Secret Manager using gcloud, the GCP command-line tool. The gcloud tool, version 338.0.0 or higher must be installed on the deployment target or Worker before the step can retrieve secrets successfully.

The step also requires Octopus 2021.2 or newer as it makes use of our recently added built-in support for Google Cloud Platform. The step template has been tested on both Windows and Linux (with PowerShell Core installed).

Authentication

Before you can retrieve secrets from Secret Manager, you must authenticate with Google. In their documentation on creating and accessing secrets, Google describes the role to access secrets:

Accessing a secret version requires the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.

To learn more about the different roles you can use with Secret Manager, read the access control documentation on how to provide permissions to access sensitive passwords, certificates, and other secrets.

In Octopus, you can authenticate with Google Cloud Platform using the Google Cloud Account we added in version 2021.2

Retrieving secrets

The GCP Secret Manager - Retrieve Secrets step template retrieves one or more secrets from Secret Manager and creates sensitive output variables for each one retrieved.

For each secret, you must provide a version of the secret to retrieve, and optionally provide a custom output variable name.

Always choose a specific secret version
Google recommends that for production applications, you should always retrieve secrets with a specific version, and not with the latest version specifier.

Retrieving a single secret requires:

  • A Google Cloud account with permission to access the secret, including details of the default project, region, and zone
  • The name of the secret to retrieve

An advanced feature of the step template offers support for retrieving multiple secrets at once. This requires entering each secret on a new line.

For each secret retrieved, a sensitive output variable is created for use in subsequent steps. By default, only a count of the number of variables created will be shown in the task log. To see the names of the variables in the task log, change the Print output variable names parameter to True.

Step template parameters

The step template uses the following parameters:

  • Google Cloud Account: A Google Cloud account with permissions to access secrets from Secret Manager.

  • Google Cloud Project: Specify the default project. This sets the CLOUDSDK_CORE_PROJECT environment variable.

  • Google Cloud Region: Specify the default region. This sets the CLOUDSDK_COMPUTE_REGION environment variable.

  • Google Cloud Zone: Specify the default zone. This sets the CLOUDSDK_COMPUTE_ZONE environment variable.

  • Secret names to retrieve: Specify the names of the secrets to return from Secret Manager in Google Cloud, in the format: SecretName SecretVersion | OutputVariableName where:

    • SecretName is the name of the secret to retrieve.
    • SecretVersion is the version of the secret to retrieve. If this value isn't specified, the latest version will be retrieved.
    • OutputVariableName is the optional Octopus output variable name to store the secret's value in. If this value isn't specified, an output name will be generated dynamically.

    Note: Multiple fields can be retrieved by entering each one on a new line.

  • Print output variable names: Write out the Octopus output variable names to the task log. Default: False.

Parameters for the step

Using the step

The GCP Secret Manager - Retrieve Secrets step is added to deployment and runbook processes in the same way as other steps.

After you add the step to your process, fill out the parameters in the step:

GCP Secret Manager - Retrieve Secrets step used in a process

After you fill in the parameters, you can execute the step in a runbook or deployment process. On successful execution, any matching secrets will be stored as sensitive output variables. If you configured your step to print the variable names, they appear in the task log:

GCP Secret Manager - Retrieve secrets step task log

In subsequent steps, output variables created from matching secrets can be used in your deployment or runbook.

Tip: Remember to replace GCP Secret Manager - Retrieve Secrets with the name of your step for any output variable names.

Although not recommended, it's possible to retrieve the latest version of a secret. You can omit the version from the secret names parameter like this:

OctoSecrets-username | username-latest

Alternatively, you can use the latest version specifier like this:

OctoSecrets-password latest | password-latest

In both cases, the step template will send a warning to the task log:

GCP Secret Manager - Retrieve secret using latest version specifier warning

Conclusion

The GCP Secret Manager - Retrieve Secrets step template demonstrates that it's easy to integrate with Google Cloud Secret Manager and make use of secrets stored there with your Octopus deployments or runbooks.

Happy deployments!

Loading...