Managing Secrets Securely using GCP Secret Manager
Introduction
Every application needs credentials — database passwords, API keys, tokens. The biggest mistake developers make is how they store them:
- Hardcoded in source code
- Committed to GitHub
- Stored in plain text files
- Shared over Slack or email
One leaked credential can compromise your entire system. This is where GCP Secret Manager comes in.
In this blog I'll show you exactly how to manage secrets securely across production applications using GCP Secret Manager.
What is GCP Secret Manager?
GCP Secret Manager is a fully managed service that allows you to:
- Store sensitive data like API keys, passwords, tokens
- Version your secrets — keep history of changes
- Control access using IAM roles
- Audit who accessed what and when
- Rotate credentials without downtime
Real World Use Case
In a typical web application you need to securely store:
- DATABASE_URL
- API_KEY
- JWT_SECRET
- SMTP_PASSWORD
- STRIPE_SECRET_KEY
- THIRD_PARTY_TOKEN
Instead of hardcoding these values in your code, store them in Secret Manager and access them securely from Cloud Functions and Cloud Run.
Prerequisites
✅ GCP Account with billing enabled
✅ A GCP Project
✅ Cloud Run or Cloud Functions deployed
✅ gcloud CLI installed
Step 1 — Enable Secret Manager API
Search "Secret Manager API"
Click "Enable"
Step 2 — Create Your First Secret
Go to Secret Manager
Click "Create Secret"
Fill in:
| Field | Value |
|---|---|
| Name | DATABASE_URL |
| Secret value | your-database-connection-string |
| Regions | us-central1 |
Click "Create Secret" ✅
Step 3 — Add a New Version
When credentials change, add a new version instead of deleting:
Click on the secret name
Click "+ New Version"
Enter new value
Click "Add New Version"
Disable the old version ✅
Step 4 — Grant IAM Access
This is the most important step — control who can access your secrets.
Service Account Access (for Cloud Run/Functions)
Go to IAM & Admin → IAM
Find your service account
Click ✏️ Edit
Add role: Secret Manager Secret Accessor
Click "Save" ✅
Step 6 — Access Secrets in Cloud Run
Option A — Mount as Environment Variables
Go to Cloud Run → Your Service
Click "Edit & Deploy New Revision"
Click "Variables & Secrets" tab
Click "Reference a Secret"
Select your secret
Choose "Exposed as environment variable"
Click "Deploy" ✅
Step 7 — Verify Secret Access
```bash
gcloud secrets versions access latest --secret="DATABASE_URL" --project=YOUR_PROJECT_ID
```
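The console clicks in Steps 1 to 7 map directly onto gcloud commands. The script below is an added example, not code from the original post or from Google: PROJECT_ID, SA_EMAIL, SERVICE and IMAGE are placeholders you set for your own project, the us-central1 region is the one used in Step 2, and the secret value is read from stdin so it never lands in shell history. With DRY_RUN=1 it prints each command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 1-7 as gcloud commands.
# Placeholders you must set for your project: PROJECT_ID, SA_EMAIL, SERVICE, IMAGE.
# DRY_RUN=1 prints each command instead of executing it, so nothing is changed.
set -eu

PROJECT_ID="${PROJECT_ID:-your-project-id}"
SA_EMAIL="${SA_EMAIL:-my-service@${PROJECT_ID}.iam.gserviceaccount.com}"
SERVICE="${SERVICE:-my-service}"
IMAGE="${IMAGE:-us-central1-docker.pkg.dev/${PROJECT_ID}/apps/my-service:latest}"
REGION="us-central1"   # region used in Step 2 of the post

# Execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: enable the API once per project.
enable_api() {
  run gcloud services enable secretmanager.googleapis.com --project="$PROJECT_ID"
}

# Step 2: create the secret, replicated only to the chosen region. The value is
# read from stdin (--data-file=-) so it never appears in shell history or `ps`;
# never pass a secret value as a command-line argument.
create_secret() {
  run gcloud secrets create "$1" \
    --replication-policy=user-managed --locations="$REGION" \
    --data-file=- --project="$PROJECT_ID"
}

# Step 3: rotate by adding a version (new value on stdin) ...
add_version() {
  run gcloud secrets versions add "$1" --data-file=- --project="$PROJECT_ID"
}

# ... then disable, not destroy, the old version ($2) once the new one is
# confirmed working, so it can be re-enabled for rollback.
disable_version() {
  run gcloud secrets versions disable "$2" --secret="$1" --project="$PROJECT_ID"
}

# Step 4: least privilege. secretAccessor on this one secret, bound to the
# service account the workload runs as, not a project-level or admin role.
grant_accessor() {
  run gcloud secrets add-iam-policy-binding "$1" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="roles/secretmanager.secretAccessor" \
    --project="$PROJECT_ID"
}

# Step 6: expose the secret to Cloud Run as an environment variable. The flag
# format is ENV_VAR=SECRET_NAME:VERSION; pinning a version number instead of
# "latest" keeps each revision reproducible.
deploy_with_secret() {
  run gcloud run deploy "$SERVICE" \
    --image="$IMAGE" --region="$REGION" \
    --service-account="$SA_EMAIL" \
    --update-secrets="$1=$1:${2:-latest}" \
    --project="$PROJECT_ID"
}

# Step 7: read the value back with the caller's own credentials.
verify_access() {
  run gcloud secrets versions access latest --secret="$1" --project="$PROJECT_ID"
}

# Usage: printf '%s' "$DB_URL" | DRY_RUN=1 sh secrets.sh run
if [ "${1:-}" = "run" ]; then
  enable_api
  create_secret DATABASE_URL        # value comes from stdin
  grant_accessor DATABASE_URL
  deploy_with_secret DATABASE_URL 1
  verify_access DATABASE_URL
fi
```

Two design points: the IAM binding is placed on the single secret rather than at project level, which is the least-privilege form of Step 4, and rotation disables the previous version instead of destroying it so it can be re-enabled if the new value turns out to be wrong. Run `add_version DATABASE_URL` followed by `disable_version DATABASE_URL <old-version>` for the rotation in Step 3.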
Step 8 — Best Practices
1. Never Commit Secrets to GitHub
Add to .gitignore:
```
.env
*.key
secrets/
```
2. Use Least Privilege
Only grant secretAccessor role — not admin:
| Role | What it allows |
|---|---|
| secretmanager.viewer | View secret metadata only |
| secretmanager.secretAccessor | Access secret values ✅ |
| secretmanager.admin | Full control — use sparingly |
3. Always Version Your Secrets
- Never delete old versions immediately
- Disable old version after new one is confirmed working
- Keep at least 2 versions for rollback
4. Use Secret Names Consistently
Good naming convention: DATABASE_URL_STAGE, STRIPE_SECRET_KEY_PROD, SMTP_PASSWORD_STAGE
Bad naming: secret1, mysecret, temp_key
5. Audit Secret Access
Go to Secret Manager → Your Secret
Click "Audit Logs"
See who accessed what and when
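The same check from the command line, as an added example that is not part of the original post: it pulls AccessSecretVersion events out of Cloud Logging and flags any principal that read a secret value but is not one of the expected service accounts. The entries in sample_logs are constructed and simplified (one JSON object per line, as `gcloud logging read --format=json | jq -c '.[]'` would emit); the live path assumes gcloud and jq are installed and PROJECT_ID and EXPECTED_READERS are set. One caveat: AccessSecretVersion is a data-access event, and Data Access audit logs for Secret Manager are off by default, so enable them in the project's audit configuration or secret reads will never appear.

```shell
#!/bin/sh
# Added example, not part of the original post: triage Secret Manager audit log
# entries for unexpected readers. Assumes gcloud and jq for the live path;
# sample_logs holds CONSTRUCTED entries so the rest runs offline.
set -eu

# Cloud Logging filter for secret-value reads. AccessSecretVersion is a DATA_READ
# event, so it only appears once Data Access audit logs are enabled for
# Secret Manager in the project's audit configuration.
LOG_FILTER='protoPayload.serviceName="secretmanager.googleapis.com" AND protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"'

# Live path: one JSON entry per line.
fetch_access_logs() {
  gcloud logging read "$LOG_FILTER" --limit=100 --format=json \
    --project="${PROJECT_ID:?set PROJECT_ID}" | jq -c '.[]'
}

# Constructed, simplified entries (real ones carry many more fields).
sample_logs() {
  cat <<'EOF'
{"timestamp":"2024-05-01T10:00:00Z","protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","authenticationInfo":{"principalEmail":"my-service@demo-project.iam.gserviceaccount.com"},"resourceName":"projects/demo-project/secrets/DATABASE_URL/versions/3"}}
{"timestamp":"2024-05-01T10:05:00Z","protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","authenticationInfo":{"principalEmail":"contractor@example.com"},"resourceName":"projects/demo-project/secrets/STRIPE_SECRET_KEY_PROD/versions/1"}}
{"timestamp":"2024-05-01T10:06:00Z","protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion","authenticationInfo":{"principalEmail":"admin@example.com"},"resourceName":"projects/demo-project/secrets/DATABASE_URL"}}
EOF
}

# Extract one quoted string field ($1) from a single-line JSON entry on stdin.
field() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# stdin: entries; stdout: "<principal> <secret> <method>" per entry.
summarize() {
  while IFS= read -r line; do
    who=$(printf '%s\n' "$line" | field principalEmail)
    secret=$(printf '%s\n' "$line" | field resourceName | sed -n 's#.*/secrets/\([^/]*\).*#\1#p')
    method=$(printf '%s\n' "$line" | field methodName | sed 's/.*\.//')
    printf '%s %s %s\n' "$who" "$secret" "$method"
  done
}

# stdin: entries; $1: space-separated principals expected to read secrets.
# stdout: every other principal that read a secret value, once each.
# Writes (AddSecretVersion etc.) are not flagged here; they are admin events.
unexpected_readers() {
  summarize | awk -v ok="$1" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
    $3 == "AccessSecretVersion" && !($1 in allow) { print $1 }' | sort -u
}

if [ "${1:-}" = "live" ]; then
  fetch_access_logs | unexpected_readers "${EXPECTED_READERS:?space-separated service accounts}"
else
  sample_logs | unexpected_readers "my-service@demo-project.iam.gserviceaccount.com"
fi
```

Run without arguments to see the constructed case (it reports contractor@example.com, who read STRIPE_SECRET_KEY_PROD without being the expected service account); run with `live` against a real project once Data Access logging is on. In practice the expected-readers list should be exactly the service accounts you granted secretAccessor to in Step 4, so anything else printed is a binding you did not intend.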
Before vs After Secret Manager
| Before | After |
|---|---|
| ❌ Hardcoded in code | ✅ Stored in Secret Manager |
| ❌ Committed to GitHub | ✅ Never in version control |
| ❌ Shared over Slack | ✅ Accessed via IAM only |
| ❌ No audit trail | ✅ Full audit logging |
| ❌ No versioning | ✅ Version history kept |
| ❌ Rotation causes downtime | ✅ Zero downtime rotation |
Conclusion
GCP Secret Manager is an essential tool for any production application. By following the steps in this blog you can:
✅ Store all credentials securely
✅ Control who has access
✅ Version and rotate secrets safely
✅ Audit all secret access
✅ Never hardcode credentials again
Security is not optional — it's a requirement. Start using Secret Manager today!
