I am trying to find a way to access a Secret Manager version (service account key file) from an app hosted on-premise. This link has an example of how to access it through C# via the Secret Manager client API, but the problem here is that it requires having ADC, which is not possible on those servers. I couldn't find it anywhere, but does the Secret Manager client API support API keys? If not, what options do I have? There is also the Workload Identity Federation service, but there are no .NET client APIs available.

// Uses ADC (Application Default Credentials); requires the Google.Cloud.SecretManager.V1 package
using Google.Cloud.SecretManager.V1;

SecretManagerServiceClient client = SecretManagerServiceClient.Create();

Also there is a SecretManagerServiceClientBuilder but there is no documentation on how it can be used

1
If you aren't on GCP, you need either a service account key file or to use Workload Identity Federation. (You can understand that API Key is not an option, except if you use API Gateway in front of Secret Manager, but it's not recommended.) If there isn't an available library to use it, it's just a set of API calls (3 if my memory is good) to implement. What's your language? And why can't you use ADC? - guillaume blaquiere

@guillaumeblaquiere It is C#.NET. As per my understanding, for ADC to be available we need to install the Google SDK on all our servers and then authenticate it with 'google auth application-default login'. I am not sure if there is a way to set up ADC programmatically. - Prany

1 Answer


To use ADC, you don't need to install the gcloud SDK on your servers (answer to your comment). You need to set an environment variable GOOGLE_APPLICATION_CREDENTIALS with the absolute path to the service account key file as its value. That's all; the library will automatically detect this env var and use the file as the credential.

If you don't put this file, and if your app doesn't run on Google Cloud, the libraries look into the "well-known location". This location is the standard location of the user credential file created with the command google auth application-default login.

If you have read carefully, ADC with the env var uses a service account credential, and the well-known location uses a user credential. You use a user credential on your personal computer/workstation. In production and in an app, you use an "app identity", a "service identity", therefore a service account.

Service account key files are made for that: they provide a service identity to an app running outside GCP and authenticate it to interact with GCP. However, this file contains a secret, and you need to secure it cautiously, and to rotate the file as soon as you can in your process.
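As an added example (not code from the question or the answer above), the following C# shows both ways the answer describes: letting the client pick up the key file from GOOGLE_APPLICATION_CREDENTIALS, and handing the same path to SecretManagerServiceClientBuilder explicitly. It assumes the Google.Cloud.SecretManager.V1 NuGet package; the project and secret names are placeholders.

```csharp
// Added example, not part of the original post. Assumes the
// Google.Cloud.SecretManager.V1 package; ProjectId and SecretId are placeholders.
using System;
using System.IO;
using Google.Cloud.SecretManager.V1;

class SecretAccessExample
{
    const string ProjectId = "my-project";   // placeholder
    const string SecretId = "my-secret";     // placeholder

    static void Main()
    {
        // Option 1: rely on ADC. Before starting the app, the operator sets
        //   GOOGLE_APPLICATION_CREDENTIALS=/abs/path/to/sa-key.json
        // and SecretManagerServiceClient.Create() picks the key file up with
        // no gcloud SDK installed on the server.
        string keyPath = Environment.GetEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS");
        if (string.IsNullOrEmpty(keyPath) || !File.Exists(keyPath))
        {
            // Fail closed: without the env var, ADC would silently fall back to the
            // well-known user-credential location, which is not a service identity.
            throw new InvalidOperationException(
                "GOOGLE_APPLICATION_CREDENTIALS is unset or the key file is missing.");
        }
        SecretManagerServiceClient adcClient = SecretManagerServiceClient.Create();
        Console.WriteLine($"ADC client: payload is {AccessLatest(adcClient).Length} bytes");

        // Option 2: name the credential source in code via the builder, so the
        // identity the app runs under does not depend on the process environment.
        var builder = new SecretManagerServiceClientBuilder { CredentialsPath = keyPath };
        SecretManagerServiceClient explicitClient = builder.Build();
        Console.WriteLine($"Builder client: payload is {AccessLatest(explicitClient).Length} bytes");
    }

    // Reads the newest enabled version of the secret and returns its raw bytes.
    // The caller decides how to use them; never log the payload itself.
    static byte[] AccessLatest(SecretManagerServiceClient client)
    {
        var name = new SecretVersionName(ProjectId, SecretId, "latest");
        AccessSecretVersionResponse response = client.AccessSecretVersion(name);
        return response.Payload.Data.ToByteArray();
    }
}
```

The service account only needs the Secret Manager Secret Accessor role on that one secret, and the key file on disk should be readable by the app's service user alone.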