
Google Cloud’s Secrets Manager - known
https://cloud.google.com/blog/products/identity-security/introducing-google-clouds-secret-manager
======
sethvargo
Hey everyone - sorry for the delayed reply, I've been on a plane. Seth from
Google here, the same Seth in the byline of the blog post.

We are very excited to bring Secret Manager to the market. Let us know if you
have any questions!

~~~
devy
Hi Seth!

I wonder how GCP Secrets Manager compares to Hashicorp Vault? Is GCP SM
implemented on top of Hashicorp Vault (or Berglas) behind the scenes? If not,
what are the differences in terms of feature set?

~~~
sethvargo
Secret Manager is a Google Cloud first-party fully-managed service. Vault
still works and runs great on GCP for users who want more advanced
functionality like dynamic secrets.

~~~
devy
No feature comparison?

------
sessy
Comparable AWS Version: [https://aws.amazon.com/secrets-manager/](https://aws.amazon.com/secrets-manager/)

Pricing: AWS: $0.40 per secret per month. GCP: $0.06 per active secret version
per regional replica per month.

I don't understand the GCP pricing correctly. Can someone shine a light here
...

~~~
davedx
For AWS, as with many cloud offerings, read the pricing small print: AWS
Secrets Manager also charges per API request [1]. It isn't expensive, but you
should keep it in mind when you architect your infrastructure. (We actually
switched from fetching secrets at runtime to injecting them into containers
at deploy time, and this was one reason).

[1] [https://aws.amazon.com/secrets-manager/pricing/](https://aws.amazon.com/secrets-manager/pricing/)

~~~
jaxr
This bit us too. We use GoDaddy's external secrets [1] to fetch secrets from
AWS Secrets Manager and make them available to the cluster. It polls the
secret every n seconds, but with many services consuming secrets, it can scale
up pretty quickly and start to build up cost.

[1] [https://github.com/godaddy/kubernetes-external-secrets](https://github.com/godaddy/kubernetes-external-secrets)

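The per-request billing and polling cost described in the two comments above is usually addressed by putting one process-wide cache in front of the secrets API rather than letting every consumer poll on its own. The following Go program is an added illustration of that pattern; it is not code from either commenter, from kubernetes-external-secrets, or from any cloud SDK. The names (SecretCache, SimulateHour), the TTL, and the in-memory Fetcher standing in for a real Secrets Manager client are my own assumptions; the simulation drives the cache with a fake clock so it runs offline.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Fetcher reads the current value of one secret from the remote store
// (AWS Secrets Manager, GCP Secret Manager, ...). Every call is a billable
// API request, which is what the cache below is meant to minimise.
// This is an assumed stand-in for a real client, not a vendor SDK type.
type Fetcher func(name string) (string, error)

type entry struct {
	value   string
	expires time.Time
}

// SecretCache serves repeated reads from memory and only hits the Fetcher
// when a name is missing or its entry is older than ttl. One cache shared
// by all consumers in a process replaces N independent pollers.
type SecretCache struct {
	mu          sync.Mutex
	fetch       Fetcher
	ttl         time.Duration
	now         func() time.Time // injectable clock, used by SimulateHour
	entries     map[string]entry
	RemoteCalls int // API requests actually issued (the billable number)
}

func NewSecretCache(fetch Fetcher, ttl time.Duration) *SecretCache {
	return &SecretCache{fetch: fetch, ttl: ttl, now: time.Now, entries: map[string]entry{}}
}

// Get returns the cached value while it is fresh. The mutex is held across
// the remote call on purpose: callers that miss at the same moment wait for
// one fetch instead of each issuing their own (request coalescing).
func (c *SecretCache) Get(name string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.entries[name]
	if ok && c.now().Before(e.expires) {
		return e.value, nil
	}
	c.RemoteCalls++
	v, err := c.fetch(name)
	if err != nil {
		if ok {
			// Backend hiccup: keep serving the last known value rather than
			// failing every caller; the next Get retries the fetch.
			return e.value, nil
		}
		return "", err
	}
	c.entries[name] = entry{value: v, expires: c.now().Add(c.ttl)}
	return v, nil
}

// SimulateHour drives one shared cache with a fake clock: `services`
// consumers each read the same secret every `readEvery` for one hour.
// It returns the reads served and the remote API calls that were made.
func SimulateHour(services int, readEvery, ttl time.Duration) (reads, remote int, err error) {
	clock := time.Unix(0, 0)
	c := NewSecretCache(func(string) (string, error) { return "s3cr3t", nil }, ttl)
	c.now = func() time.Time { return clock }
	for ; clock.Before(time.Unix(3600, 0)); clock = clock.Add(readEvery) {
		for i := 0; i < services; i++ {
			if _, err = c.Get("db-password"); err != nil {
				return reads, c.RemoteCalls, err
			}
			reads++
		}
	}
	return reads, c.RemoteCalls, nil
}

func main() {
	reads, remote, _ := SimulateHour(10, 5*time.Second, time.Minute)
	// With ten services polling every 5s, the cache turns 7200 reads into
	// 60 billable calls (one per TTL window) instead of 7200.
	fmt.Printf("%d reads served with %d billable API calls\n", reads, remote)
}
```

The TTL is the rotation lag you accept: a value rotated upstream is picked up within one TTL. Injecting secrets at deploy time, as the comment above describes, is the same trade-off pushed to its extreme (TTL = lifetime of the deployment), with zero runtime API calls.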
------
patwolf
Glad to see this service exists. Until now I've been storing secrets in JSON
files in Cloud Storage, and using KMS to encrypt the contents.

This is hopefully simpler to use and easier to audit.

~~~
sethvargo
Enable Cloud Audit Logging for Secret Manager and give us feedback. We know
auditing is super important, so it's built in!

~~~
ricktdotorg
So far, I've found the audit logging to be pretty great!

I especially like exemptions; the ability to _not_ log for specific service
accounts/identities is very handy.

------
ackdesha
I'm hoping this eventually leads to AWS reducing their Secrets Manager
pricing.

~~~
nodesocket
Have you looked at just using AWS parameter store?

------
Jonnax
What are people's favoured ways of managing secrets these days?

Does this look appealing?

~~~
dijit
Hashicorp vault is basically industry standard I believe. But there are
various cloud APIs too, which have varying degrees of integration with
kubernetes.

~~~
Axsuul
Unfortunately Vault still doesn't have a plugin for Docker Swarm :(

~~~
Jonnax
Swarm is on its way out. Mirantis bought that part of Docker and they said
this:

"The primary orchestrator going forward is Kubernetes. Mirantis is committed
to providing an excellent experience to all Docker Enterprise platform
customers and currently expects to support Swarm for at least two years,
depending on customer input into the roadmap. Mirantis is also evaluating
options for making the transition to Kubernetes easier for Swarm users."

[https://www.mirantis.com/blog/mirantis-acquires-docker-enter...](https://www.mirantis.com/blog/mirantis-acquires-docker-enterprise-platform-business/)

~~~
peterwwillis
This is sad. Swarm is simple and effective, like Nomad but easier.

~~~
notduncansmith
Agreed. I’ve been working a lot with Swarm over the past year and while it’s
not perfect, it has been an overall great experience. I really enjoy the
simplicity and tight integration with Docker, and I feel that the ecosystem
around Swarm was just starting to mature. Hopefully it remains an option for a
while.

Also, I haven’t needed to integrate something like Vault because the Swarm
secrets feature covers my use case perfectly.

~~~
Axsuul
I'm also using the secrets feature but it's very brittle. If your swarm gets
destroyed or you want to migrate servers, it's a huge pain to get those
secrets back up and running. Unless I'm missing a better way to do this, I'd
love to know!

I currently have my secrets stored in an encrypted text file in case I need to
bring them back up.

~~~
notduncansmith
I do something similar, using Ansible Vault (not to be confused with Hashicorp
Vault!) to store the encrypted secrets in my ops directory (separate from the
application source code). They’re stored as YAML so very easy to
upload/regenerate with Ansible.

------
Already__Taken
This would be taking on Vaults top-tier enterprise package when looking at the
feature list?

[https://www.hashicorp.com/products/vault/pricing/](https://www.hashicorp.com/products/vault/pricing/)

~~~
tonyhb
Vault does more than store secrets.

For example, with Postgres it can store root creds and issue non-root, time-
bound creds for each service. Vault's "backends" allow it to do _a lot_ of
things that a secure static credentials manager can't.

Not to say that this isn't good though – any proper secret management system
is better than none :D

~~~
rossmohax
Vault is a single system, accessible over the network, with root access to all
datastores in the company... How is it good for security?

Kerberos solves the very same problem of using only short-lived tokens on the
wire when accessing services, but it fell out of fashion.

------
cbushko
We are eagerly awaiting GKE integration.

~~~
sethvargo
While I cannot comment on specifics, we are going to provide deeper, first-
class integrations with other GCP products.

~~~
te_chris
Yes, GKE would be great. If we could specify the source of an ENV in a
Deployment as a Managed Secret that would be incredible and save us so much
hassle.

------
rags1811
How do permissions work? Can I only give access to a specific secret to a
specific person/group of people? Playing with Secrets Manager it looks like
anyone with access to the project can access all secrets.

~~~
ricktdotorg
> Can I only give access to a specific secret to a specific person/group of
> people?

Yes.

> Playing with Secrets Manager it looks like anyone with access to the project
> can access all secrets.

Just FYI, this is not the case. The "Secret Manager Secret Accessor" role must
be applied per-secret for any identity to read the content of that secret.

------
dberg
How does this differ from the KMS product?

~~~
antoncohen
The short answer is KMS doesn't store secrets.

You can use KMS as _part_ of your own secret manager, but you would have to
store the actual secrets somewhere else, like GCS or Datastore. KMS stores
encryption keys, and has an API for encrypting/decrypting. For example to
retrieve a secret using KMS you would get the encrypted data from where it is
stored, like Datastore, and send it to KMS to have KMS decrypt the data.
Secret Manager actually stores the secret, so a single API call can retrieve
the decrypted value. Secret Manager also has versioning, which is important
when rotating secrets. If you were building your own solution around KMS you
would need to do versioning in your storage schema, wherever you end up
storing the secrets.

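The "build it yourself around KMS" design described above (and the JSON-in-Cloud-Storage-plus-KMS setup patwolf describes earlier in the thread) is worth seeing in code, because the versioning the comment says you would have to add is where such a DIY store usually goes wrong. The Go program below is an added example, not code from any commenter, from Google, or from Cloud KMS. The KMS type is an assumed in-process stand-in (AES-256-GCM on a key the store never sees); the Store with its per-secret version list, the "version 0 means latest enabled" convention and the name/version string used as AEAD associated data are my own design choices, chosen so that a ciphertext copied from one version or secret to another fails to decrypt rather than silently returning the wrong value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KMS models a key-management service: the key never leaves it and clients
// only get Encrypt/Decrypt. Assumed stand-in for Cloud KMS, not its API.
type KMS struct{ aead cipher.AEAD }

func NewKMS() (*KMS, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KMS{aead: aead}, nil
}

// Encrypt returns nonce||ciphertext. aad binds the ciphertext to a context
// (secret name and version here), so a blob moved between versions or
// secrets fails authentication instead of decrypting to a stale value.
func (k *KMS) Encrypt(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, aad), nil
}

func (k *KMS) Decrypt(blob, aad []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, blob[:n], blob[n:], aad)
}

type version struct {
	ciphertext []byte
	enabled    bool
}

// Store is the "somewhere else" from the comment (GCS, Datastore, ...):
// it holds only ciphertext plus a version list per secret, never the key.
type Store struct {
	kms     *KMS
	secrets map[string][]version // index i holds version i+1
}

func NewStore(kms *KMS) *Store {
	return &Store{kms: kms, secrets: map[string][]version{}}
}

func aad(name string, ver int) []byte {
	return []byte(fmt.Sprintf("%s/versions/%d", name, ver))
}

// AddVersion encrypts plaintext and appends it as a new enabled version.
// Rotation is "add a version", never "overwrite", so rollback stays possible.
func (s *Store) AddVersion(name string, plaintext []byte) (int, error) {
	ver := len(s.secrets[name]) + 1
	ct, err := s.kms.Encrypt(plaintext, aad(name, ver))
	if err != nil {
		return 0, err
	}
	s.secrets[name] = append(s.secrets[name], version{ciphertext: ct, enabled: true})
	return ver, nil
}

// Access decrypts version ver of name; ver == 0 means "latest enabled".
func (s *Store) Access(name string, ver int) ([]byte, error) {
	vs, ok := s.secrets[name]
	if !ok {
		return nil, fmt.Errorf("secret %q not found", name)
	}
	if ver == 0 {
		for i := len(vs) - 1; i >= 0 && ver == 0; i-- {
			if vs[i].enabled {
				ver = i + 1
			}
		}
		if ver == 0 {
			return nil, fmt.Errorf("secret %q has no enabled versions", name)
		}
	}
	if ver < 1 || ver > len(vs) {
		return nil, fmt.Errorf("secret %q has no version %d", name, ver)
	}
	if !vs[ver-1].enabled {
		return nil, fmt.Errorf("secret %q version %d is disabled", name, ver)
	}
	return s.kms.Decrypt(vs[ver-1].ciphertext, aad(name, ver))
}

// Disable makes a version unreadable without destroying it.
func (s *Store) Disable(name string, ver int) error {
	vs := s.secrets[name]
	if ver < 1 || ver > len(vs) {
		return fmt.Errorf("secret %q has no version %d", name, ver)
	}
	vs[ver-1].enabled = false
	return nil
}

func main() {
	kms, err := NewKMS()
	if err != nil {
		panic(err)
	}
	st := NewStore(kms)
	st.AddVersion("db-password", []byte("old-password"))
	st.AddVersion("db-password", []byte("new-password"))
	latest, _ := st.Access("db-password", 0)
	fmt.Println("latest:", string(latest)) // new-password
	st.Disable("db-password", 1)
	_, err = st.Access("db-password", 1)
	fmt.Println("v1 after disable:", err)
}
```

Two details carry the security weight. First, a new version is appended rather than written over the old one, so consumers that still hold the previous credential keep working during rotation and a bad rotation can be rolled back by re-enabling. Second, the AEAD associated data ties each ciphertext to its own name and version; without it, an attacker or a buggy job with write access to the bucket could replace the "latest" blob with any older ciphertext from the same project and KMS would happily decrypt it. A managed Secret Manager gives you both properties for free, which is the practical difference from raw KMS.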
~~~
robohoe
You can also use AWS Parameter Store with KMS (SecureString type) to store
secrets in Parameter Store. Of course this doesn't offer rotation of the
secrets although KMS will handle key rotation.

------
darkwater
The title is missing the "Secret" word which makes a significant difference.
"Cloud's Manager" vs "Cloud's Secret Manager". With the current title I was
thinking about a generic cloud manager for GCloud

------
userbinator
I thought it would be a story about the elusive nature of the Google Cloud
management people.

~~~
degenerate
Me too. Everyone else calls key storage "Secrets Manager" (plural)

------
csapdani
As someone trying to move away from Google, no thanks.

