Concept

GCP Secret Manager

Google Cloud's managed secret store: versioned, IAM-gated, encrypted at rest. Secrets are addressed as `projects/<p>/secrets/<name>/versions/<n|latest>` and fetched over REST/gRPC with an OAuth token — commonly the attached service account's token from the instance metadata server, so a VM can read its secrets with **no key material on disk**.

type: concept · status: active · tags: gcp, security, secrets

Key points

  • Versioned: adding a version rotates without breaking readers pinned to `latest`; old versions are individually destroyable (`gcloud secrets versions destroy`).
  • Least privilege: grant `roles/secretmanager.secretAccessor` on named secrets, not the project; effective VM access = IAM ∩ instance OAuth scope.
  • Access pattern from a bare VM (no gcloud needed): metadata server → SA access token → `GET …/versions/latest:access` → base64-decode `payload.data`. Parse the JSON with a real parser — the API pretty-prints, so a naive `grep '"data":"'` matches nothing.
  • Payload hygiene: write secrets with `printf '%s'`, not `echo` — a trailing newline survives the round-trip and corrupts consumers.
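The bare-VM read path above, written in Python instead of curl + jq (an added example, not code from this wiki or the project): token from the metadata server, the `:access` call, a real JSON parse of the API's pretty-printed response with base64 decoding of `payload.data`, and the trailing-newline check from the hygiene point. The project number, secret name and payload in the sample response are constructed.

```python
import base64
import json
import urllib.request

# Constructed sample of what GET .../versions/latest:access returns.
# Note the pretty-printing: '"data":"' (no space) never appears, which is
# why a naive grep finds nothing. The payload deliberately ends in "\n"
# to show what an `echo`-written secret looks like after the round-trip.
SAMPLE_RESPONSE = """{
  "name": "projects/123456789012/secrets/tailscale-auth-key/versions/3",
  "payload": {
    "data": "dHNrZXktRVhBTVBMRQo="
  }
}"""

METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")


def sa_access_token() -> str:
    """Fetch the attached service account's OAuth token from the metadata
    server. The Metadata-Flavor header is mandatory; no key material on disk."""
    req = urllib.request.Request(METADATA_TOKEN_URL,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]


def access_url(project: str, name: str, version: str = "latest") -> str:
    """Build the REST :access URL for a secret version."""
    return (f"https://secretmanager.googleapis.com/v1/projects/{project}"
            f"/secrets/{name}/versions/{version}:access")


def decode_access_response(body: str) -> tuple:
    """Parse the response with a real JSON parser and base64-decode
    payload.data. Returns (resolved version name, raw secret bytes)."""
    doc = json.loads(body)
    return doc["name"], base64.b64decode(doc["payload"]["data"])


def has_trailing_newline(secret: bytes) -> bool:
    """True when the secret was written with echo instead of printf '%s'."""
    return secret.endswith(b"\n")


def fetch_secret(project: str, name: str, version: str = "latest") -> bytes:
    """End-to-end read from a VM: metadata token -> :access -> decoded bytes."""
    req = urllib.request.Request(
        access_url(project, name, version),
        headers={"Authorization": f"Bearer {sa_access_token()}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        _, data = decode_access_response(resp.read().decode())
    return data
```

`fetch_secret` needs the instance's service account to hold `roles/secretmanager.secretAccessor` on the named secret and the VM's OAuth scope to permit the API, as the least-privilege point above states; `decode_access_response` runs offline against the sample.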

Details

In gcp-mcp-standalone/HLD, Secret Manager is the home for the Tailscale auth key (read once at first boot by the startup script) and the GitHub OAuth client secret (read at each Ansible deploy). This keeps secrets out of git, tfvars, Terraform state and instance metadata; rotation is a version bump plus, for boot-time secrets, VM replacement (gcp-mcp-standalone/runbooks/rotate-tailscale-key).

Sources

Compiled from wiki/concepts/GCP-Secret-Manager.md · git is the source of truth