Add secret manager support
Teach logan how to access Google Secret Manager secrets. We do this by extending the `source` field for secrets.
Previously logan just knew how to decrypt local files:

```yaml
# ...
secrets:
  - name: some secret
    source: path/to/encrypted/file.json.enc
    target: /path/to/container/file.json
    key:
      # ... key configuration
```
Now, borrowing heavily from the berglas reference syntax, one can specify Secret Manager secrets as the source:

```yaml
# ...
secrets:
  - name: some secret
    source: sm://some-project-name/my-secret
    target: /path/to/container/file.json
```
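As an added illustration (not logan's own code), this is how the `source` field can be dispatched: a plain path stays a local encrypted file, while an `sm://project/secret` reference is turned into the Secret Manager resource name that the `google-cloud-secret-manager` client expects. The optional `#version` suffix follows the berglas syntax and is an assumption here; the page only shows the bare form. The client is injected so the fetch can be exercised with a fake, and the real client would use the application default credentials described below.

```python
from dataclasses import dataclass
from typing import Union
from urllib.parse import urlparse


@dataclass(frozen=True)
class SecretManagerRef:
    """A parsed sm://<project>/<secret>[#<version>] reference."""
    project: str
    secret: str
    version: str = "latest"

    @property
    def resource_name(self) -> str:
        # Resource name accepted by SecretManagerServiceClient.access_secret_version
        return f"projects/{self.project}/secrets/{self.secret}/versions/{self.version}"


@dataclass(frozen=True)
class LocalEncryptedFile:
    """A KMS-encrypted file on disk (the pre-existing source type)."""
    path: str


SecretSource = Union[SecretManagerRef, LocalEncryptedFile]


def parse_secret_source(source: str) -> SecretSource:
    """Classify a secrets[].source value; reject malformed or unknown schemes."""
    if source.startswith("sm://"):
        parsed = urlparse(source)
        project, secret = parsed.netloc, parsed.path.lstrip("/")
        # Exactly one path segment: extra segments would silently address a different resource
        if not project or not secret or "/" in secret:
            raise ValueError(f"malformed Secret Manager reference: {source!r}")
        return SecretManagerRef(project, secret, parsed.fragment or "latest")
    if "://" in source:
        raise ValueError(f"unsupported secret source scheme: {source!r}")
    return LocalEncryptedFile(source)


def access_secret(ref: SecretManagerRef, client) -> bytes:
    """Fetch the secret payload; `client` is a SecretManagerServiceClient (or a test double)."""
    response = client.access_secret_version(request={"name": ref.resource_name})
    return response.payload.data
```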
This MR does some tidying up of secrets handling along the way. Logan was originally written as a Python port of a shell script and that shows in that `gcloud` is called directly to decrypt the secrets. There exists a perfectly good Python library to access Cloud KMS so this MR updates logan to make use of it. (See individual commits for details.)
A little compatibility wrinkle is that `gcloud auth login` only sets the credentials for the `gcloud` command itself. To use a personal account as the default application credentials one must use `gcloud auth application-default login` instead. The README is updated to note this.
Closes #9