| 1 | +--- |
| 2 | +title: Using GCP Secrets Manager with Okteto |
| 3 | +description: Learn how to securely access secrets stored in Google Cloud Secrets Manager from an Okteto Development Environment |
| 4 | +sidebar_label: GCP Secrets Manager |
| 5 | +id: gcp-secrets-manager |
| 6 | +--- |
| 7 | + |
| 8 | +# Using GCP Secrets Manager with Okteto |
| 9 | + |
| 10 | +## Overview |
| 11 | +This guide explains how to securely access secrets stored in **Google Cloud Secrets Manager** from an Okteto Development Environment. The recommended authentication method uses **Workload Identity Federation**, allowing developers to authenticate without storing long-lived service account keys. |
| 12 | + |
| 13 | +For a complete working example, refer to the [Okteto Community GCP Secrets Manager repository](https://github.com/okteto-community/gcp-secret-manager). |
| 14 | + |
| 15 | +--- |
| 16 | + |
| 17 | +## Prerequisites |
| 18 | +Before proceeding, ensure you have the following: |
| 19 | + |
| 20 | +- **Google Cloud Project** with **Secrets Manager API enabled** |
| 21 | +- **Workload Identity Federation** configured as per [Okteto’s GCP Cloud Credentials Guide](admin/cloud-credentials/gcp.mdx) |
| 22 | +- **Okteto CLI** installed and configured |
| 23 | +- **kubectl** and **gcloud CLI** installed |
| 24 | + |
| 25 | +--- |
| 26 | + |
| 27 | +## Step 1: Configure Workload Identity Federation |
| 28 | +To authenticate your Okteto workloads with Google Cloud, follow the steps in the [Okteto GCP Cloud Credentials Guide](admin/cloud-credentials/gcp.mdx). This method ensures secure access to GCP services without using long-lived credentials. |
| 29 | + |
| 30 | +--- |
| 31 | + |
| 32 | +## Step 2: Store and Retrieve Secrets in GCP Secrets Manager |
| 33 | +### 2.1 Store a Secret |
| 34 | +To store a secret file in **Google Cloud Secrets Manager**, follow these steps: |
| 35 | + |
| 36 | +#### **Create a local secret file** |
| 37 | +Here we'll create a secret file `top-secret-information.txt` with the content: |
| 38 | +``` |
| 39 | +MY_NAME=cindy |
| 40 | +MY_COLOR=valencia green |
| 41 | +``` |
| 42 | +```sh |
| 43 | +echo -e "MY_NAME=cindy\nMY_COLOR=valencia green" > top-secret-information.txt |
| 44 | +``` |
| 45 | + |
| 46 | +#### **Create a new secret in GCP** |
| 47 | +```sh |
| 48 | +gcloud secrets create top-secret-information --replication-policy="automatic" |
| 49 | +``` |
| 50 | + |
| 51 | +#### **Upload the file as a new version of the secret** |
| 52 | +```sh |
| 53 | +gcloud secrets versions add top-secret-information --data-file=top-secret-information.txt |
| 54 | +``` |
| 55 | + |
| 56 | +### 2.2 Verify this saved by retrieving the Secret Manually |
| 57 | +To retrieve the secret manually from your local environment: |
| 58 | + |
| 59 | +```sh |
| 60 | +gcloud secrets versions access latest --secret=top-secret-information |
| 61 | +``` |
| 62 | + |
| 63 | +--- |
| 64 | + |
| 65 | +## Step 3: Access GCP Secrets from an Okteto Development Environment |
| 66 | +### 3.1 Deploy the Example Application |
| 67 | +Ensure your development environment is running in Okteto and has access to the necessary **GCP credentials**. |
| 68 | + |
| 69 | +Clone the example repository and deploy the sample application: |
| 70 | + |
| 71 | +```sh |
| 72 | +git clone https://github.com/okteto-community/gcp-secret-manager.git |
| 73 | +cd gcp-secret-manager |
| 74 | +okteto up |
| 75 | +``` |
| 76 | + |
| 77 | +This will start a development container with the necessary permissions. |
| 78 | + |
| 79 | +### 3.2 Retrieve and Use Secrets in the example Go Application |
| 80 | +Once the environment is deployed, go to the **Okteto UI** and click on the **endpoint** that Okteto created for you. The logic in `main.go` from the sample repository retrieves values from the secret file we created in **Google Cloud Secrets Manager**. The output will be similar to this: |
| 81 | + |
| 82 | +``` |
| 83 | +Hi, my name is cindy, and my favorite color is valencia green. |
| 84 | +``` |
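Review bot: The "Create a local secret file" step (new-file lines 36 to 43) leaves the plaintext secret in `top-secret-information.txt` in the working directory after the upload on line 53, and the guide never tells the reader to delete it or keep it out of version control. The same step uses `echo -e` inside a block tagged `sh`, where `-e` is not portable and some shells write it into the file literally. Suggest streaming the value instead, `printf 'MY_NAME=cindy\nMY_COLOR=valencia green\n' | gcloud secrets versions add top-secret-information --data-file=-`, so nothing is written to disk, or add an explicit cleanup step after line 53. Separately, nothing between Step 1 and Step 3 says the federated identity needs read access to this secret (for example `roles/secretmanager.secretAccessor` on `top-secret-information`); if the linked credentials guide does not grant it, the Go application in 3.2 will not be able to read the secret, so state the requirement here. Minor: the Google Cloud product name is "Secret Manager" (the linked repository is `gcp-secret-manager`), the heading on line 56 reads awkwardly, and the fence opened on line 38 has no language tag.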