# Google Cloud Secret Manager
@purista/gcloud-secret-store connects to Google Cloud Secret Manager. It is the recommended choice for GCP-hosted services — secrets are versioned, access is controlled with IAM, and operations are logged to Cloud Audit Logs.
## Capabilities

| Feature | Support |
|---|---|
| Read (getSecret) | ✅ |
| Write (setSecret) | ✅ (opt-in) |
| Delete (removeSecret) | ✅ (opt-in) |
| Secret versioning | ✅ |
| Workload Identity (GKE) | ✅ |
| Cloud Audit Logs | ✅ |
| CMEK encryption | ✅ |
## Install

```bash
npm install @purista/gcloud-secret-store
```
## Setup

```typescript
import { GoogleSecretStore } from '@purista/gcloud-secret-store'

const secretStore = new GoogleSecretStore({
  project: process.env.GCP_PROJECT_ID ?? 'projects/my-gcp-project',
  // writes and deletes are disabled unless explicitly opted in
  enableSet: true,
  enableRemove: true,
})

const myService = await myV1Service.getInstance(eventBridge, { secretStore })
```
Authentication uses Application Default Credentials — Workload Identity in GKE, service account key files, or gcloud auth application-default login in development.
## Usage inside a handler

```typescript
.setCommandFunction(async function (context, payload) {
  const { stripeApiKey } = await context.secrets.getSecret('stripeApiKey')
  // use stripeApiKey to call Stripe
})
```
## IAM policy

Grant the Secret Manager Secret Accessor role for read-only access:

```bash
gcloud projects add-iam-policy-binding MY_PROJECT \
  --member="serviceAccount:my-service@MY_PROJECT.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"
```
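A read-only consumer should hold `roles/secretmanager.secretAccessor` and nothing broader. The following added example (not part of @purista/gcloud-secret-store) audits a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy MY_PROJECT --format=json` and reports Secret Manager roles beyond the accessor role, basic roles, and grants to public principals; the sample policy, service account names and project id are constructed.

```typescript
// Added example: audit project IAM bindings for over-broad Secret Manager access.
// Input shape matches `gcloud projects get-iam-policy ... --format=json`.
type Binding = { role: string; members: string[] }
type IamPolicy = { bindings: Binding[]; etag?: string; version?: number }
type Finding = { member: string; role: string; reason: string }

// The only role a workload that just reads secrets needs.
const READ_ONLY_ROLE = 'roles/secretmanager.secretAccessor'
// Basic roles are far broader than any single workload should hold.
const BASIC_ROLES = new Set(['roles/owner', 'roles/editor', 'roles/viewer'])
// Principals that make a grant effectively public.
const PUBLIC_MEMBERS = new Set(['allUsers', 'allAuthenticatedUsers'])

export function auditSecretAccess(policy: IamPolicy): Finding[] {
  const findings: Finding[] = []
  for (const b of policy.bindings ?? []) {
    const isSecretRole = b.role.startsWith('roles/secretmanager.')
    const isBasic = BASIC_ROLES.has(b.role)
    if (!isSecretRole && !isBasic) continue // unrelated binding
    for (const member of b.members) {
      if (PUBLIC_MEMBERS.has(member)) {
        findings.push({ member, role: b.role, reason: 'granted to a public principal' })
      } else if (isBasic) {
        findings.push({ member, role: b.role, reason: 'basic role instead of a Secret Manager role' })
      } else if (b.role !== READ_ONLY_ROLE) {
        findings.push({ member, role: b.role, reason: 'Secret Manager role other than secretAccessor' })
      }
    }
  }
  return findings
}

// Constructed sample policy (hypothetical project and accounts): one service account
// with the intended read-only role, one with admin rights, a metadata role leaked to
// every authenticated Google account, and a basic role on a user.
export const samplePolicy: IamPolicy = {
  version: 1,
  bindings: [
    { role: 'roles/secretmanager.secretAccessor', members: ['serviceAccount:my-service@my-gcp-project.iam.gserviceaccount.com'] },
    { role: 'roles/secretmanager.admin', members: ['serviceAccount:ci-deployer@my-gcp-project.iam.gserviceaccount.com'] },
    { role: 'roles/secretmanager.viewer', members: ['allAuthenticatedUsers'] },
    { role: 'roles/editor', members: ['user:alice@example.com'] },
  ],
}

console.log(JSON.stringify(auditSecretAccess(samplePolicy), null, 2))
```

Run it against the real policy export to get an empty list for a correctly scoped project; any finding is a binding to review.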
## Operational tips

- Use Workload Identity in GKE instead of exporting service account keys — it’s more secure and easier to rotate
- Each secret version is immutable; disable old versions instead of deleting to preserve audit history
- Secret Manager supports regional replication — use it for compliance requirements or latency optimization
- Enable Secret Manager audit logs in Cloud Audit Logs to track all access