GitHub - GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp: Google Secret Manager provider for the Secret Store CSI Driver. (original) (raw)

Google Secret Manager provider for the Secret Store CSI Driver. Allows you to access secrets stored in Secret Manager as files mounted in Kubernetes pods.

Install

• Create a new GKE cluster with Workload Identity or enableWorkload Identityon an existing cluster.
• Install theSecret Store CSI Driverv1.0.1 or higher to the cluster.
• Install the Google plugin DaemonSet & additional RoleBindings:

kubectl apply -f deploy/provider-gcp-plugin.yaml

if you want to use helm

helm upgrade --install secrets-store-csi-driver-provider-gcp charts/secrets-store-csi-driver-provider-gcp

NOTE: The driver's rotation and secret syncing functionality is still in Alpha and requires additional installation steps.

Usage

Secret Manager

The provider will use the workload identity of the pod that a secret is mounted onto when authenticating to the Google Secret Manager API. For this to work the workload identity of the pod must be configured and appropriate IAM bindings must be applied.

• Setup the workload identity service account.

$ export PROJECT_ID= $ gcloud config set project $PROJECT_ID $ export PROJECT_NUMBER="$(gcloud projects describe "${PROJECT_ID}" --format='value(projectNumber)')"

• Create a secret that the workload identity service account can access

Create a secret with 1 active version

$ echo "foo" > secret.data $ gcloud secrets create testsecret --replication-policy=automatic --data-file=secret.data $ rm secret.data

grant the new service account permission to access the secret

$ gcloud secrets add-iam-policy-binding testsecret
--role=roles/secretmanager.secretAccessor
--member=principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${PROJECT_ID}.svc.id.goog/subject/ns/default/sa/mypodserviceaccount

• Note: Regional secrets are also supported from v1.6.0, Please see Regional Secret Documentation.
• Try it out the example which attempts to mount the secret "test" in $PROJECT_ID to /var/secrets/good1.txt and /var/secrets/good2.txt

$ ./scripts/example.sh $ kubectl exec -it mypod /bin/bash root@mypod:/# ls /var/secrets

Parameter Manager

From version 1.9.0, secrets-store-csi-driver-provider-gcp also supports mounting the parameter version from Google Parameter Version

Parameter Manager is an extension to the Secret Manager service and provides a centralized storage for all configuration parameters related to your workload deployments.

• Setup the workload identity service account if not done already for secret manager example.

$ export PROJECT_ID= $ gcloud config set project $PROJECT_ID $ export PROJECT_NUMBER="$(gcloud projects describe "${PROJECT_ID}" --format='value(projectNumber)')"

• Create a parameter that the workload identity service account can access in the supported location.

set the location

$ export LOCATION_ID= $ gcloud config set api_endpoint_overrides/parametermanager https://parametermanager.${LOCATION_ID}.rep.googleapis.com/ $ echo "server_port: 8080" > parameter.data $ gcloud parametermanager parameters create testparameter --location LOCATIONID−−parameter−format=YAML−−project{LOCATION_ID} --parameter-format=YAML --project LOCATIONI​D−−parameter−format=YAML−−project{PROJECT_ID} $ gcloud parametermanager parameters versions create testversion --parameter=testparameter --location=${LOCATION_ID} --payload-data-from-file=parameter.data $ rm parameter.data

grant the new service account permission to access the secret

$ gcloud projects add-iam-policy-binding ${PROJECT_ID}
--role=roles/parametermanager.parameterAccessor
--member=principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${PROJECT_ID}.svc.id.goog/subject/ns/default/sa/mypodserviceaccount

• Try it out the example which attempts to mount the parameterversions

$ ./scripts/pm_example.sh

wait for pod to be in running state

$ kubectl exec -it mypod -- cat /var/secrets/good1.txt

Security Considerations

This plugin is built to ensure compatibility between Secret Manager and Kubernetes workloads that need to load secrets from the filesystem. It also enables syncing of those secrets to Kubernetes-native secrets for consumption as environment variables.

When evaluating this plugin consider the following threats:

• When a secret is accessible on the filesystem, application vulnerabilities like directory traversal attacks can become higher severity as the attacker may gain the ability to read the secret material.
• When a secret is consumed through environment variables, misconfigurations such as enabling a debug endpoint or including dependencies that log process environment details may leak secrets.
• When syncing secret material to another data store (like Kubernetes Secrets), consider whether the access controls on that data store are sufficiently narrow in scope.

For these reasons, when possible we recommend using the Secret Manager API directly (using one of the provided client libraries, or by following the REST or GRPC documentation).

Contributing

Please see the contributing guidelines.

Support

This is not an officially supported Google product.

For supportplease search open issues here, and if your issue isn't already represented pleaseopen a new one. Pull requests and issues will be triaged weekly.

We close issues after 30 days if there's been no response or action taken.