'Using secret manager across multiple client organizations

Let's say I have an application that is used by two companies. These companies have database (and other) connections that will be stored in Secret Manager:

  • Company: General Motors

    • Resource: Oracle Database Credentials
    • Resource: SSH Key XYZ

  • Company: Samsung

    • Resource: Postgres Database Credentials
    • Resource: Encryption Key ABC

The companies themselves would never use an IAM to access their secrets, basically we're just trying to use the Secrets Manager as a way to securely store credentials, rather than handling this on our end.

What is the suggested best practice for holding secrets across multiple organizations. Is there a way to physically separate secrets by "client account", or what's the suggested way to set up secrets across multiple client organizations? (Note: I don't mean how to access the secrets or make sure that one client can't see another client's secrets, I mean its implementation on the Google-side and best practices for that).

I suppose one way is to have a Folder for each client organization -- would that help at all?

enter image description here

I suppose this might be a good usage for Multitenancy with GCP ?

google-cloud-platformgoogle-cloud-iamgoogle-secret-manager


Solution 1:[1]

Since Secret Manager doesn't offer options to organize the secrets by itself, I don't think it's the best alternative to what you need. But you could do it like:

One Secret per company, using Secret Manager

  1. Create a dedicated GCP project for your secrets
  • more control over what service accounts and users can access the secrets
  • isolate client secrets from your product secrets
  1. Define a name pattern for each secret
  • COMPANY_ID ?
  1. Define a format and contract for your secrets
  • Enforce this in your API/SecretService
  • I'd suggest a JSON like:
{
  company_id: string,
  secret1: {
    user: string,
    password: string
  }
}

4- Create a CRUD API/SecretService to manage your secrets and enforce the format.

Save secrets in your database using Cloud KMS

  1. Use GCP KMS to generate an encryption key for your SecretService
  2. Encrypt your client credentials and save them to your regular database
  • Save your encryption key ID to the database, with the client credentials (so you can rotate keys)
  1. Use the key ID to get the decryption key from KMS and decrypt the client credentials when you need them
  2. Rotate keys as needed (there are a few alternatives on how to do this)

Conclusion

I'd go with the second alternative, since it's cheaper (Secret Manager charges per secret), more organized and easier to enforce the credential format.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 petrusgomes

Related Questions

How to use use Firestore document field's HashMap key value and populate recyclerview?

how to keep GKE cluster nodes in different regions?

Google Cloud TTS API for M1 Mac

Is it possible to render a video from AfterEffects in a Google Collaboratory notebook?

Allow-IAP Firewall Rule created in default VPC in GCP getting reflected in other VPC as well

Attribute Error when importing SpeechClient from google.cloud.speech

GCP Cost billing data

What is the difference between gcloud and gsutil?

Volume not persistent in Google Cloud

Permission Denied when trying to write on a TPU VM foler

Google Cloud Free Tier will start charging for static or ephemeral IP Address?

How to create a empty folder in google storage(bucket) using gsutil command?

How can size of the root disk in Google Compute Engine be increased?

Cannot switch Firestore from Datastore to native mode on GCP

action console simulator is not working and I cannot release my project