Configure GCP Secret Manager as a Secret Store

This feature is currently in closed-access beta. Functionality and documentation may change.

Secret Stores allow you to use your existing third-party secrets storage tool with strongDM. Your credentials are stored in a tool that is controlled by you, and those credentials are never transmitted to strongDM in any form. If you would like to learn more about how Secret Stores work, and why you might wish to use them, please read the Secret Stores Reference.

This guide will walk you through how to register Google Cloud Platform (GCP) Secret Manager as a secret store in strongDM, and how to use it to connect to resources.

Set up GCP Secret Manager

To get started with GCP Secret Manager, store credentials to some of your resources in it and note the correct paths to those credentials. Then, set up your relay server so that it is authorized to access Secret Manager.

  1. Set up your credentials in GCP Secret Manager (if you have not already).
  2. Get Application Credentials for GCP, save them to your relay server, and set the necessary environment variable that points to those credentials on your relay server (GOOGLE_APPLICATION_CREDENTIALS).
  3. Edit the file /etc/sysconfig/sdm-proxy (unless you have moved or renamed your sdm-proxy file) and add the following line, substituting the path to your own credentials file:
    GOOGLE_APPLICATION_CREDENTIALS="/home/service/keys/gcp-key.json"
  4. Restart the sdm-proxy service (with something like sudo systemctl restart sdm-proxy, depending on your distribution).
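
A pre-flight check for steps 2 through 4, as an added example that is not strongDM's own tooling: it reads the variable from the sdm-proxy environment file and confirms that the key file exists, is closed to group and other users, and is a service account key. The function names and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not strongDM code): verify the relay's GCP credential setup.
# Call as: check_gcp_creds /etc/sysconfig/sdm-proxy   (run as the service user or root)

# Print the GOOGLE_APPLICATION_CREDENTIALS value from an env file.
# If the variable is set more than once, the last assignment wins.
creds_path() {
    sed -n 's/^[[:space:]]*GOOGLE_APPLICATION_CREDENTIALS=//p' "$1" \
        | tail -n 1 | sed -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Return 0 when everything checks out; otherwise print the reason and
# return a distinct non-zero code per failure.
check_gcp_creds() {
    env_file=$1
    [ -r "$env_file" ] || { echo "cannot read $env_file"; return 2; }
    key=$(creds_path "$env_file")
    [ -n "$key" ] || { echo "GOOGLE_APPLICATION_CREDENTIALS not set in $env_file"; return 3; }
    [ -f "$key" ] && [ -r "$key" ] || { echo "$key is missing or unreadable"; return 4; }
    # Columns 5-10 of `ls -l` are the group and other permission bits.
    # Assumed policy for this example: only the owner may access the key.
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$key is open to group/other ($perms)"; return 5; }
    # A service account key file declares "type": "service_account".
    grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" \
        || { echo "$key is not a service account key"; return 6; }
    echo "ok: $key"
}
```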

Configure the Secret Store with the Admin UI

Once you have GCP Secret Manager set up, credentials stored, and your relay server able to access said credentials, it's time to register the secret store with strongDM.

  1. In the Admin UI, go to the Settings page, and click the Secret Stores tab.
  2. Click the "add secret store" button to reveal the Add Secret Store form.
    Secret Stores Settings
  3. Enter a Display Name, and set the appropriate Secret Store Type.

If you've configured the relay server correctly for secret store access and authorization, you will see the green online indicator.

Now, create a resource that uses the secret store, assign it to a user, and verify that you can connect.

  1. In the Admin UI, add a new resource such as a server or datasource and choose the GCP Secrets Manager Secret Store type.

  2. Fill out the information for a resource whose credentials you have stored in your secret store.

  3. Select the GCP Secret Manager you created for the Secrets Store field, then fill in the path to the secrets that you've stored in your management tool.

    GCP Secret Manager does not store usernames and passwords or other such pairs; each secret holds a single text value. That value can be JSON, so you can store a username/password or key ID/key value pair within a single secret if you desire. If you do so, you must also append ?key=username or ?key=password to the path to fetch the specific item you are looking for.

  4. Submit the form.

  5. Go to Users, and assign a user access to the resource.

  6. Log in as that user in your local GUI (or have the user do so, if the account is not yours) and verify that the resource exists, test a connection, and execute a query.

Congratulations, you've connected to a resource using Secret Stores.