Closed
Description
Motivation
For Serverless products like Cloud Run, one should not be injecting secrets into the backend service via Environment Variables. Thus, one should use Google Cloud's Secret Manager to query for sensitive information like Database Passwords. It seems that there would be a great advantage to having the logic to retrieve secrets in GoogleCloudKit.
Implementation
Much of the work for authentication can be re-used from GoogleCloudCore. A request would only need the OAuth token, provided by OAuthRefreshable. From the Secret Manager API docs, a request would be simple enough to implement with the token.
Create a Secret
curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets?secretId=my-secret" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id" \
--data "{\"replication\": {\"automatic\": {}}}"
Retrieve a Secret
curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/my-secret/versions/1:access" \
--request "GET" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id"
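The `:access` call above returns JSON in which the secret value is base64-encoded under `payload.data`, so a client has to decode it before use. The following is an added example, not code from the issue or from GoogleCloudKit: the helper names `sm_access_url`, `sm_decode_payload` and `sm_access` are hypothetical, the identifier check is deliberately stricter than the API requires, and the sample response is constructed.

```shell
# Constructed sample of an :access response (payload.data is base64 of "s3cr3t-password").
SAMPLE_RESPONSE='{
  "name": "projects/project-id/secrets/my-secret/versions/1",
  "payload": { "data": "czNjcjN0LXBhc3N3b3Jk" }
}'

# Build the :access URL. Identifiers are restricted to [A-Za-z0-9_-] so that a
# caller-supplied value cannot add path segments or query parameters.
sm_access_url() {
  for part in "$1" "$2" "$3"; do
    case "$part" in
      ''|*[!A-Za-z0-9_-]*) echo "invalid identifier: $part" >&2; return 1 ;;
    esac
  done
  printf 'https://secretmanager.googleapis.com/v1/projects/%s/secrets/%s/versions/%s:access' \
    "$1" "$2" "$3"
}

# Read an :access response on stdin, extract payload.data and base64-decode it.
# Fails (non-zero) when the field is missing, e.g. on an {"error": ...} body,
# so an error document is never mistaken for a secret.
sm_decode_payload() {
  b64=$(tr -d '\n' | sed -n 's#.*"data"[[:space:]]*:[[:space:]]*"\([^"]*\)".*#\1#p')
  [ -n "$b64" ] || { echo "no payload.data in response" >&2; return 1; }
  printf '%s' "$b64" | base64 --decode
}

# Fetch and decode one secret version: sm_access PROJECT SECRET VERSION.
# Uses the same headers as the curl request above. The decoded value goes to
# stdout only; capture it in the caller rather than writing it to logs.
sm_access() {
  url=$(sm_access_url "$1" "$2" "$3") || return 1
  curl --silent --show-error --fail "$url" \
    --header "authorization: Bearer $(gcloud auth print-access-token)" \
    --header "x-goog-user-project: $1" | sm_decode_payload
}
```
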