1 change: 1 addition & 0 deletions sidebarTutorials.js
@@ -28,6 +28,7 @@ module.exports = {
'external-resources',
'webpack',
'using-launchdarkly-and-okteto-to-automate-modern-feature-flag-management',
'gcp-secret-manager',
'divert',
'optimize-your-development-environment',
'create-and-use-volume-snapshots',
102 changes: 102 additions & 0 deletions src/tutorials/gcp-secret-manager.mdx
@@ -0,0 +1,102 @@
---
title: Using Google Cloud Secret Manager with Okteto
description: Inject secrets stored in Google Cloud Secret Manager into your Okteto Development and Preview Environments
id: gcp-secret-manager
---

[Google Cloud Secret Manager](https://cloud.google.com/security/products/secret-manager) stores API keys, passwords, certificates, and other sensitive data in your GCP account. Okteto can retrieve these secrets when deploying your application, so your Development and Preview Environments use the same secret store as the rest of your infrastructure and developers never handle the secret values directly.

This tutorial deploys the [okteto-community/gcp-secret-manager](https://github.com/okteto-community/gcp-secret-manager) sample application: a Go web server that reads its configuration from an `.env` file created at deploy time from a secret stored in Secret Manager.

## Prerequisites

- Admin access to an Okteto instance
- A GCP project with the [Secret Manager API enabled](https://cloud.google.com/secret-manager/docs/configuring-secret-manager)
- The [gcloud CLI](https://cloud.google.com/sdk/docs/install) installed and authenticated against your GCP project
- The [Okteto CLI](/docs/get-started/install-okteto-cli/) installed and configured

## Giving your Okteto instance access to your GCP account

Okteto authenticates to GCP with a dedicated service account whose key you store as [Admin Variables](/docs/core/okteto-variables/#admin-variables). Admin Variables are available to the deploy commands of every Development and Preview Environment in your Okteto instance.

1. [Create a service account](https://cloud.google.com/iam/docs/service-accounts-create) for your Okteto instance. Grant it the minimum set of permissions it needs — for this tutorial, the `Secret Manager Secret Accessor` role is enough.
2. [Create a service account key](https://cloud.google.com/iam/docs/keys-create-delete) and save it locally.
3. In the Okteto Admin Dashboard, navigate to **Admin → Variables** and create the following Admin Variables:
- `GCP_PROJECT_ID`: the ID of the GCP project you are using
- `GCP_SERVICE_KEY`: the base64-encoded value of the service account key you created

You can generate the base64 value of the key with:

```bash
base64 -i <path-to-your-service-account-key>.json
```

:::tip
If you prefer not to manage long-lived service account keys, you can configure keyless authentication with [Workload Identity Federation](/docs/admin/cloud-credentials/gcp-cloud-credentials/) instead. The rest of this tutorial uses the service account key approach.
:::

## Creating the secret

The sample application expects a secret named `top-secret-information` containing an `.env` file with two values. Create a local file with the secret content:

```bash
echo -e "MY_NAME=cindy\nMY_COLOR=valencia green" > top-secret-information.txt
```

Create the secret in Secret Manager:

```bash
gcloud secrets create top-secret-information --replication-policy="automatic"
```

Upload the file as the first version of the secret:

```bash
gcloud secrets versions add top-secret-information --data-file=top-secret-information.txt
```

Verify the secret by retrieving it:

```bash
gcloud secrets versions access latest --secret=top-secret-information
```

## Deploying the Development Environment

Clone the sample repository and deploy it:

```bash
git clone https://github.com/okteto-community/gcp-secret-manager.git
cd gcp-secret-manager
okteto deploy
```

You can also deploy the repository directly from the Okteto UI.

The deploy section of the `okteto.yaml` in the sample repository authenticates to GCP using the Admin Variables you created, downloads the secret into an `.env` file, and deploys the application with it:

```yaml
deploy:
# this image already contains the gcloud CLI, so developers don't need to
# install or configure anything except the Okteto CLI
image: google/cloud-sdk:alpine
commands:
- name: Configure GCP credentials
command: |
echo ${GCP_SERVICE_KEY} | base64 -d | gcloud auth activate-service-account --key-file=-
gcloud --quiet config set project ${GCP_PROJECT_ID}

- name: Create the .env file using the secrets stored in Secret Manager
command: gcloud secrets versions access "latest" --secret=top-secret-information > .env-okteto

- name: Deploy the application
command: okteto deploy --file docker-compose.yaml
```

When the deploy finishes, open the endpoint Okteto created for you from the Okteto UI. The application reads `MY_NAME` and `MY_COLOR` from the `.env` file built from your secret:

```
Hi, my name is cindy, and my favorite color is valencia green
```

To use a different secret in your own application, change the `--secret` flag in the deploy command to the name of your secret. Secrets are downloaded only during deployment — rotate a secret in Secret Manager and redeploy to pick up the new value.
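Review bot: the service account key stored in `GCP_SERVICE_KEY` is readable by the deploy commands of every Development and Preview Environment in the instance (the "Giving your Okteto instance access" section states this), so step 1 should make the blast radius explicit: bind `roles/secretmanager.secretAccessor` on the individual secret (`gcloud secrets add-iam-policy-binding top-secret-information --member=serviceAccount:<sa-email> --role=roles/secretmanager.secretAccessor`) rather than granting the `Secret Manager Secret Accessor` role project-wide, since a project-level grant lets anyone who can trigger a deploy read every secret in the project; the Workload Identity Federation tip is the better default and could be promoted above the key-based steps. Two smaller points in the same hunk: `base64 -i <path-to-your-service-account-key>.json` wraps its output at 76 columns on GNU coreutils (macOS `base64` does not), and the unquoted `echo ${GCP_SERVICE_KEY} | base64 -d` then turns those newlines into spaces, which `base64 -d` may reject as invalid input depending on the implementation; either generate the value with `base64 -w 0` on Linux or quote the expansion as `echo "${GCP_SERVICE_KEY}"`. Finally, the deploy step writes the secret to `.env-okteto` (`command: gcloud secrets versions access "latest" --secret=top-secret-information > .env-okteto`) while the prose before and after it refers to an `.env` file; naming the same file in both places would avoid confusion.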