Smart Learning/Kubernetes Learning Journey/Configmaps And Secrets

GCP Secret Manager

---

TrackKubernetes Learning Journey

Current SectionConfigmaps And Secrets

Progress90 of 271

Managing Kubernetes Secrets from GCP Secret Manager (Using GCP Console)

Step 1: Create a Secret in GCP Secret Manager

Go to GCP Console → Secret Manager: https://console.cloud.google.com/security/secret-manager
Click "Create Secret"
Name it db-password
Enter the secret value (e.g., mySecurePassword123)
Click "Create"

Step 2: Create a Service Account for Kubernetes to Access the Secret

Go to IAM & Admin → Service Accounts: https://console.cloud.google.com/iam-admin/serviceaccounts
Click "Create Service Account"
- Name: eso-syncer
Skip adding roles during creation
Click "Done"

Grant Secret Access Role

Go to Secret Manager → Click on db-password
Go to the "Permissions" tab
Click "Grant Access"
Add the service account: eso-syncer@<project-id>.iam.gserviceaccount.com
Role: Secret Manager Secret Accessor
Click Save

Generate and Download a Key

Go to the service account you just created
Go to the "Keys" tab → Click "Add Key" → JSON
Save the key.json file locally

Step 3: Create a Kubernetes Secret from the JSON Key

kubectl create secret generic gcp-credentials \
  --from-file=key.json=key.json

Step 4: Install External Secrets Operator (ESO)

kubectl apply -f https://github.com/external-secrets/external-secrets/releases/download/v0.9.10/install-crds.yaml
kubectl apply -f https://github.com/external-secrets/external-secrets/releases/download/v0.9.10/external-secrets.yaml

Step 5: Create a SecretStore

# secret-store.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-secret-store
spec:
  provider:
    gcpsm:
      projectID: <YOUR_PROJECT_ID>
      auth:
        secretRef:
          secretAccessKeySecretRef:
            name: gcp-credentials
            key: key.json

Apply it:

kubectl apply -f secret-store.yaml

Step 6: Create an ExternalSecret Resource

# external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-db-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-secret-store
    kind: SecretStore
  target:
    name: db-k8s-secret
  data:
    - secretKey: password
      remoteRef:
        key: db-password

Apply it:

kubectl apply -f external-secret.yaml

Step 7: Use the Synced Secret in a Pod

# pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-secret
spec:
  containers:
    - name: app
      image: busybox
      command: ["sh", "-c", "echo $DB_PASSWORD && sleep 3600"]
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-k8s-secret
              key: password

Apply and verify:

kubectl apply -f pod.yaml
kubectl logs test-secret

Expected output:

mySecurePassword123