CoursesGCP securityEncryption, keys & secrets

Secret Manager & rotation

Per-secret IAM, runtime fetch, overlap rotation.

Advanced30 min · lesson 9 of 15

A secret is a value with a lifecycle — issued, scoped, rotated, revoked, and audited on every read — not just an encrypted string. Secret Manager turns credentials from files you copy into governed resources you request at runtime, which is what makes least-privilege access and rotation practical.

Secrets as governed resources

Secret Manager gives each secret its own IAM, CMEK encryption, immutable versions, and an audit log entry on every access. Workloads fetch the secret at runtime through their attached service-account identity, so nothing sensitive ships in the image or the deployment manifest, and access can be revoked centrally without a redeploy. Grant roles/secretmanager.secretAccessor on the specific secret, not project-wide, so each workload reaches only the secrets it needs.

per-secret access, fetched at runtime
# Create a secret and grant access to ONE workload's SA on THAT secret only.
echo -n "$DB_PASSWORD" | gcloud secrets create prod-db --data-file=-
gcloud secrets add-iam-policy-binding prod-db \
--member="serviceAccount:[email protected]" \
--role="roles/secretmanager.secretAccessor"
# The app reads it at startup via its identity — nothing baked into the image:
DB_PW=$(gcloud secrets versions access latest --secret=prod-db)

Rotation with overlap

Secret Manager supports scheduled rotation via a Pub/Sub notification that triggers your rotation function to create a new version. The critical discipline is overlap: keep the old and new versions both valid longer than the longest consumer cache or connection lifetime, confirm every consumer has refreshed to the new version, and only then disable the old one. Rotating a secret that consumers never re-read either breaks them or defeats the purpose.

Runtime secret retrieval
1workload identity
attached SA, no static key
2secretAccessor on one secret
least-privilege read
3fetch latest at runtime
each access logged
4rotate with overlap
consumers refresh before old is disabled
The secret becomes requestable-by-identity, scoped, rotated, and audited — not a value copied into config.
Rotation without refresh is an outage
Disabling an old secret version before consumers have re-read the new one breaks them; leaving them on the old value defeats rotation. Use the dual-version overlap window, verify refresh across every consumer, then retire the old version.