GoogleCloudPlatform / konlet

Apache License 2.0
80 stars 23 forks

Feature: Enable support for Google Secrets Manager #58

Open nycnewman opened 4 years ago

nycnewman commented 4 years ago

Seems that a minor change to konlet-startup would enable the use of Secrets Manager to inject environment variables directly into the container from Secrets Manager. Using the existing auth credentials, one could make a call to Secrets Manager after it calls the Metadata store, get the secrets and map them to environment variables. Something along the lines of:

We are going to see about creating a Pull Request with this change

jawnsy commented 2 years ago

This would be awesome, and I'd be happy to open a PR to add this capability as well, though I'd need some guidance for the desired implementation approach

bschaatsbergen commented 1 year ago

This would be very nice to have, I'm currently a bit lost on how to properly implement a secret integration between konlet/cos and my container.

jimmyntu commented 3 months ago

After 4 years, it's amazing that Container Optimised OS is still not able to load secrets from Secret Manager. Google, please wake up and see what is available from other competitors.

runa commented 2 months ago

You can use this script to get the secret value. Credits to Gemini, I guess

#!/bin/bash
# Fetch one Secret Manager version using the instance's default service
# account token from the metadata server. Requires curl and jq.
set -euo pipefail

# Set the project ID
PROJECT_ID="your-project-id"

# Set the secret ID
SECRET_ID="foobarbaz"

# Set the version (optional, defaults to 'latest')
VERSION="latest"  # or a specific version number

# Get an access token using the metadata server (the Metadata-Flavor header is required)
ACCESS_TOKEN=$(curl -sSf "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
  -H "Metadata-Flavor: Google" | jq -r '.access_token')

# Construct the Secret Manager API URL
API_URL="https://secretmanager.googleapis.com/v1/projects/${PROJECT_ID}/secrets/${SECRET_ID}/versions/${VERSION}:access"

# Make the API call using curl; -f makes a 403/404 fail the script instead of
# feeding an error body to jq and base64 (which would print "null" or garbage).
# The service account needs roles/secretmanager.secretAccessor on the secret.
SECRET_VALUE=$(curl -sSf -H "Authorization: Bearer ${ACCESS_TOKEN}" "${API_URL}" | jq -r '.payload.data' | base64 -d)

# Note: anything echoed here ends up in the console/serial log
echo "The secret value is: ${SECRET_VALUE}"
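The approach proposed in this thread (take a token from the metadata server, call Secret Manager, map the results to environment variables) as a worked example in Go, konlet's own language. This is added illustrative code, not konlet's and not any commenter's; the SecretLoader type, the KEY=projects/P/secrets/S/versions/V spec format and the /run/secret.env output path are assumptions made for the example. Compared with the shell script above it checks the HTTP status, validates caller-supplied names before building a URL from them, verifies the dataCrc32c the API returns with each payload, and writes the result to a 0600 file instead of echoing it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"hash/crc32"
	"net/http"
	"os"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// SecretLoader resolves Secret Manager versions into KEY=value pairs. Illustrative code, not konlet's.
type SecretLoader struct {
	HTTP          *http.Client
	MetadataURL   string // production: http://metadata.google.internal; a field so a test can stub it
	SecretManager string // production: https://secretmanager.googleapis.com
}

var (
	castagnoli  = crc32.MakeTable(crc32.Castagnoli)
	versionName = regexp.MustCompile(`^projects/[A-Za-z0-9_-]+/secrets/[A-Za-z0-9_-]+/versions/[A-Za-z0-9_-]+$`)
	envName     = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)
)

// getJSON GETs url with one header and decodes a 200 JSON body; error bodies are not surfaced.
func (l *SecretLoader) getJSON(url, hdr, val string, out interface{}) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set(hdr, val)
	resp, err := l.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: HTTP %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Access calls secrets.versions.access on a validated projects/P/secrets/S/versions/V name and
// verifies the dataCrc32c (a decimal string in the JSON API) before returning the decoded payload.
func (l *SecretLoader) Access(token, name string) ([]byte, error) {
	if !versionName.MatchString(name) { // keeps "..", "?" or ":" out of the URL built below
		return nil, fmt.Errorf("refusing malformed secret version name %q", name)
	}
	var out struct{ Payload struct{ Data, DataCrc32c string } } // encoding/json matches keys case-insensitively
	if err := l.getJSON(l.SecretManager+"/v1/"+name+":access", "Authorization", "Bearer "+token, &out); err != nil {
		return nil, err
	}
	data, err := base64.StdEncoding.DecodeString(out.Payload.Data)
	want, perr := strconv.ParseUint(out.Payload.DataCrc32c, 10, 32)
	if err != nil || perr != nil || uint32(want) != crc32.Checksum(data, castagnoli) {
		return nil, fmt.Errorf("%s: payload failed base64 or dataCrc32c check", name)
	}
	return data, nil
}

// EnvFromSpec maps lines like DB_PASSWORD=projects/p/secrets/db-pass/versions/latest to KEY=value
// entries for exec.Cmd.Env or a docker --env-file, using the instance's default service account.
func (l *SecretLoader) EnvFromSpec(spec []string) ([]string, error) {
	var tok struct{ AccessToken string `json:"access_token"` }
	url := l.MetadataURL + "/computeMetadata/v1/instance/service-accounts/default/token"
	if err := l.getJSON(url, "Metadata-Flavor", "Google", &tok); err != nil { // header is mandatory
		return nil, err
	}
	var env []string
	for _, line := range spec {
		key, name, ok := strings.Cut(line, "=")
		if !ok || !envName.MatchString(key) {
			return nil, fmt.Errorf("bad environment variable name in %q", line)
		}
		value, err := l.Access(tok.AccessToken, name)
		if err != nil {
			return nil, err
		}
		env = append(env, key+"="+string(value))
	}
	return env, nil
}

// main writes the pairs to a 0600 file (path assumed here) for docker --env-file instead of echoing them to the console/serial log.
func main() {
	l := &SecretLoader{HTTP: &http.Client{Timeout: 10 * time.Second},
		MetadataURL: "http://metadata.google.internal", SecretManager: "https://secretmanager.googleapis.com"}
	env, err := l.EnvFromSpec(os.Args[1:])
	if err == nil {
		err = os.WriteFile("/run/secret.env", []byte(strings.Join(env, "\n")+"\n"), 0o600)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it on a COS instance as `secretenv DB_PASSWORD=projects/my-project/secrets/db-pass/versions/latest` and pass the resulting file with `docker run --env-file /run/secret.env ...`; the service account still needs roles/secretmanager.secretAccessor on each secret, and the name regexp is what stops a spec line from steering the request at a different API path.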