secret-manager | External secret management for Kubernetes | Identity Management library

I'm working with the Python library google-cloud-secret-manager and I'm facing some problems in creating a secret within a defined region.

In the method secretmanager.create_secret seems that there is a metadata parameter that can be filled but I keep receiving errors trying something like:

I try to connect from a Google Cloud Function in Python runtime to an external MySQL server db that is not hosted by Google Cloud.

My "requirements.txt":

I am using Google Cloud Secrets in a NodeJS Project. I am moving away from using preset environment variables and trying to find out the best practice to store and reuse secrets.

The 3 main routes I've found to use secrets are:

1. Fetching all secrets on startup and set them as ENV variables for later use
2. Fetching all secrets on startup and set as constant variables
3. Each time a secret is required, fetch it from Cloud Secrets

Google's own best practice documentation mentions 2 conflicting things:

1. Use ENV variables to set secrets at startup (source)
2. Don't use ENV variables as they can be accessed in debug endpoints and traversal attacks among other things (source)

My questions are:

1. Should I store secrets as variables to be re-used or should I fetch them each time?
2. Does this have an impact on quotas?

I stored my MySQL DB credentials in AWS secrets manager using the Credentials for other database option. I want to import these credentials in my application.properties file. Based on a few answers I found in this thread "https://stackoverflow.com/questions/56194579/how-to-integrate-aws-secret-manager-with-spring-boot-application", I did the following:

1. Added the dependency spring-cloud-starter-aws-secrets-manager-config
2. Added spring.application.name = and spring.config.import = aws-secretsmanager: in application.properties
3. Used secret keys as place holders in the following properties:

...

When running the command python manage.py makemigrations locally on my laptop, I get the following error on my console:

I am unable to retrieve an environment variable accessed in code in my bitbucket deployed application. When my application starts, I want to fetch db uri, like this: const uri = process.env.MONGODB_CONNECTION_URI;

Whenever I build and push the artifact from local, my environment variables are successfully passed from .env-files I have stored locally on my machine. Obviously I do not want to commit this file.

When I use Bitbucket Pipelines for deploying my application to GCP. I am able to successfully push a new artifact to GCP. But on application startup, it is unable to retrieve my db-uri.

This article is pretty close to describing what I want to achieve, but I don't see how this addresses the fact that the property value is an actual secret that I cannot commit to my repo, and need to access at application startup from somewhere.

This question describes how to access variables from secret manager in the Cloud Pipeline, not in the application itself.

I use the predefined google-app-engine-deploy-pipe. Relevant parts of my bitbucket-pipelines.yml looks like this:

Currently migrating my application to Micronaut 3, I encountered one problem with micronaut-gcp. Especially with the google secret manager. I am using gradle with Kotlin DSL.

Actual configuration: (not working, using plugin io.micronaut.library version 2.0.4)

• gradle 7.2
• micronaut 3.0.1

Previous configuration: (working with no plugin, using micronaut-bom)

• gradle 6.5.1
• micronaut 2.4.0
• micronautGcp 3.5.0

I/ The Problem

My goal is to load some secrets as key/value pairs into a property source. I followed the documentation that says to use a bootstrap.yml as follows:

I recently had to bump a google cloud library due to a conflict that was generating a bug. Long story short, I had

I am trying to execute a apache beam pipeline as a dataflow job in Google Cloud Platform.

My project structure is as follows: