Dark-Alex-17/gman
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: Updated the docs to show how to use the GCP Secret Manager provider

Browse Source
This commit is contained in:
Alex Clarke
2025-09-12 18:48:47 -06:00
parent 3e1e138296
commit a303f2fdaa
1 changed files with 60 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+60 -30
View File
@@ -92,6 +92,7 @@ gman aws sts get-caller-identity
- [Providers](#providers)
- [Local](#provider-local)
- [AWS Secrets Manager](#provider-aws_secrets_manager)
- [GCP Secret Manager](#provider-gcp_secret_manager)
- [Run Configurations](#run-configurations)
- [Environment Variable Secret Injection](#environment-variable-secret-injection)
- [Inject Secrets via Command-Line Flags](#inject-secrets-via-command-line-flags)
@@ -244,7 +245,7 @@ documented and added without breaking existing setups. The following table shows
| [`aws_secrets_manager`](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) | ✅ | [AWS Secrets Manager](#provider-aws_secrets_manager) | |
| [`hashicorp_vault`](https://www.hashicorp.com/en/products/vault) | 🕒 | | |
| [`azure_key_vault`](https://azure.microsoft.com/en-us/products/key-vault/) | 🕒 | | |
| [`gcp_secret_manager`](https://cloud.google.com/security/products/secret-manager?hl=en) | 🕒 | | |
| [`gcp_secret_manager`](https://cloud.google.com/security/products/secret-manager?hl=en) | | [GCP Secret Manager](#provider-gcp_secret_manager) | |
| [`1password`](https://1password.com/) | 🕒 | | |
| [`bitwarden`](https://bitwarden.com/) | 🕒 | | |
| [`dashlane`](https://www.dashlane.com/) | 🕒 | | Waiting for CLI support for adding secrets |
@@ -301,6 +302,64 @@ Security and encryption basics
- Memory hygiene: Sensitive buffers are wiped after use (zeroized), and secrets are handled with types (like SecretString)
that reduce accidental exposure through logs and debug prints. No plaintext secrets are logged.
### Provider: `aws_secrets_manager`
The `aws_secrets_manager` provider uses AWS Secrets Manager as the backing storage location for secrets.
- Requires two fields: `aws_profile` and `aws_region`.
- Uses the shared AWS config/credentials files under the named profile to authenticate.
Configuration example:
```yaml
default_provider: aws
providers:
- name: aws
type: aws_secrets_manager
aws_profile: default # Name from your ~/.aws/config and ~/.aws/credentials
aws_region: us-east-1 # Region where your secrets live
```
Important notes:
- Deletions are immediate: the provider calls `DeleteSecret` with `force_delete_without_recovery = true`, so there is no
recovery window. If you need a recovery window, do not delete via `gman`.
- `add` uses `CreateSecret`. If the secret already exists, AWS returns an error. Use `update` to change an existing
secret value.
- IAM permissions: ensure the configured principal has `secretsmanager:GetSecretValue`, `CreateSecret`, `UpdateSecret`,
`DeleteSecret`, and `ListSecrets` for the relevant region and ARNs.
- Credential resolution: the provider explicitly selects the given `aws_profile` and `aws_region` via the AWS config
loader; it does not fall back to other profiles or env-only defaults.
### Provider: `gcp_secret_manager`
The `gcp_secret_manager` provider uses Google Cloud Secret Manager as the backing storage location for secrets.
- Requires: `gcp_project_id` (string) to scope secrets to your project.
- Replication: secrets are created with Automatic replication.
Configuration example:
```yaml
default_provider: gcp
providers:
- name: gcp
type: gcp_secret_manager
gcp_project_id: my-project-id
```
Authentication (Application Default Credentials):
- Option 1: `gcloud auth application-default login` (user ADC on your machine).
- Option 2: Set `GOOGLE_APPLICATION_CREDENTIALS` to a service account key JSON file path.
- Example: `export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json`
- Ensure the service account has appropriate roles (e.g., `roles/secretmanager.admin` or a combination of
get/create/update/delete/list permissions).
Important notes:
- Deletion removes the entire secret resource, including all versions, not just the latest.
- `set` creates the Secret and first version; if the Secret already exists, it errors (AlreadyExists). Use `update` to
add a new version.
- `get` returns the latest version; older versions remain unless you delete the secret.
## Run Configurations
Run configurations (or "profiles") tell `gman` how to inject secrets into a command. Three modes of secret injection are
@@ -403,35 +462,6 @@ Then, all you need to do to run `managarr` with the secrets injected is:
gman managarr
```
### Provider: `aws_secrets_manager`
The `aws_secrets_manager` provider stores secrets in AWS Secrets Manager using the official AWS Rust SDK.
- Requires two fields: `aws_profile` and `aws_region`.
- Uses the shared AWS config/credentials files under the named profile to authenticate.
- Implements: `get`, `set`, `update`, `delete`, and `list`.
Configuration example:
```yaml
default_provider: aws
providers:
- name: aws
type: aws_secrets_manager
aws_profile: default # Name from your ~/.aws/config and ~/.aws/credentials
aws_region: us-east-1 # Region where your secrets live
```
Important notes:
- Deletions are immediate: the provider calls `DeleteSecret` with `force_delete_without_recovery = true`, so there is no
recovery window. If you need a recovery window, do not delete via `gman`.
- `add` uses `CreateSecret`. If the secret already exists, AWS returns an error. Use `update` to change an existing
secret value.
- IAM permissions: ensure the configured principal has `secretsmanager:GetSecretValue`, `CreateSecret`, `UpdateSecret`,
`DeleteSecret`, and `ListSecrets` for the relevant region and ARNs.
- Credential resolution: the provider explicitly selects the given `aws_profile` and `aws_region` via the AWS config
loader; it does not fall back to other profiles or env-only defaults.
## Detailed Usage
### Storing and Managing Secrets