by manigandham
3200 days ago
Google actually has a technical how-to here: https://cloud.google.com/kms/docs/store-secrets and in-depth solution architecture here: https://cloud.google.com/kms/docs/secret-management

Key Management Service creates and maintains private keys for you and provides an API to easily encrypt or decrypt some data. Basically call method KMS.Decrypt("name_of_key_to_use", <bytes>) and get back decrypted content. Secrets are simple text files encrypted with KMS and stored in a private storage bucket. For example we have something like "database-secrets.dev.json.encrypted". We have a small library that took a day to write, used in all of our projects, that does the following on startup: open private storage bucket, download encrypted file, call the KMS API, decrypt the file, and parse the raw contents as JSON. Now the app has the secrets in memory to be used anywhere. No infrastructure required, nothing on disk, and this is universally accessible whether inside Google Cloud or on a local machine. Takes under 1 second when running in the cloud. I don't think I can do better than the documentation but let me know if you have any questions.
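The startup flow described in the comment above (download the encrypted blob, hand it to KMS, parse the JSON in memory), as an added illustration that is not the commenter's library or Google's sample code. The two cloud calls are injected as callables so the loader runs offline against a constructed fake KMS; the key name, bucket and object path are placeholders, and the real client wiring in the closing comment is an assumption, not exercised here. It goes one step beyond the comment by binding each ciphertext to its storage path as additional authenticated data, so a blob moved to another path or environment fails to decrypt instead of silently loading the wrong secrets.

```python
import json
from typing import Callable, Dict, Tuple

def load_secrets(bucket: str, object_name: str, key_name: str,
                 download: Callable[[str, str], bytes],
                 decrypt: Callable[[str, bytes, bytes], bytes]) -> dict:
    """Startup path: fetch the encrypted blob, decrypt it via KMS, parse JSON in memory.
    Assumption: the two cloud calls are injected so this runs offline against fakes."""
    ciphertext = download(bucket, object_name)
    # Bind the ciphertext to its storage path as additional authenticated data:
    # a blob copied to another path or environment then fails to decrypt.
    aad = f"{bucket}/{object_name}".encode()
    secrets = json.loads(decrypt(key_name, ciphertext, aad))
    if not isinstance(secrets, dict):
        raise ValueError("secrets file must be a JSON object")
    return secrets

class FakeKms:
    """Offline stand-in for KMS (constructed): opaque tokens plus key-name and AAD checks."""
    def __init__(self) -> None:
        self._vault: Dict[Tuple[str, bytes], Tuple[bytes, bytes]] = {}

    def encrypt(self, key_name: str, plaintext: bytes, aad: bytes) -> bytes:
        token = f"enc:{len(self._vault)}".encode()
        self._vault[(key_name, token)] = (plaintext, aad)
        return token

    def decrypt(self, key_name: str, ciphertext: bytes, aad: bytes) -> bytes:
        entry = self._vault.get((key_name, ciphertext))
        if entry is None:  # wrong key or ciphertext: the KMS call is denied
            raise PermissionError("decrypt denied for " + key_name)
        plaintext, bound_aad = entry
        if bound_aad != aad:  # AAD mismatch: the integrity check fails
            raise ValueError("ciphertext is not bound to this path")
        return plaintext

def demo() -> dict:
    """Round-trip a constructed dev secrets file through a fake bucket and the fake KMS."""
    key = "projects/PROJECT/locations/global/keyRings/app/cryptoKeys/secrets"  # placeholder
    bucket, obj = "my-private-bucket", "database-secrets.dev.json.encrypted"
    kms = FakeKms()
    blob = kms.encrypt(key, b'{"db_password": "example-only"}', f"{bucket}/{obj}".encode())
    fake_bucket = {(bucket, obj): blob}
    return load_secrets(bucket, obj, key, lambda b, o: fake_bucket[(b, o)], kms.decrypt)

# Real wiring (assumption, not exercised here):
#   download = lambda b, o: storage.Client().bucket(b).blob(o).download_as_bytes()
#   decrypt = lambda k, ct, aad: kms_client.decrypt(request={"name": k,
#       "ciphertext": ct, "additional_authenticated_data": aad}).plaintext
```

In production, the KMS key's IAM policy decides which service account may call decrypt at all; the AAD check only catches a ciphertext that was moved between paths or environments.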
https://aws.amazon.com/kms/
You can limit access to the keys based on IAM instance profiles. So that only certain instances can access specific credentials.