Awesome
GCP Secret Manager Hush Provider
This package provides a Hush Provider to resolve Google Cloud Platform's Secret Manager secrets.
Documentation can be found at https://hexdocs.pm/hush_gcp_secret_manager.
Installation
The package can be installed by adding hush_gcp_secret_manager
to your list
of dependencies in mix.exs
:
def deps do
[
{:hush, "~> 1.0"},
{:hush_gcp_secret_manager, "~> 1.1"}
]
end
This module relies on goth
to fetch secrets from the Google Cloud Platform API. As such you need to configure goth which is used in hush_gcp_secret_manager
, the configuration is the same as if you were to configure a child_spec as per their documentation.
As the provider needs to start both applications, it needs to registered as a provider in hush
, so that it gets loaded during startup.
# config/config.exs
alias Hush.Provider.GcpSecretManager
# ensure hush loads GcpSecretManager during startup
config :hush,
providers: [GcpSecretManager]
config :hush_gcp_secret_manager,
project_id: "my_project_id",
goth: [name: MyApp.Goth, source: ...],
goth_timeout: 5_000 # milliseconds
GCP Authorization
In order to retrieve secrets from GCP, ensure the service account you use has the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor
).
Usage
The following example reads the password and the pool size for CloudSQL from secret manager into the ecto repo configuration.
# config/prod.exs
alias Hush.Provider.GcpSecretManager
config :app, App.Repo,
password: {:hush, GcpSecretManager, "CLOUDSQL_PASSWORD"},
pool_size: {:hush, GcpSecretManager, "ECTO_POOL_SIZE", cast: :integer, default: 10}
License
Hush is released under the Apache License 2.0 - see the LICENSE file.