Home

Awesome

GCP Secret Manager Hush Provider

Build Status Coverage Status hex.pm version hex.pm downloads

This package provides a Hush Provider to resolve Google Cloud Platform's Secret Manager secrets.

Documentation can be found at https://hexdocs.pm/hush_gcp_secret_manager.

Installation

The package can be installed by adding hush_gcp_secret_manager to your list of dependencies in mix.exs:

def deps do
  [
    {:hush, "~> 1.0"},
    {:hush_gcp_secret_manager, "~> 1.1"}
  ]
end

This module relies on goth to fetch secrets from the Google Cloud Platform API. As such you need to configure goth which is used in hush_gcp_secret_manager, the configuration is the same as if you were to configure a child_spec as per their documentation.

As the provider needs to start both applications, it needs to registered as a provider in hush, so that it gets loaded during startup.

# config/config.exs

alias Hush.Provider.GcpSecretManager

# ensure hush loads GcpSecretManager during startup
config :hush,
  providers: [GcpSecretManager]

config :hush_gcp_secret_manager,
  project_id: "my_project_id",
  goth: [name: MyApp.Goth, source: ...],
  goth_timeout: 5_000 # milliseconds

GCP Authorization

In order to retrieve secrets from GCP, ensure the service account you use has the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor).

Usage

The following example reads the password and the pool size for CloudSQL from secret manager into the ecto repo configuration.

# config/prod.exs

alias Hush.Provider.GcpSecretManager

config :app, App.Repo,
  password: {:hush, GcpSecretManager, "CLOUDSQL_PASSWORD"},
  pool_size: {:hush, GcpSecretManager, "ECTO_POOL_SIZE", cast: :integer, default: 10}

License

Hush is released under the Apache License 2.0 - see the LICENSE file.