0

I have a Google Cloud Compute Engine Instance Template with a Startup Script.

In the startup script the server generates a certificate. After generating the certificate it sends a message to an API to tell a central system about the certificate. The request looks like this:

curl --location "https://my-side.com/hello?hostname=$hostname" \
  --header 'Authorization: SUPER_SECRET_API_KEY'

The API key is stored as raw text in the Startup Script. Is this OK, or should it be moved to, for example, a secret store? If so, then how can I read the API key in the Startup Script?

2 Answers

0

In GCP, it is recommended to store secrets, in this case the secret API keys, in Google Secret Manager (GSM):

  1. Create a secret in GSM
  2. Upload API key to GSM
  3. Grant the service account associated with the compute engine IAM access to the secret - the role is secretmanager.secretAccessor
  4. Modify your startup script to pull the API key from GSM, assign it to a variable, say API_KEY_VAR, and pass that to curl as below:
curl --location "https://my-side.com/hello?hostname=$hostname" \
  --header "Authorization: $API_KEY_VAR"

You can use the gcloud secrets versions access command to pull the secret.
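A startup-script fragment that follows the steps above, added here as an example and not part of the answer: it fetches the key with gcloud (preinstalled on Google-provided images) under the instance's service account, and feeds the header to curl through a config on stdin so the key never appears on the command line or in the serial-console log. The secret name my-side-api-key is an assumption; the endpoint is the one from the question.

```shell
#!/bin/bash
# Added example: startup script that reads the API key from Secret Manager at
# boot instead of embedding it in the instance template. Do not enable set -x
# here: startup-script output is written to the serial console and journal.
set -eu

SECRET_NAME="${SECRET_NAME:-my-side-api-key}"     # assumed secret name
API_URL="${API_URL:-https://my-side.com/hello}"   # endpoint from the question

# Pull the latest secret version with the attached service account. The account
# needs roles/secretmanager.secretAccessor on this secret (and nothing wider).
fetch_api_key() {
    gcloud secrets versions access latest --secret="$SECRET_NAME"
}

# Emit a curl config on stdout. Passing the header via "--config -" keeps the
# key out of argv, which any local process could otherwise read from /proc.
build_curl_config() {
    printf 'url = "%s?hostname=%s"\nheader = "Authorization: %s"\n' \
        "$API_URL" "$1" "$2"
}

# Register the freshly generated certificate with the central system.
# $1 is the hostname to report (defaults to the instance hostname).
register_certificate() {
    local host api_key
    host="${1:-$(hostname)}"
    api_key="$(fetch_api_key)"
    # The key lives only in this local variable and the pipe to curl.
    build_curl_config "$host" "$api_key" \
        | curl --location --silent --show-error --config -
}

# At the end of the real startup script, call: register_certificate
```

If the service account lacks the accessor role, fetch_api_key fails and set -e aborts the script before curl runs, which is the failure mode you want rather than a request carrying an empty header.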

0

Always store the API keys in environment variables. Please use the commands below for the same:

For linux:

export API_KEY="your_secret_key_here"

For windows:

set API_KEY=your_secret_key_here

(Ensure all these commands are executed before your application starts.)

Also, you can use Secret Manager, which is helpful for storing and accessing API keys; please refer to the official GCP documentation to know more about Secret Manager.

Additionally, you can check these documents for more detailed information. Please let us know if the above information is helpful.

3
  • Thank you for the suggestion, but this is an Instance Template. So exporting the API key inside the Instance Template does not make any sense, as it would still be present in the Instance Template. Commented Jun 30, 2024 at 10:54
  • Try using the key vault as another option. Basically, Vault provides authentication and authorization-based gated encryption services. Access to secrets and other sensitive data can be securely stored, managed, tightly controlled (restricted), and auditable through the UI, CLI, or HTTP API of Vault. Refer to this documentation for more information. Commented Jul 2, 2024 at 11:40
  • You can also go through this official GCP document on How to dynamically generate GCP IAM credentials with a new HashiCorp Vault secrets engine for more details. Commented Jul 2, 2024 at 11:41
