Google Cloud moves to ‘single source of truth’ with Secret Manager

Google Cloud has revealed a new tool to help partners and customers manage, access and audit data across its platform.

Named the Secret Manager, the tool aims to provide a single source of truth to store and manage API keys, passwords, certificates and other sensitive data. The new tool is now in beta and available to all Google Cloud customers.

According to Google Cloud, Secret Manager will alleviate issues of “secret sprawl” across cloud environments due to applications needing credentials to connect to a database or API keys to invoke a service and certificates for authentication. 

Revealed in a blog post, the tool will offer automatic and user-managed replication policies and version secret pinning. 

Security features include audit logging, with logs integrated into anomaly detection systems to spot abnormal access patterns, plus TLS encryption in transit and resting at AES-256-bit encryption keys.

In addition, Secret Manager will include VPC Service Control and allow only project owners have permissions to access secrets.

Google Cloud also claimed the tool will address the “pain point” of regionalisation “even though credentials like API keys or certificates rarely differ across cloud regions”.

“While secret names are global, the secret data is regional,” the blog post said. “Some enterprises want full control over the regions in which their secrets are stored, while others do not have a preference.

"Secret Manager addresses both of these customer requirements and preferences with replication policies.”