{"id":73253,"date":"2025-08-27T12:54:32","date_gmt":"2025-08-27T07:24:32","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=73253"},"modified":"2025-08-27T15:47:06","modified_gmt":"2025-08-27T10:17:06","slug":"guide-to-using-secret-manager-with-gke-csi-driver","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/guide-to-using-secret-manager-with-gke-csi-driver\/","title":{"rendered":"A Step-by-Step Guide to Using Secret Manager with GKE and CSI Driver"},"content":{"rendered":"<p><span style=\"text-decoration: underline;\"><strong>Introduction<\/strong><\/span><\/p>\n<p>Managing sensitive information such as API keys, credentials and configuration secrets is an important part of developing safe and reliable Skylands applications. In the Google Cloud ecosystem, Secret Manager provides a centralized and safe way to store, access and manage these secrets. When running applications on Google Kubernetes Engine (GKE), integrating Secret Manager ensures that your workloads can access secrets securely without hard-coding them into your containers or codebase.<\/p>\n<p><strong><span style=\"text-decoration: underline;\">Objective<\/span> :-<\/strong><\/p>\n<p>The objective of this blog is to provide a comprehensive guide to implementing Secret Manager with the Secret Manager provider for the Secrets Store Container Storage Interface (CSI) Driver within a Google Kubernetes Engine (GKE) cluster. Through this blog we will understand the integration of Secret Manager in GKE by securely managing and accessing sensitive information, such as secrets and credentials.<\/p>\n<div id=\"attachment_73783\" style=\"width: 635px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-73783\" decoding=\"async\" loading=\"lazy\" class=\"size-large wp-image-73783\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-3.08.27\u202fPM-1024x367.png\" alt=\"Managing secrets through secret manager\" width=\"625\" height=\"224\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-3.08.27\u202fPM-1024x367.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-3.08.27\u202fPM-300x108.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-3.08.27\u202fPM-768x275.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-3.08.27\u202fPM-1536x551.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-3.08.27\u202fPM-624x224.png 624w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-3.08.27\u202fPM.png 1958w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><p id=\"caption-attachment-73783\" class=\"wp-caption-text\">Managing secrets through secret manager<\/p><\/div>\n<p><span style=\"text-decoration: underline;\"><strong>What is Secret Manager?<\/strong><\/span><\/p>\n<p>Secret Manager is a secure and centralized service on Google Cloud designed to store sensitive information such as API keys, passwords, and certificates. It simplifies the management, access, and auditing of secrets across your cloud environment, helping you keep critical data safe and organized.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Why use Secret Manager?<\/strong><\/span><\/p>\n<p><strong>1. Security:<\/strong> Secrets are encrypted at rest using Google-managed or customer-managed encryption keys (CMEK).<br \/>\n<strong>2. Centralised Secret Management:<\/strong> Google Cloud Secret Manager stores secrets securely in one central place.<br \/>\n<strong>3. Workload Identity-Based Access Control:<\/strong> GKE workloads can access secrets securely through Workload Identity, without service account keys.<br \/>\n<strong>4. Versioning &amp; Rotation:<\/strong> Secrets are versioned, so you can update and roll back securely.<br \/>\n<strong>5. Integration with CI\/CD Pipelines:<\/strong> Integrates with Cloud Build, GitHub Actions, or other CI\/CD tools to inject secrets during build or deployment.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Secret Manager Setup<\/strong><\/span><strong> :-<\/strong><\/p>\n<p><strong>1. Create a GKE cluster :-<\/strong> Create a GKE cluster via the console, Terraform, or the CLI.<\/p>\n<div id=\"attachment_72660\" style=\"width: 635px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-72660\" decoding=\"async\" loading=\"lazy\" class=\"size-large wp-image-72660\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-06-09-12-11-05-1024x571.png\" alt=\"Cluster creation\" width=\"625\" height=\"349\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-06-09-12-11-05-1024x571.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-06-09-12-11-05-300x167.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-06-09-12-11-05-768x428.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-06-09-12-11-05-1536x856.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-06-09-12-11-05-624x348.png 624w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-06-09-12-11-05.png 1726w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><p id=\"caption-attachment-72660\" class=\"wp-caption-text\">GKE Cluster<\/p><\/div>\n<p><strong>2. Turn on the Secret Manager add-on :- <\/strong>Be sure to enable the Secret Manager add-on when setting up the GKE cluster. The add-on lets Kubernetes pods access secrets kept in Secret Manager as mounted volumes.<\/p>\n<div id=\"attachment_72671\" style=\"width: 635px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-72671\" decoding=\"async\" loading=\"lazy\" class=\"size-large wp-image-72671\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-14-27-1-1024x571.png\" alt=\"GKE Cluster add-on\" width=\"625\" height=\"349\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-14-27-1-1024x571.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-14-27-1-300x167.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-14-27-1-768x428.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-14-27-1-1536x856.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-14-27-1-624x348.png 624w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-14-27-1.png 1845w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><p id=\"caption-attachment-72671\" class=\"wp-caption-text\">GKE Cluster add-ons<\/p><\/div>\n<p><strong>3. Verify the Secrets Store CSI Driver installation after enabling the add-on :-<\/strong> Confirm that the installation has finished with the kubectl get pods command, which should list the csi-secrets-store-gke and csi-secrets-store-provider-gke pods in the kube-system namespace.<\/p>\n<div id=\"attachment_72665\" style=\"width: 896px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-72665\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-72665\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-27-40.png\" alt=\"CSI Secret Pods\" width=\"886\" height=\"108\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-27-40.png 886w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-27-40-300x37.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-27-40-768x94.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/06\/Screenshot-from-2025-05-28-16-27-40-624x76.png 624w\" sizes=\"(max-width: 886px) 100vw, 886px\" \/><p id=\"caption-attachment-72665\" class=\"wp-caption-text\">CSI Secret Pods<\/p><\/div>\n<p><strong>4. Create secrets in Secret Manager :-<\/strong> Secrets were created in Secret Manager through the GCP Console to store private information such as passwords and API keys safely and to guard against unwanted access. Secret versions are created to handle updates cleanly and preserve a history of changes.<\/p>\n<div id=\"attachment_73760\" style=\"width: 978px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-73760\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-73760\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.14.05\u202fPM.png\" alt=\"Secrets in secret manager\" width=\"968\" height=\"398\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.14.05\u202fPM.png 968w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.14.05\u202fPM-300x123.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.14.05\u202fPM-768x316.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.14.05\u202fPM-624x257.png 624w\" sizes=\"(max-width: 968px) 100vw, 968px\" \/><p id=\"caption-attachment-73760\" class=\"wp-caption-text\">Secrets in secret manager<\/p><\/div>\n<div id=\"attachment_73763\" style=\"width: 986px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-73763\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-73763\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.18.28\u202fPM.png\" alt=\"Secret Version\" width=\"976\" height=\"376\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.18.28\u202fPM.png 976w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.18.28\u202fPM-300x116.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.18.28\u202fPM-768x296.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-12.18.28\u202fPM-624x240.png 624w\" sizes=\"(max-width: 976px) 100vw, 976px\" \/><p id=\"caption-attachment-73763\" class=\"wp-caption-text\">Secret Version<\/p><\/div>\n<p><strong>5. Create a SecretProviderClass 
:-<\/strong> To specify how secrets from Secret Manager are accessed and mounted into your Kubernetes pods, create a SecretProviderClass using the YAML below.<\/p>\n<pre><strong>secretproviderclass.yaml :-<\/strong>\r\n\r\napiVersion: secrets-store.csi.x-k8s.io\/v1\r\nkind: SecretProviderClass\r\nmetadata:\r\n  name: dev-secret-provider\r\n  namespace: dev\r\nspec:\r\n  provider: gke\r\n  parameters:\r\n    # Secret Manager versions to mount, and the file name each one is written to\r\n    secrets: |\r\n      - resourceName: \"projects\/954514138689\/secrets\/DB_USER\/versions\/1\"\r\n        fileName: \"DB_USER\"\r\n      - resourceName: \"projects\/954514138689\/secrets\/DB_PASSWORD\/versions\/1\"\r\n        fileName: \"DB_PASSWORD\"\r\n  # Optional: sync the mounted files into a Kubernetes Secret named dev-secrets\r\n  secretObjects:\r\n  - secretName: dev-secrets\r\n    type: Opaque\r\n    data:\r\n    - objectName: \"DB_USER\"\r\n      key: \"DB_USER\"\r\n    - objectName: \"DB_PASSWORD\"\r\n      key: \"DB_PASSWORD\"<\/pre>\n<p><strong>6. Apply the SecretProviderClass YAML :-<\/strong> Apply the SecretProviderClass YAML to the GKE cluster with the following command.<\/p>\n<pre>kubectl apply -f secretproviderclass.yaml<\/pre>\n<p><strong><em>Note :- <\/em><\/strong><br \/>\n<em>1. There is no need to create the Kubernetes Secret object separately. It is created automatically when you create a pod that uses the CSI driver volume.<\/em><br \/>\n<em>2. The secretObjects block in the above YAML is optional and is only needed if you want to synchronize the mounted content with a Kubernetes Secret. Without this block, the Secret Manager objects are still mounted into the pod.<\/em><\/p>\n<p><strong>7. Give permission to the CSI driver :-<\/strong> Grant the Secrets Store CSI driver a ClusterRole and ClusterRoleBinding so that it can create and update the Kubernetes Secrets.<\/p>\n<pre><strong>secret-store-rbac.yaml :-<\/strong>\r\n\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: ClusterRole\r\nmetadata:\r\n  name: secrets-store-csi-secrets-access\r\nrules:\r\n# Only the verbs the driver needs to create and keep synced Secrets up to date\r\n- apiGroups: [\"\"]\r\n  resources: [\"secrets\"]\r\n  verbs: [\"get\", \"list\", \"watch\", \"create\", \"patch\"]\r\n\r\n---\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: ClusterRoleBinding\r\nmetadata:\r\n  name: secrets-store-csi-secrets-access-binding\r\nsubjects:\r\n# Service account used by the GKE-managed Secrets Store CSI driver\r\n- kind: ServiceAccount\r\n  name: secrets-store-csi-driver-gke\r\n  namespace: kube-system\r\nroleRef:\r\n  kind: ClusterRole\r\n  name: secrets-store-csi-secrets-access\r\n  apiGroup: rbac.authorization.k8s.io\r\n<\/pre>\n<p><strong>8. Set environment variables that reference the Kubernetes Secret :- <\/strong>Create a deployment.yaml for GKE that mounts the CSI volume and references the synced Kubernetes Secret from environment variables.<br \/>\nBelow is an example of the deployment.<\/p>\n<div id=\"attachment_73770\" style=\"width: 954px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-73770\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-73770\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM.png\" alt=\"Example of Gke deployment.yaml \" width=\"944\" height=\"932\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM.png 944w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM-300x296.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM-768x758.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM-624x616.png 624w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM-24x24.png 24w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM-48x48.png 48w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.08.47\u202fPM-96x96.png 96w\" sizes=\"(max-width: 944px) 100vw, 944px\" \/><p id=\"caption-attachment-73770\" class=\"wp-caption-text\">Example of Gke deployment.yaml<\/p><\/div>\n<p><strong>9. Create the service file :-<\/strong> Create a service.yaml file to expose your deployment and allow network access to the application, then apply both files with the following commands.<\/p>\n<div id=\"attachment_73773\" style=\"width: 912px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-73773\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-73773\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.19.00\u202fPM.png\" alt=\"service.yaml\" width=\"902\" height=\"554\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.19.00\u202fPM.png 902w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.19.00\u202fPM-300x184.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.19.00\u202fPM-768x472.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.19.00\u202fPM-624x383.png 624w\" sizes=\"(max-width: 902px) 100vw, 902px\" \/><p id=\"caption-attachment-73773\" class=\"wp-caption-text\">service.yaml<\/p><\/div>\n<pre>kubectl apply -f deployment.yaml\r\nkubectl apply -f service.yaml<\/pre>\n<p><strong>10. Verify the Kubernetes secrets :- <\/strong>After applying the deployment and service, verify that the CSI driver created the Kubernetes Secret with the following command.<\/p>\n<pre>kubectl get secrets -n dev<\/pre>\n<div id=\"attachment_73775\" style=\"width: 910px\" class=\"wp-caption alignnone\"><img aria-describedby=\"caption-attachment-73775\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-73775\" src=\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.25.30\u202fPM.png\" alt=\"Kubernetes Secrets\" width=\"900\" height=\"82\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.25.30\u202fPM.png 900w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.25.30\u202fPM-300x27.png 300w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.25.30\u202fPM-768x70.png 768w, \/blog\/wp-ttn-blog\/uploads\/2025\/07\/Screenshot-2025-07-31-at-2.25.30\u202fPM-624x57.png 624w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><p id=\"caption-attachment-73775\" class=\"wp-caption-text\">Kubernetes Secrets<\/p><\/div>\n<p><strong><span style=\"text-decoration: underline;\">Conclusion<\/span> :-<\/strong><\/p>\n<p>In conclusion, maintaining the security and integrity of your Google Kubernetes Engine applications depends heavily on efficient secret management. Organisations can greatly lower the risk of sensitive data exposure by utilising GKE&#8217;s built-in features, like Kubernetes Secrets, and integrating with reliable services like Google Cloud Secret Manager. By putting the strategies discussed here into practice, from appropriate secret creation and distribution to strong access controls and frequent rotation, developers and operations teams can build and run secure, resilient applications in the GKE environment with confidence.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Managing sensitive information such as API keys, credentials and configuration secrets is an important part of developing safe and reliable Skylands applications. In the Google Cloud ecosystem, Secret Manager provides a centralized and safe way to store, access and manage these secrets. When running applications on Google Kubernetes Engine (GKE), integrating Secret Manager ensures that [&hellip;]<\/p>\n","protected":false},"author":1959,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":751},"categories":[2348],"tags":[1892,6362],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/73253"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1959"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=73253"}],"version-history":[{"count":25,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/73253\/revisions"}],"predecessor-version":[{"id":74348,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/73253\/revisions\/74348"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=73253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=73253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=73253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}