Storing Secrets on GCP

Posted by Timothy on 27.06.2022

secrets devops GCP OpenSource Nuget configuration

Distributing secrets (such as API keys and connection strings) is a common task for web applications and their development teams.

Google Cloud Platform (GCP) provides a managed service, Secret Manager, for storing secrets securely: every secret is a versioned resource, and read access is granted per project or per secret through IAM. This lets the team focus on the application itself rather than on building its own secret storage, access control and rotation process.

But how do we get those secrets out of GCP and into the application, both on a developer's machine and from a service running in the cloud?

We mostly use C# in the backend, so we wrote an open-source package that injects the secrets into Microsoft.Extensions.Configuration, where they can be read through the same IConfiguration API as the rest of the application's settings. The package is called Neolution.Extensions.Configuration.GoogleSecrets; the source can be found on GitHub, and it is published as a NuGet package.

Cloud Usage

If your service runs on a GCP service (for example Cloud Run, GKE or Compute Engine), the Google client libraries pick up the credentials of the service account attached to that workload automatically via Application Default Credentials, so you don't have to configure authentication yourself. Authorisation still has to be granted: the attached service account needs permission to read the secrets, ideally only roles/secretmanager.secretAccessor on the environment's project (or on the individual secrets) rather than a broad editor role. With that in place you can simply use the Neolution.Extensions.Configuration.GoogleSecrets package in the Program.cs file.

For example:

    using Microsoft.Extensions.Hosting;
    // Namespace of the AddGoogleSecrets extension method; assumed to match the package name.
    using Neolution.Extensions.Configuration.GoogleSecrets;

    public static IHostBuilder CreateHostBuilder(string[] args)
    {
        return Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((_, configuration) =>
            {
                // Reads the secrets of the given project and adds them as a configuration source.
                configuration.AddGoogleSecrets(options =>
                {
                    options.ProjectName = "your-project-id";
                });
            });
    }
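To show what such a configuration source actually has to do (list the secrets of one project, fetch the latest version of each, and expose them under configuration keys), here is an added example written for this page. It is not the Neolution package's code: it calls the official Google.Cloud.SecretManager.V1 client directly, the class and method names are made up, and the mapping of "__" in a secret ID to ":" in the configuration key is an assumption borrowed from the environment-variable convention of Microsoft.Extensions.Configuration, not necessarily what the package does.

```csharp
// Added example, not the Neolution package's implementation.
// Assumes the NuGet packages Google.Cloud.SecretManager.V1 and
// Microsoft.Extensions.Configuration; project IDs and secret names are made up.
using System;
using System.Collections.Generic;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.SecretManager.V1;
using Grpc.Core;
using Microsoft.Extensions.Configuration;

public sealed class SecretManagerConfigurationSource : IConfigurationSource
{
    public string ProjectId { get; init; } = "";

    public IConfigurationProvider Build(IConfigurationBuilder builder)
        => new SecretManagerConfigurationProvider(ProjectId);
}

public sealed class SecretManagerConfigurationProvider : ConfigurationProvider
{
    private readonly string projectId;

    public SecretManagerConfigurationProvider(string projectId) => this.projectId = projectId;

    // Secret Manager IDs cannot contain ':', so the environment-variable convention is
    // reused (assumption): the secret "ConnectionStrings__Default" becomes the
    // configuration key "ConnectionStrings:Default".
    public static string ToConfigurationKey(string secretId)
        => secretId.Replace("__", ConfigurationPath.KeyDelimiter);

    public override void Load()
    {
        // Credentials come from Application Default Credentials: the attached service
        // account inside GCP, or gcloud / GOOGLE_APPLICATION_CREDENTIALS on a dev machine.
        // The identity only needs roles/secretmanager.secretAccessor on this project.
        SecretManagerServiceClient client = SecretManagerServiceClient.Create();
        var data = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);

        foreach (Secret secret in client.ListSecrets(new ProjectName(projectId)))
        {
            string secretId = secret.SecretName.SecretId;
            var versionName = new SecretVersionName(projectId, secretId, "latest");
            try
            {
                AccessSecretVersionResponse response = client.AccessSecretVersion(versionName);
                data[ToConfigurationKey(secretId)] = response.Payload.Data.ToStringUtf8();
            }
            catch (RpcException e) when (e.StatusCode is StatusCode.NotFound or StatusCode.FailedPrecondition)
            {
                // A secret without any version, or whose latest version is disabled or
                // destroyed, is skipped instead of failing application start-up.
            }
        }

        Data = data;
    }
}

public static class SecretManagerConfigurationExtensions
{
    public static IConfigurationBuilder AddSecretManager(this IConfigurationBuilder builder, string projectId)
        => builder.Add(new SecretManagerConfigurationSource { ProjectId = projectId });
}

public static class Demo
{
    // One GCP project per environment; the project ID is the only thing that differs
    // between staging and production, the code path is identical.
    public static string? ReadDefaultConnectionString()
    {
        string projectId = Environment.GetEnvironmentVariable("GCP_PROJECT_ID") ?? "my-app-staging";
        IConfiguration config = new ConfigurationBuilder()
            .AddSecretManager(projectId)
            .Build();
        return config["ConnectionStrings:Default"];
    }
}
```

Note that Load() pulls every secret the identity can list; if the service account is granted the accessor role on only the secrets it needs, the loop silently yields just those, which is the least-privilege setup you want in production.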

Local Usage

If you want to use the secrets locally, you have two options.

  1. Use the gcloud command line tool to log in to your GCP account and set the application default credentials:

    gcloud auth login
    gcloud auth application-default login

    The first command authenticates the gcloud CLI itself; the second writes an application default credentials file that the Google client libraries pick up automatically. Your user account needs read access to the secrets of the environment's project (roles/secretmanager.secretAccessor is enough). Now you can use the Neolution.Extensions.Configuration.GoogleSecrets package exactly as described above, with no code changes.

  2. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of a credentials file, for example a service account JSON key file. Be aware that such a key is a long-lived credential: keep it outside the repository, never commit it, and prefer option 1 for day-to-day development. More information can be found in Google's documentation on application default credentials.

With these two approaches it's easy to manage secrets both locally and in the cloud. Gone are the days when we had to share secrets manually across teams. Managing permissions is also straightforward, because we create a separate GCP project for each environment (production, staging, and so on): access to an environment's secrets is granted by giving a user or service account the Secret Manager accessor role on that environment's project, so a developer who can read the staging secrets does not automatically get access to the production ones.