
Use Secrets Manager for Managing Secrets in Google Cloud Functions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

To prevent unauthorized access or accidental exposure of sensitive information, ensure that the Secret Manager service is used to store and manage secrets instead of storing them in cleartext within Cloud Functions environment variables.

Security

Cloud Functions environment variables are not a secrets store. Their values are shown in cleartext to any principal who can view the function's configuration (for example through the Cloud Functions console, gcloud functions describe, or the Cloud Functions API), they cannot be protected or audited individually, and they have no versioning or rotation, so rotating a leaked key means editing and redeploying every function that carries it. Google Cloud Secret Manager addresses each of these points: secret payloads are encrypted at rest (with Google-managed keys or your own customer-managed key) and in transit, access is granted per secret through IAM roles such as Secret Manager Secret Accessor, every read can be recorded in Cloud Audit Logs (Data Access logs for Secret Manager must be enabled explicitly), and secrets are versioned so they can be rotated without touching the function configuration when the function references the latest version. Cloud Functions can expose a Secret Manager secret to the code as an environment variable or as a mounted file, so the code keeps reading a variable or a file while the secret value never appears in the function's configuration.


Audit

To determine if Cloud Functions environment variables are configured to store secret information, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Cloud Functions console available at https://console.cloud.google.com/functions.

04 Click on the name (link) of the Google Cloud function that you want to examine.

05 Select the VARIABLES tab and examine the environment variables listed in the Runtime environment variables and Build environment variables sections to determine if any of them store secret information such as access keys, API keys, user passwords, database credentials, access tokens, connection strings with embedded credentials, or other sensitive configuration settings. If the environment variables defined for the selected Google Cloud function contain secret or sensitive information, the function configuration is neither secure nor compliant. A variable that is populated from a Secret Manager reference shows only the secret name and version, not a value, and is compliant.

06 Repeat steps no. 4 and 5 for each Google Cloud function deployed within the selected GCP project.

07 Repeat steps no. 2 – 6 for each project available in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

03 Run functions list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name of each serverless function deployed within the selected project:

gcloud functions list \
  --project cc-web-app-project-112233 \
  --format="table(name)"

04 The command output should return the requested function identifier(s):

NAME
cc-worker-function
cc-project5-function

05 Run functions describe command (Windows/macOS/Linux) using the name of the function that you want to examine as the identifier parameter, together with the function's project and region, and custom filters to describe the runtime and build environment variables defined for the selected function:

gcloud functions describe cc-worker-function \
  --project cc-web-app-project-112233 \
  --region us-central1 \
  --format="json(serviceConfig.environmentVariables,buildConfig.environmentVariables)"

The region "us-central1" is an example; use the region in which the function is deployed (the REGION column of the unfiltered gcloud functions list output). The serviceConfig and buildConfig paths are the Cloud Functions v2 resource layout that current gcloud releases return for both 1st gen and 2nd gen functions; if your gcloud release still returns the v1 layout, the equivalent fields are environmentVariables and buildEnvironmentVariables.

06 The command output should return the requested key/value pairs (i.e. runtime and build environment variables):

{
    "serviceConfig": {
        "environmentVariables": {
            "CC_API_KEY": "ABCD1234ABCD1234ABCD1234"
        }
    },
    "buildConfig": {
        "environmentVariables": {
            "CC_BUILD_VER": "2.4"
        }
    }
}

Check the key/value pairs returned by the functions describe command output to determine if your environment variables are storing secret information such as access keys, API keys, user passwords, database credentials, access tokens, connection strings with embedded credentials, and other sensitive configuration settings. If the environment variables configured for the selected Google Cloud function contain secret and/or sensitive information, the function configuration is neither secure nor compliant. Variables that are already backed by Secret Manager are reported under serviceConfig.secretEnvironmentVariables and serviceConfig.secretVolumes rather than in the output above; they carry only the secret name and version, not the value, and are compliant.

07 Repeat steps no. 5 and 6 for each Google Cloud function deployed within the selected GCP project.

08 Repeat steps no. 3 – 7 for each project created within your Google Cloud Platform (GCP) account.
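The audit above is manual, one function at a time. The following Python script is an added example, not code from the original article or from the Conformity product, that applies the same check across a whole project: scan_env_vars runs offline on the JSON that gcloud functions describe returns (the v2 serviceConfig/buildConfig layout or the older v1 top-level fields) and flags variables whose name or value looks like a credential, and audit_project shells out to gcloud to describe every function in a project. The project, function and variable names, the sample JSON and the detection heuristics (name patterns, value patterns, an entropy threshold) are assumptions for illustration; tune them to your environment.

```python
"""Scan Cloud Functions environment variables for values that look like secrets.

Added example, not code from the original article or from Conformity.
scan_env_vars() works offline on `gcloud functions describe --format=json`
output; audit_project() calls gcloud and is only reached when run directly.
"""
import json
import math
import re
import subprocess
import sys

# Variable names that usually carry a credential (heuristic, case-insensitive).
SUSPICIOUS_NAME = re.compile(
    r"secret|passw(or)?d|token|api[_-]?key|private[_-]?key|credential",
    re.IGNORECASE,
)

# Value shapes with a recognisable structure, checked in this order.
SUSPICIOUS_VALUE = [
    ("google-api-key", re.compile(r"^AIza[0-9A-Za-z_\-]{35}$")),
    ("aws-access-key-id", re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")),
    ("pem-private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("service-account-json", re.compile(r'"private_key"\s*:')),
    ("url-embedded-credentials", re.compile(r"://[^/\s:@]+:[^@\s]+@")),
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random API keys score around 4 or higher."""
    if not value:
        return 0.0
    length = len(value)
    return -sum(
        value.count(c) / length * math.log2(value.count(c) / length)
        for c in set(value)
    )


def env_var_sets(describe: dict) -> dict:
    """Runtime and build variables from either the v2 layout
    (serviceConfig/buildConfig) or the v1 layout (top-level fields)."""
    runtime = ((describe.get("serviceConfig") or {}).get("environmentVariables")
               or describe.get("environmentVariables") or {})
    build = ((describe.get("buildConfig") or {}).get("environmentVariables")
             or describe.get("buildEnvironmentVariables") or {})
    return {"runtime": runtime, "build": build}


def scan_env_vars(describe: dict, entropy_threshold: float = 3.5) -> list:
    """Return (scope, name, reason) for each variable that looks like a secret."""
    findings = []
    for scope, variables in env_var_sets(describe).items():
        for name, value in variables.items():
            if SUSPICIOUS_NAME.search(name):
                findings.append((scope, name, "name suggests a credential"))
                continue
            for label, pattern in SUSPICIOUS_VALUE:
                if pattern.search(value):
                    findings.append((scope, name, f"value matches {label}"))
                    break
            else:
                # Fallback: long, high-entropy strings are usually keys or tokens.
                if len(value) >= 20 and shannon_entropy(value) >= entropy_threshold:
                    findings.append((scope, name, "high-entropy value"))
    return findings


def gcloud_json(*args: str):
    """Run a gcloud command and parse its JSON output."""
    result = subprocess.run(["gcloud", *args, "--format=json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def audit_project(project: str) -> list:
    """Describe every function in the project and collect findings as
    (project, function, scope, variable, reason)."""
    results = []
    for fn in gcloud_json("functions", "list", "--project", project):
        # Both API versions name functions projects/P/locations/REGION/functions/NAME.
        parts = fn["name"].split("/")
        name, region = parts[-1], parts[-3]
        describe = gcloud_json("functions", "describe", name,
                               "--project", project, "--region", region)
        for scope, var, reason in scan_env_vars(describe):
            results.append((project, name, scope, var, reason))
    return results


# Constructed sample shaped like `gcloud functions describe --format=json` output.
SAMPLE_DESCRIBE = {
    "serviceConfig": {"environmentVariables": {
        "CC_API_KEY": "ABCD1234ABCD1234ABCD1234",
        "DB_URL": "postgres://app:hunter2@10.0.0.5/app",
        "LOG_LEVEL": "info",
        "CACHE_SALT": "q7Zt9vL2xK4mN8pR1sW6yB3e",
    }},
    "buildConfig": {"environmentVariables": {"CC_BUILD_VER": "2.4"}},
}

if __name__ == "__main__":
    findings = (audit_project(sys.argv[1]) if len(sys.argv) > 1
                else [("sample",) + f for f in scan_env_vars(SAMPLE_DESCRIBE)])
    for finding in findings:
        print(*finding)
```

Run it with a project ID as the only argument to audit a real project; with no argument it scans the embedded sample, which exercises all three detection paths (a credential-looking name, a connection string with embedded credentials, and a long random value). Expect false positives from the name and entropy heuristics and confirm each finding by hand before remediating.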

Remediation / Resolution

To manage secrets using the Secret Manager service instead of Cloud Functions environment variables, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to the API Library page available at https://console.cloud.google.com/apis/library.

04 Type Secret Manager API in the Search for API & Services search box and press Enter.

05 Click on the name of the Secret Manager API to open the API overview page.

06 On the API overview page, choose ENABLE to enable the Secret Manager API for your GCP project.

07 Navigate to Secret Manager page at https://console.cloud.google.com/security/secret-manager.

08 A Secret Manager secret is an encrypted wrapper around a collection of secret data versions. Choose CREATE SECRET and follow the setup wizard to create the Secret Manager secret that will replace the secret information stored in cleartext within the function environment variable.

09 For Name, enter the name of the environment variable that you are replacing. This will be the secret variable that will be referenced in your code.

10 For Secret value, enter the value from the environment variable that you are replacing. This is the actual value of the variable that will be referenced from your code.

11 Configure the secret encryption, replication policy, secret rotation and expiration based on your application requirements, then choose CREATE SECRET to create your new Secret Manager secret.

12 To grant your function's service account access to the new secret, open the newly created Secret Manager secret, select the PERMISSIONS tab, and choose GRANT ACCESS.

13 On the Grant access to "[secret-name]" panel, enter the service account that your function uses for its identity in the New principals box and select Secret Manager Secret Accessor from the Role dropdown list. Choose SAVE to apply the changes.

14 Modify your function configuration to use the new secret managed by Secret Manager. Navigate to the Cloud Functions console available at https://console.cloud.google.com/functions.

15 Click on the name (link) of the function that you want to configure and choose EDIT.

16 Choose Runtime, build, connections and security settings and select the SECURITY AND IMAGE REPO tab.

17 Under Secrets, choose ADD A SECRET REFERENCE, select the secret and version created earlier, and choose how the function receives it: exposed as an environment variable (keep the same variable name so that the function code continues to read it unchanged) or mounted as a volume (the function reads the value from a file under the mount path). If you expose the secret under the same variable name, remove the cleartext variable (steps no. 19 – 20) in the same edit before deploying, so that the cleartext value is not deployed alongside the reference. Choose DONE to save the changes.

18 Select NEXT and choose DEPLOY to deploy the function changes.

19 After the secret information that replaced the environment variable has been successfully referenced, you can safely remove the non-compliant environment variable from your function configuration. Choose EDIT from the function main menu, and select RUNTIME/BUILD depending on the environment variable type.

20 Use the Delete item (trash bin icon) button to remove any environment variable that holds secret, sensitive information, listed in the Runtime environment variables/Build environment variables section.

21 Select NEXT and choose DEPLOY to deploy the function changes.

22 Repeat steps no. 7 - 21 for each Google Cloud function deployed within the selected GCP project.

23 Repeat steps no. 2 – 22 for each GCP project available in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run services enable command (Windows/macOS/Linux) using the ID of the GCP project that you want to configure as the identifier parameter, to enable the Secret Manager API for the selected project:

gcloud services enable secretmanager.googleapis.com \
  --project cc-web-app-project-112233

02 If successful, the command output should return the ID and status of the performed operation:

Operation "operations/acat.p0-123456789012-abcd1234-abcd-1234-abcd-1234abcd1234" finished successfully.

03 Run secrets create command (Windows/macOS/Linux) to create the Secret Manager secret that will replace the secret information stored in cleartext within the specified function environment variable. The command below reads the secret value from secret-file.txt; make sure the file contains only the value (no trailing newline unless the application expects one), is not committed to source control, and is deleted afterwards. To avoid writing the value to disk at all, use --data-file=- and supply the value on standard input instead:

gcloud secrets create CC_API_KEY \
  --project cc-web-app-project-112233 \
  --replication-policy automatic \
  --data-file="secret-file.txt"

04 If successful, the command output should return the version of the newly created secret:

Created version [1] of the secret [CC_API_KEY]

05 Run secrets add-iam-policy-binding command (Windows/macOS/Linux) to grant your function's runtime service account access to the new Secret Manager secret. The account is listed as serviceAccountEmail in the functions describe output (serviceConfig.serviceAccountEmail in the v2 layout); unless you configured one, 1st gen functions run as the App Engine default service account and 2nd gen functions as the Compute Engine default service account. Bind the role on the secret itself rather than at project level so that the function can read only this secret:

gcloud secrets add-iam-policy-binding CC_API_KEY \
  --project cc-web-app-project-112233 \
  --member="serviceAccount:[service-account-email]" \
  --role="roles/secretmanager.secretAccessor"

06 The command output should return the new policy available for the configured Secret Manager secret:

Updated IAM policy for secret [CC_API_KEY].
bindings:
- members:
    - serviceAccount:[service-account-email]
    role: roles/secretmanager.secretAccessor
etag: ABCD1234ABCD
version: 1

07 Run functions deploy command (Windows/macOS/Linux) using the name of the function that you want to configure as the identifier parameter, with the --update-secrets parameter to expose the new secret to the function as an environment variable, and redeploy the function. Run the command from the directory that holds the function's source code (or add the --source parameter), and pass the region in which the function is deployed:

gcloud functions deploy cc-worker-function \
  --project cc-web-app-project-112233 \
  --region us-central1 \
  --update-secrets CC_API_KEY=CC_API_KEY:1

The value format is ENVIRONMENT_VARIABLE=SECRET:VERSION (or ENVIRONMENT_VARIABLE=projects/PROJECT/secrets/SECRET:VERSION for a secret in another project). Do not use --update-env-vars for this: that only writes the secret's resource path, or worse the secret value itself, into a cleartext environment variable. Pinning version 1 means that a rotated secret requires another deploy; referencing CC_API_KEY:latest instead lets new instances pick up the newest version, because secret environment variables are resolved when an instance starts. If gcloud rejects the deployment because CC_API_KEY is already defined as a plain environment variable, add --remove-env-vars CC_API_KEY to the same command, which performs step no. 9 in the same deployment.

08 If successful, the command output should return the deployment progress followed by the updated function configuration. Confirm that CC_API_KEY is listed under secretEnvironmentVariables (serviceConfig.secretEnvironmentVariables in the v2 layout) with the secret name and version, and that the function still reads the variable successfully, for example by invoking it and checking its logs.

09 After the secret information that replaced the environment variable has been successfully referenced, you can safely remove the non-compliant environment variable from your function configuration. Run functions deploy command (Windows/macOS/Linux) using the name of the function as the identifier parameter and the name of the environment variable that you want to delete as the value of the --remove-env-vars parameter, to remove the specified variable from your function configuration and redeploy the function:

gcloud functions deploy cc-worker-function \
  --project cc-web-app-project-112233 \
  --region us-central1 \
  --remove-env-vars CC_API_KEY

10 If successful, the command output should return the updated function configuration; CC_API_KEY should no longer appear under environmentVariables (serviceConfig.environmentVariables) but should still appear under secretEnvironmentVariables. Because the value was stored in cleartext before this change, consider it exposed: rotate it at its source, add the new value as a new secret version, and update the reference if you pinned a version number.

11 Repeat steps no. 3 - 10 for each Google Cloud function deployed within the selected GCP project.

12 Repeat steps no. 1 – 11 for each GCP project available in your Google Cloud Platform (GCP) account.
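Steps no. 3 – 10 can be scripted. The Python script below is an added example, not code from the original article or from the Conformity product: plan_migration builds the gcloud commands from the steps above (secret creation, a least-privilege IAM binding on the secret, and a single deploy that adds the --update-secrets reference and removes the cleartext variable), run_migration executes them while passing the secret value to gcloud secrets create on standard input rather than through a file, and verify_reference checks the describe output afterwards. The project, region, function and variable names are placeholders, the secret ID is assumed to equal the variable name, and the script assumes it is run from the function's source directory so that gcloud functions deploy can redeploy the existing code.

```python
"""Move one cleartext Cloud Functions environment variable into Secret Manager.

Added example, not code from the original article or from Conformity.
plan_migration() builds the gcloud commands offline; run_migration() executes
them, passing the secret value to `gcloud secrets create` on standard input so
it never reaches a command line, shell history or a file on disk.
"""
import getpass
import json
import subprocess
import sys


def secret_env_reference(var_name: str, secret_name: str, version: str = "latest") -> str:
    """Value for --update-secrets, format ENV_VAR=SECRET:VERSION (same project).
    Secret environment variables are resolved when an instance starts, so
    'latest' picks up a rotated value on the next instance, while a pinned
    number makes rotation an explicit redeploy."""
    return f"{var_name}={secret_name}:{version}"


def plan_migration(project: str, region: str, function_name: str, var_name: str,
                   service_account: str, secret_name=None, version: str = "latest") -> list:
    """Return the gcloud commands, in order, as argv lists."""
    secret_name = secret_name or var_name
    return [
        ["gcloud", "services", "enable", "secretmanager.googleapis.com",
         "--project", project],
        # --data-file=- reads the secret payload from stdin.
        ["gcloud", "secrets", "create", secret_name, "--project", project,
         "--replication-policy", "automatic", "--data-file=-"],
        # Least privilege: accessor role on this one secret, not on the project.
        ["gcloud", "secrets", "add-iam-policy-binding", secret_name,
         "--project", project,
         "--member", f"serviceAccount:{service_account}",
         "--role", "roles/secretmanager.secretAccessor"],
        # One deploy adds the reference and drops the cleartext variable, so no
        # revision carries both.  Run from the source directory or add --source.
        ["gcloud", "functions", "deploy", function_name, "--project", project,
         "--region", region,
         "--update-secrets", secret_env_reference(var_name, secret_name, version),
         "--remove-env-vars", var_name],
    ]


def run_migration(commands: list, secret_value: str) -> None:
    """Execute the planned commands; only `secrets create` receives the value."""
    for argv in commands:
        stdin = secret_value if "--data-file=-" in argv else None
        subprocess.run(argv, input=stdin, text=True, check=True)


def verify_reference(describe: dict, var_name: str) -> bool:
    """True when var_name is served from Secret Manager and is no longer a
    plain variable.  Accepts `gcloud functions describe --format=json` output
    in the v2 layout (serviceConfig) or the v1 layout (top-level fields)."""
    svc = describe.get("serviceConfig") or describe
    plain = svc.get("environmentVariables") or {}
    refs = svc.get("secretEnvironmentVariables") or []
    return var_name not in plain and any(r.get("key") == var_name for r in refs)


def describe_function(project: str, region: str, function_name: str) -> dict:
    """Fetch the function configuration from gcloud as a dict."""
    result = subprocess.run(
        ["gcloud", "functions", "describe", function_name, "--project", project,
         "--region", region, "--format=json"],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Usage: migrate.py PROJECT REGION FUNCTION VARIABLE (all placeholders).
    project, region, function_name, var_name = sys.argv[1:5]
    before = describe_function(project, region, function_name)
    svc = before.get("serviceConfig") or before
    # The cleartext value is already in the configuration; reuse it rather
    # than retyping it, and fall back to a hidden prompt if it is absent.
    value = (svc.get("environmentVariables") or {}).get(var_name) \
        or getpass.getpass(f"Value for {var_name}: ")
    commands = plan_migration(project, region, function_name, var_name,
                              svc.get("serviceAccountEmail", ""))
    run_migration(commands, value)
    after = describe_function(project, region, function_name)
    print("migrated" if verify_reference(after, var_name) else "NOT migrated")
```

After the script reports "migrated", the old value has still been visible in cleartext to everyone who could read the function configuration, so rotate it by adding a new secret version; with the default "latest" reference no further deploy is needed.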


Publication date Jun 29, 2023
