@yhori991 yhori991 commented Jan 3, 2026

Add support for Google Cloud Secret Manager as requested in #25.

Features

  • Read/write support: Full provider implementation
  • Application Default Credentials: Supports local dev, service accounts, and Workload Identity
  • Consistent with other providers: Follows the same pattern as keyring, OnePassword, and LastPass
  • Migration support: Enables secretspec import dotenv://.env to migrate secrets to GCP
  • Project/profile namespacing: Properly uses project and profile parameters for organization

Implementation

  • URI format: gcsm://PROJECT_ID
  • Storage path: secretspec-{project}-{profile}-{key} (reads latest version)
  • Uses google-cloud-secretmanager-v1 crate for GCP API access
  • Feature-gated with --features gcsm to keep binary size minimal
  • Documentation matches standard provider format

Usage Example

# Authenticate (first time)
$ gcloud auth application-default login

# Build with GCSM support
$ cargo build --features gcsm

# Set a secret
$ secretspec set DATABASE_URL --provider gcsm://my-gcp-project

# Secrets stored as:
# secretspec-myapp-default-DATABASE_URL
# secretspec-myapp-default-API_KEY

# Run with secrets from GCP
$ secretspec run --provider gcsm://my-gcp-project -- npm start

Fixes #25

@yhori991 yhori991 closed this Jan 3, 2026
@yhori991 yhori991 deleted the feature/gcsm-provider branch January 3, 2026 12:06
@yhori991 yhori991 restored the feature/gcsm-provider branch January 3, 2026 12:07
@yhori991 yhori991 reopened this Jan 3, 2026
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct GcsmConfig {
/// The GCP project ID (e.g., "my-gcp-project")
pub project_id: Option<String>,
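
Review bot: `project_id` is declared `Option<String>` on a struct that also derives `Default` and `Deserialize`, so a config with no project ID deserializes cleanly to `None` instead of being rejected. Declaring the field as `String` and dropping `Default` from the derive list would reject such a config when it is loaded; if `Default` stays, `GcsmConfig::default()` would still produce an empty project ID, so a non-empty check would be needed as well.
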
Member

This should be required given that the code expects it always to be set and errors out

Contributor Author

So true. Thanks for pointing it out. It won't work when we don't have project_id by any means.
I'll change it to a required field.
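
The `gcsm://PROJECT_ID` URI and the `secretspec-{project}-{profile}-{key}` storage path from the PR description, together with the required-`project_id` point from the review thread, as an added example that is not code from this PR or from SecretSpec. The names `GcsmTarget`, `GcsmError`, `parse_uri` and `secret_id` are hypothetical; the character and length limits are Secret Manager's rules for secret IDs.

```rust
// Added example; the names below are hypothetical, not SecretSpec's own API.
#[derive(Debug, PartialEq)]
pub struct GcsmTarget {
    pub project_id: String, // required: no Option, no Default
}

#[derive(Debug, PartialEq)]
pub enum GcsmError {
    BadScheme,
    MissingProjectId,
    InvalidComponent(&'static str),
    TooLong(usize),
}

/// Parse `gcsm://PROJECT_ID`, failing here rather than at the first API call.
pub fn parse_uri(uri: &str) -> Result<GcsmTarget, GcsmError> {
    let rest = uri.strip_prefix("gcsm://").ok_or(GcsmError::BadScheme)?;
    let project_id = rest.trim_end_matches('/');
    if project_id.is_empty() {
        return Err(GcsmError::MissingProjectId);
    }
    Ok(GcsmTarget { project_id: project_id.to_string() })
}

/// Build `secretspec-{project}-{profile}-{key}` and check it against
/// Secret Manager's secret ID rules: [A-Za-z0-9_-], at most 255 characters.
pub fn secret_id(project: &str, profile: &str, key: &str) -> Result<String, GcsmError> {
    for (label, part) in [("project", project), ("profile", profile), ("key", key)] {
        let ok = !part.is_empty()
            && part.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-');
        if !ok {
            return Err(GcsmError::InvalidComponent(label));
        }
    }
    let id = format!("secretspec-{}-{}-{}", project, profile, key);
    if id.len() > 255 {
        return Err(GcsmError::TooLong(id.len()));
    }
    Ok(id)
}

fn main() {
    // Constructed sample values matching the usage shown in the PR description.
    let target = parse_uri("gcsm://my-gcp-project").unwrap();
    let id = secret_id("myapp", "default", "DATABASE_URL").unwrap();
    println!("projects/{}/secrets/{}", target.project_id, id);
    println!("{:?}", parse_uri("gcsm://"));
    println!("{:?}", secret_id("myapp", "default", "db.url"));
}
```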

@domenkozar domenkozar merged commit 7d61240 into cachix:main Jan 5, 2026
7 of 8 checks passed