gsm-buddy can be used to fetch secrets from GCP Secret Manager as a group which is not currently supported by GCP Secret Manager.

• Fetch secrets for an app prior to it's deployment
• Run gsm-buddy as a sidecar of an application to feed secrets periodically

curl -sSL https://github.com/yamaszone/gcp-secret-manager-buddy/releases/download/v0.1.2/gcp-secret-manager-buddy-v0.1.2-$(
    bash -c '[[ $OSTYPE == darwin* ]] && echo darwin || echo linux'
  )-amd64 -o gsm-buddy && chmod a+x gsm-buddy && sudo mv gsm-buddy /usr/local/bin/

Download executable from releases page

project_id=my-gcp-project-id
sa_name=secrets-manager-reader-foo
iam_account="${sa_name}@${project_id}.iam.gserviceaccount.com"
gcloud iam service-accounts create "$sa_name" --display-name "$sa_name"
gcloud projects add-iam-policy-binding "$project_id" --member "serviceAccount:${iam_account}" --role "roles/secretmanager.viewer"
gcloud projects add-iam-policy-binding "$project_id" --member "serviceAccount:${iam_account}" --role "roles/secretmanager.secretAccessor"
gcloud iam service-accounts keys create --iam-account "$iam_account" ~/${sa_name}-key.json
export GOOGLE_APPLICATION_CREDENTIALS=~/${sa_name}-key.json

• Install gsm-buddy
• GCP Service Account Setup

cat input.json

{
	"KEY1":"gsm-secret-ID1",
	"KEY2":"gsm-secret-ID2"
}

gsm-buddy get -i input.json -p my-gcp-project

{
	"KEY1":"secret-value1",
	"KEY2":"secret-value2"
}

gsm-buddy can be run as a stub by setting export GSM_IS_STUB=yes. This will bypass GCP Secret Manager communication and will simply output the content of the input file. This is useful for the following scenarios:

• iterate on the gsm-buddy itself stubbing out the GCP Secret Manager
• allow gsm-buddy to work for situations where GCP Secret Manager is unreachable

cat input.json

{
	"KEY1":"secret-value1",
	"KEY2":"secret-value2"
}

gsm-buddy get -i input.json -p my-gcp-project

{
	"KEY1":"secret-value1",
	"KEY2":"secret-value2"
}

• gsm-buddy: gsm-buddy get -i secret-ids-sample.json -p tntprod
• gcloud: for i in $(gcloud secrets list --format="value(name)" --filter=""); do echo $i=$(gcloud secrets versions access latest --secret $i); done

NOTE: gcloud secret fetch method runs serially while gsm-buddy parallelize the fetch request. The secret fetch time will increase linearly for gcloud. For example, gcloud can take ~50s while gsm-buddy can take ~1s to fetch 10 secrets.