Fastify secrets plugin for Google cloud platform secrets manager
npm install --save fastify-secrets-gcp
In order to be able to read from gcp secrets manager you will need some permissions. You will also probably manage permissions in different ways in local dev and production environment.
In general you may want to use a different secrets manager on your local machine (i.e. fastify-secrets-env to read secrets from env variables).
If you want run fastify-secrets-gcp in the local environment too you will need to follow these steps:
- Create a GCP Service Account
- Grant the new service account at least the role of "Secret Manager Secret Accessor"
- Create key for the account
- Download the key in json format
- (optional) Place the key in the root of your project (make sure to add it to
.gitignoreto avoid commiting it) - Set the env variable
GOOGLE_APPLICATION_CREDENTIALSto the absolute path of the downloaded key - You're ready to run your app
If you already have a custom Service Account for your service Clour Run you will need to give it access to Secrets Manager. Otherwise you will need to create a new custom Service Account with access to Secrets Manager and assign it to Cloud Run.
In any case you will need to grant the "Secret Manager Secret Accessor" role.
const FastifySecrets = require('fastify-secrets-gcp')
fastify.register(FastifySecrets, {
secrets: {
dbPassword: 'projects/PROJECT-ID/secrets/SECRET-ID/versions/latest'
}
})await fastify.ready()
console.log(fastify.secrets.dbPassword) // content of projects/PROJECT-ID/secrets/SECRET-ID/versions/latestThe plugin only expect the secrets object in the options.
It is a map of keys and resource ids for the secrets. fastify-secrets-gcp will decorate the fastify server with a secrets object where keys will be the same keys of the options and the value will be the content of the secret as fetched from GCP Secrets Manager
See CONTRIBUTING.md
Copyright NearForm Ltd 2020. Licensed under the Apache-2.0 license.