Google Apps Scripts accessing Secret Manager

I'm building a data studio connector (apps scripts) that needs to access MySQL.

I have all my credentials stored in GCP Secret Manager and would like my apps scripts to get the credentials from Secret Manager.

I checked https://developers.google.com/apps-script documentation but couldn't find the relevant class to access Secret Manager.

What is the best way for Apps Scripts to get credentials being stored in Secret Manager?

Victimize answered 4/4, 2021 at 13:3 Comment(3)
Use the Secret Manager API - Nelly
Did you solve this? I need exactly this functionality and don't really want to start from scratch - Maurer
No.. in the end I needed to hardcode the secret in app secrets.. I gave up on Google services and migrated to another cloud.. XD - Victimize

I also needed to read a secret from Secret Manager to avoid a hardcoded value in Google Apps Script. After I had added a secret value in Secret Manager in the GCP developer console, I enabled the Secret Manager API.

And here is my solution:

First of all, open the Project Settings menu in your Apps Script editor (settings cogwheel icon on the panel to the left) and tick the checkbox:

    "Show appsscript.json manifest file in editor"

This will make the appsscript.json file visible in your project files near your main Code.gs. Then add these lines into the existing dictionary in appsscript.json:

    "oauthScopes": [
        "https://www.googleapis.com/auth/script.external_request",
        "https://www.googleapis.com/auth/cloud-platform"
    ]

This will enable the necessary scopes for your project. I am reading an API key from Secret Manager, so I added a getAPIKey() function in Code.gs:

    function getAPIKey() {
      // Resource name of the secret version; fill in the three placeholders.
      const endpoint = `https://secretmanager.googleapis.com/v1/projects/<project_id>/secrets/<secret_name>/versions/<version_number>:access`;
      // OAuth token of the user running the script (requires the cloud-platform scope).
      const token = ScriptApp.getOAuthToken();
      const response = UrlFetchApp.fetch(endpoint, {
        headers: {
          Authorization: 'Bearer ' + token,
          Accept: 'application/json',
        }
      });
      // payload.data is base64-encoded: decode it to bytes, then to a string.
      const decodedAPIKey = Utilities.base64Decode(JSON.parse(response.getContentText())['payload']['data']);
      const apiKey = Utilities.newBlob(decodedAPIKey).getDataAsString();
      return apiKey;
    }

The Google Cloud OAuth token is used to authenticate this script to access Secret Manager. On the first run of the script, you will also need to authorize it manually, but only once.

Please remember to add your project_id, secret_name and version_number. You will find this information in Secret Manager in the Developer Console when you open your secret value.

Then call this function in a place where you need your secret value.

Blindly answered 14/3, 2023 at 15:41 Comment(1)
This is helpful, thanks! Is there a way to 'install' and test the library in conjunction with the rest of a Google Script Code.gs file? PS I'm not following why you reference a getOAuthToken() call in there, seems unnecessary? - Bearce
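
A hardened variant of the `getAPIKey()` approach from the answer above, added here as an example and not code from any answer on this page: it validates the resource name parts, checks the HTTP status without exposing the response body, and verifies the `dataCrc32c` checksum that Secret Manager returns alongside `payload.data`. The function names, the character allow-list and the injected `base64Decode` parameter are assumptions of this example.

```javascript
// Added example: runs under Apps Script (V8); the three helpers also run in Node.
// CRC32C (Castagnoli), the checksum Secret Manager returns as payload.dataCrc32c.
function crc32c(bytes) {
  let crc = 0xFFFFFFFF;
  for (const b of bytes) {
    crc ^= b & 0xFF; // Apps Script byte arrays are signed (-128..127)
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0x82F63B78 & -(crc & 1));
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Build the :access URL. The character allow-list is an assumption of this
// example; it keeps '/', '?' and '..' out of the request path.
function secretVersionUrl(projectId, secretName, version) {
  for (const part of [projectId, secretName, version]) {
    if (!/^[A-Za-z0-9_-]+$/.test(String(part))) throw new Error('invalid resource name component');
  }
  return 'https://secretmanager.googleapis.com/v1/projects/' + projectId +
    '/secrets/' + secretName + '/versions/' + version + ':access';
}

// Check the HTTP status, decode payload.data and verify its checksum.
// Errors carry only the status code, never the response body or the token.
function parseAccessResponse(statusCode, bodyText, base64Decode) {
  if (statusCode !== 200) {
    throw new Error('Secret Manager access failed with HTTP ' + statusCode);
  }
  const payload = JSON.parse(bodyText).payload;
  if (!payload || typeof payload.data !== 'string') {
    throw new Error('response has no payload.data');
  }
  const bytes = base64Decode(payload.data);
  if (payload.dataCrc32c !== undefined &&
      String(crc32c(bytes)) !== String(payload.dataCrc32c)) {
    throw new Error('payload checksum mismatch');
  }
  return bytes;
}

// Apps Script entry point (hypothetical name); needs the two OAuth scopes above.
function getSecret(projectId, secretName, version) {
  const response = UrlFetchApp.fetch(secretVersionUrl(projectId, secretName, version), {
    headers: { Authorization: 'Bearer ' + ScriptApp.getOAuthToken() },
    muteHttpExceptions: true, // inspect the status code ourselves
  });
  const bytes = parseAccessResponse(response.getResponseCode(),
    response.getContentText(), (s) => Utilities.base64Decode(s));
  return Utilities.newBlob(bytes).getDataAsString();
}
```

Call `getSecret()` at the point of use rather than caching the value in script properties or logging it.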

Recapping for better visibility:
When you need to store secrets (passwords, certificates, private keys, etc.) in Google Cloud, you can use Secret Manager.
To have your apps retrieve them automatically and securely, use Secret Manager API. They can be accessed using REST or gRPC API, with Google Cloud libraries or your own.

Corbicula answered 4/4, 2021 at 13:3 Comment(0)
