Getting key from Secret manager to Apigee proxy

I was trying to use Secret Manager to keep API keys secure and use the same in Apigee. However, I am not able to see the key in the response. I am not sure what I am doing wrong.

I had referred to this https://www.googlecloudcommunity.com/gc/Apigee/Access-GCP-Secret-Manager-from-Apigee/m-p/482208 post by @dchiesa1 which worked (I had to add Viewer role after going to Secret Manager console).

The only problem is that I am not able to see the encoded key value. This is the content which I am able to see after the service callout and Assign message policies (same as mentioned in the above link).

{
  "name": "projects/508108081207/secrets/sp_dev_apigee_key/versions/1",
  "createTime": "2023-07-17T10:14:29.502331Z",
  "state": "ENABLED",
  "replicationStatus": {
    "automatic": {}
  },
  "etag": "\"1600ac1062157b\"",
  "clientSpecifiedPayloadChecksum": true
}

@API-Evangelist @mevangelisti 

1 ACCEPTED SOLUTION

Yes, the name in the output

{
  "name": "projects/508108081207/secrets/sp_dev_apigee_key/versions/1",
  ...

...tells me that you are using a path that ends in the version number for the secret. According to the documentation, that will get metadata for the specified version of the secret.

The metadata includes when it was created, its state, the replication status... But if you want the actual content, you must use the URL with the :access suffix: /v1/projects/PROJECT/secrets/SECRETNAME/versions/1:access

That will give you a payload of this kind of structure.

{
  "name": "projects/911586521367/secrets/secret1/versions/1",
  "payload": {
    "data": "VGhpcy1pcy1hLXNlY3JldA==",
    "dataCrc32c": "3671980923"
  }
}

The data in that payload is a base64-encoded version of the secret.

"(I had to add Viewer role after going to Secret Manager console)."

Note: you must add the secretmanager.secretAccessor role to get the secret data. It's not the same role as secretmanager.viewer!
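
An added example, not part of the original answer and not Apigee policy code: a Node.js check of a Secret Manager REST response body that tells the version-metadata shape apart from the :access shape, decodes payload.data, and verifies the bytes against dataCrc32c. The function names, the placeholder resource names and the sample responses are constructed for this example; it assumes dataCrc32c is the CRC32C of the decoded bytes and that errors arrive in the standard Google API error envelope.

```javascript
// Added example (not from the thread). Names and sample data are constructed.

// CRC32C (Castagnoli), reflected polynomial 0x82F63B78, bit-at-a-time.
function crc32c(bytes) {
  let crc = 0xFFFFFFFF;
  for (const b of bytes) {
    crc ^= b;
    for (let i = 0; i < 8; i++) {
      crc = (crc >>> 1) ^ (0x82F63B78 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Classify a Secret Manager REST response body and extract the secret.
function readSecret(body) {
  const res = JSON.parse(body);
  if (res.error) {
    // Standard Google API error envelope, e.g. 403 without secretAccessor.
    return { ok: false, reason: `api error ${res.error.code} ${res.error.status}` };
  }
  if (!res.payload || typeof res.payload.data !== 'string') {
    // createTime/state without payload is the version-metadata shape.
    const reason = res.state
      ? 'metadata only: request .../versions/N:access instead'
      : 'no payload in response';
    return { ok: false, reason };
  }
  const bytes = Buffer.from(res.payload.data, 'base64');
  const expected = res.payload.dataCrc32c;
  if (expected !== undefined && String(crc32c(bytes)) !== String(expected)) {
    return { ok: false, reason: 'dataCrc32c mismatch' };
  }
  // Return the value to the caller; do not log it.
  return { ok: true, name: res.name, secret: bytes.toString('utf8') };
}

// Constructed responses for a local run (placeholder resource names).
const value = Buffer.from('constructed-sample-value');
const accessBody = JSON.stringify({
  name: 'projects/PROJECT/secrets/SECRETNAME/versions/1',
  payload: { data: value.toString('base64'), dataCrc32c: String(crc32c(value)) },
});
const metadataBody = JSON.stringify({
  name: 'projects/PROJECT/secrets/SECRETNAME/versions/1',
  state: 'ENABLED',
});
console.log(readSecret(accessBody).ok, readSecret(metadataBody).reason);
```

The demo line prints only the success flag and the failure reason, so the decoded value never reaches a log.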

2 REPLIES

I was using the wrong path, as you pointed out. It is working with the access keyword added at the end. Thank you so much, @dchiesa1