I was trying to use Secret Manager to keep API keys secure and use the same in Apigee. However, I am not able to see the key in the response. I am not sure what I am doing wrong.
I had referred to this https://www.googlecloudcommunity.com/gc/Apigee/Access-GCP-Secret-Manager-from-Apigee/m-p/482208 post by @dchiesa1 which worked (I had to add Viewer role after going to Secret Manager console).
The only problem is that I am not able to see the encoded key value. This is the content which I am able to see after the service callout and Assign message policies (same as mentioned in the above link).
{
  "name": "projects/508108081207/secrets/sp_dev_apigee_key/versions/1",
  "createTime": "2023-07-17T10:14:29.502331Z",
  "state": "ENABLED",
  "replicationStatus": {
    "automatic": {}
  },
  "etag": "\"1600ac1062157b\"",
  "clientSpecifiedPayloadChecksum": true
}
Yes, the name in the output
{
"name": "projects/508108081207/secrets/sp_dev_apigee_key/versions/1",
...
...tells me that you are using a path that ends in the version number for the secret. According to the documentation, that will get metadata for the specified version of the secret.
The metadata includes when it was created, its state, the replication status.... But if you want the actual content, you must use the URL with the :access suffix.
/v1/projects/PROJECT/secrets/SECRETNAME/versions/1:access
That will give you a payload of this kind of structure.
{
  "name": "projects/911586521367/secrets/secret1/versions/1",
  "payload": {
    "data": "VGhpcy1pcy1hLXNlY3JldA==",
    "dataCrc32c": "3671980923"
  }
}
The data in that payload is a base64-encoded version of the secret.
(I had to add Viewer role after going to Secret Manager console).
Note: you must add the secretmanager.secretAccessor role to get the secret data. It's not the same role as secretmanager.viewer!
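The difference between the two responses described above, as an added example for Node.js (not code from this thread or from Apigee): it rejects a metadata-only body, base64-decodes payload.data, and checks it against the dataCrc32c field. The sample bodies are constructed, and PROJECT and SECRETNAME are placeholders as in the answer.

```javascript
'use strict';
// Added example for Node.js; sample bodies below are constructed, not real secrets.

// CRC32C (Castagnoli), bitwise, reflected polynomial 0x82F63B78.
function crc32c(bytes) {
  let crc = 0xFFFFFFFF;
  for (const b of bytes) {
    crc ^= b;
    for (let i = 0; i < 8; i++) {
      crc = (crc >>> 1) ^ (0x82F63B78 & -(crc & 1));
    }
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Returns the decoded secret from a versions/N:access response body.
// Throws if the body is version metadata only, or if dataCrc32c does not match.
function readSecret(responseBody) {
  const body = JSON.parse(responseBody);
  if (!body.payload || typeof body.payload.data !== 'string') {
    throw new Error('no payload for ' + body.name +
      ': this is version metadata, call the path ending in :access');
  }
  const raw = Buffer.from(body.payload.data, 'base64');
  const expected = body.payload.dataCrc32c; // int64 serialized as a decimal string
  if (expected !== undefined && String(crc32c(raw)) !== String(expected)) {
    throw new Error('dataCrc32c mismatch for ' + body.name);
  }
  return raw.toString('utf8');
}

// Constructed: shape returned by GET .../versions/1 (no payload field).
const METADATA_BODY = JSON.stringify({
  name: 'projects/PROJECT/secrets/SECRETNAME/versions/1',
  state: 'ENABLED',
});

// Constructed: shape returned by GET .../versions/1:access; data is base64 of "123456789".
const ACCESS_BODY = JSON.stringify({
  name: 'projects/PROJECT/secrets/SECRETNAME/versions/1',
  payload: { data: 'MTIzNDU2Nzg5', dataCrc32c: '3808858755' },
});

// Log only the length, never the secret value itself.
console.log('secret length:', readSecret(ACCESS_BODY).length);
try { readSecret(METADATA_BODY); } catch (e) { console.log(e.message); }
```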
I was using the wrong path as you pointed out. It is working with access keyword added at the end. Thank you so much @dchiesa1