AgentSkillsCN

gcloud-secrets

管理 Google Cloud Secret Manager,用于存储与获取环境密钥。在进行部署、密钥管理或 gcloud 命令操作时使用。

SKILL.md
--- frontmatter
name: gcloud-secrets
description: Manage Google Cloud Secret Manager for storing and fetching environment secrets. Use when working with deployment, secrets, or gcloud commands.

Google Cloud Secret Manager

Project Configuration

  • Project ID: myimageupscaler-auth
  • Account: jfurtado141@gmail.com
  • Secrets:
    • myimageupscaler-api-prod.env.api.prod
    • myimageupscaler-client-prod.env.client.prod

Setup Commands

bash
# Set correct account and project
gcloud config set account jfurtado141@gmail.com
gcloud config set project myimageupscaler-auth

# Verify access
gcloud secrets list

Common Issues

"Failed to fetch secret" Error

  1. Check current project: gcloud config get-value project
  2. Check current account: gcloud config get-value account
  3. Switch to correct account/project (see above)

Wrong Project

The CLI might default to definya-447700. Always ensure you're on myimageupscaler-auth.

Service Account vs Personal Account

  • Service account cloudstartlabs-service-acc@coldstartlabs-auth.iam.gserviceaccount.com does NOT have access to myimageupscaler-auth
  • Use personal account jfurtado141@gmail.com for secret access
  • Or use the service account key at ./cloud/keys/myimageupscaler-auth-6348371fe8c6.json:
    bash
    gcloud auth activate-service-account --key-file=./cloud/keys/myimageupscaler-auth-6348371fe8c6.json
    

Deploy Flow

The deploy script (scripts/deploy/deploy.sh) fetches secrets in step 0:

  1. Fetches myimageupscaler-api-prod.env.api.prod
  2. Fetches myimageupscaler-client-prod.env.client.prod
  3. Cleans up these files after deploy (success or failure)

Updating Secrets

bash
# Update API secrets
gcloud secrets versions add myimageupscaler-api-prod --data-file=.env.api

# Update client secrets
gcloud secrets versions add myimageupscaler-client-prod --data-file=.env.client

Important: Always destroy older versions after adding a new one to avoid secret sprawl and reduce security risk:

bash
# List versions to find the old one
gcloud secrets versions list myimageupscaler-api-prod

# Destroy the previous version (replace N with version number)
gcloud secrets versions destroy N --secret=myimageupscaler-api-prod --quiet

Service Account Key Location

Local keys available at:

  • ./cloud/keys/coldstart-labs-service-account-key.json (Note: Does not have access to myimageupscaler-auth project)
  • ./cloud/keys/myimageupscaler-auth-6348371fe8c6.json (myimageupscaler-auth project)

Important: The cloud/keys/ directory is gitignored. Never commit service account keys.