Google Cloud Secret Manager
Project Configuration
- Project ID: `myimageupscaler-auth`
- Account: `jfurtado141@gmail.com`
- Secrets:
  - `myimageupscaler-api-prod` → `.env.api.prod`
  - `myimageupscaler-client-prod` → `.env.client.prod`
Setup Commands
```bash
# Set correct account and project
gcloud config set account jfurtado141@gmail.com
gcloud config set project myimageupscaler-auth

# Verify access
gcloud secrets list
```
Common Issues
"Failed to fetch secret" Error
- Check current project: `gcloud config get-value project`
- Check current account: `gcloud config get-value account`
- Switch to correct account/project (see above)
Wrong Project
The CLI might default to definya-447700. Always ensure you're on myimageupscaler-auth.
Service Account vs Personal Account
- Service account `cloudstartlabs-service-acc@coldstartlabs-auth.iam.gserviceaccount.com` does NOT have access to myimageupscaler-auth
- Use personal account `jfurtado141@gmail.com` for secret access
- Or use the service account key at `./cloud/keys/myimageupscaler-auth-6348371fe8c6.json`:

```bash
gcloud auth activate-service-account --key-file=./cloud/keys/myimageupscaler-auth-6348371fe8c6.json
```
Deploy Flow
The deploy script (scripts/deploy/deploy.sh) fetches secrets in step 0:
- Fetches `myimageupscaler-api-prod` → `.env.api.prod`
- Fetches `myimageupscaler-client-prod` → `.env.client.prod`
- Cleans up these files after deploy (success or failure)
Updating Secrets
```bash
# Update API secrets
gcloud secrets versions add myimageupscaler-api-prod --data-file=.env.api

# Update client secrets
gcloud secrets versions add myimageupscaler-client-prod --data-file=.env.client
```
Important: Always destroy older versions after adding a new one to avoid secret sprawl and reduce security risk:
```bash
# List versions to find the old one
gcloud secrets versions list myimageupscaler-api-prod

# Destroy the previous version (replace N with version number)
gcloud secrets versions destroy N --secret=myimageupscaler-api-prod --quiet
```
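The add-then-destroy procedure above as one script (an added example, not part of the project's scripts). It reads the new version back and compares it with the local file before destroying anything, because a destroyed version cannot be recovered, and it goes beyond the single `N` above by destroying every older version that is not already destroyed. The function names `stale_versions` and `rotate_secret` are hypothetical, and an authenticated `gcloud` is assumed.

```shell
#!/usr/bin/env bash
# Added example: rotate a Secret Manager secret, then destroy superseded versions.
# Function names are hypothetical; assumes gcloud is installed and authenticated.

# Print the version numbers of SECRET that are not yet destroyed, except KEEP.
stale_versions() {
  local secret="$1" keep="$2"
  gcloud secrets versions list "$secret" \
    --filter="state!=DESTROYED" --format="value(name)" |
    sed 's|.*/||' |            # accept either "N" or ".../versions/N"
    grep -vx -- "$keep" || true  # no stale versions is not an error
}

# Upload FILE as a new version of SECRET, verify it, destroy the older ones.
# Prints the new version number on success.
rotate_secret() {
  local secret="$1" file="$2" new v
  [ -s "$file" ] || { echo "refusing to upload empty file: $file" >&2; return 1; }

  # Add the new version and capture its number from the resource name.
  new="$(gcloud secrets versions add "$secret" \
    --data-file="$file" --format="value(name)")" || return 1
  new="${new##*/}"

  # Read the payload back and compare byte for byte before any destroy.
  if ! gcloud secrets versions access "$new" --secret="$secret" |
      cmp -s - "$file"; then
    echo "version $new of $secret does not match $file; keeping old versions" >&2
    return 1
  fi

  for v in $(stale_versions "$secret" "$new"); do
    gcloud secrets versions destroy "$v" --secret="$secret" --quiet || return 1
  done
  echo "$new"
}
```

For example, `rotate_secret myimageupscaler-api-prod .env.api` prints the new version number once the older versions are destroyed.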
Service Account Key Location
Local keys available at:
- `./cloud/keys/coldstart-labs-service-account-key.json` (Note: Does not have access to myimageupscaler-auth project)
- `./cloud/keys/myimageupscaler-auth-6348371fe8c6.json` (myimageupscaler-auth project)
Important: The cloud/keys/ directory is gitignored. Never commit service account keys.