gordalina/hush_gcp_secret_manager

GCP Secret Manager Hush Provider

This package provides a Hush Provider to resolve Google Cloud Platform's Secret Manager secrets.

Documentation can be found at https://hexdocs.pm/hush_gcp_secret_manager.

Installation

The package can be installed by adding hush_gcp_secret_manager to your list of dependencies in mix.exs:

def deps do
  [
    {:hush, "~> 1.0"},
    {:hush_gcp_secret_manager, "~> 1.0.2"}
  ]
end

This module relies on goth to fetch secrets from the Google Cloud Platform API, so you need to configure goth. The goth configuration is set under hush_gcp_secret_manager and is the same as if you were to configure a child_spec as per the goth documentation.

Because the provider needs to start both applications, it needs to be registered as a provider in hush so that it gets loaded during startup.

# config/config.exs

alias Hush.Provider.GcpSecretManager

# ensure hush loads GcpSecretManager during startup
config :hush,
  providers: [GcpSecretManager]

config :hush_gcp_secret_manager,
  project_id: "my_project_id",
  goth: [name: MyApp.Goth, source: ...],
  goth_timeout: 5_000 # milliseconds

GCP Authorization

In order to retrieve secrets from GCP, ensure the service account you use has the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor).
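
The role does not have to be granted project-wide: it can be bound on each secret the application reads. The following is an added example, not part of this project's README, using gcloud secrets add-iam-policy-binding. The function names, the GCLOUD override variable and the service account e-mail in the usage comment are assumptions of the example; the secret names are the ones used in this README.

```shell
# Added example, not from the project's README.
# Assumptions: the function names and the GCLOUD override are constructed here.
GCLOUD="${GCLOUD:-gcloud}"   # point at a stub to dry-run
ROLE="roles/secretmanager.secretAccessor"

# Reject anything that is not a valid Secret Manager secret ID
# (letters, digits, hyphens, underscores).
valid_secret_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# grant_secret_accessor PROJECT_ID SA_EMAIL SECRET [SECRET...]
# Binds the accessor role on each named secret, not on the project.
grant_secret_accessor() {
  if [ "$#" -lt 3 ]; then
    echo "usage: grant_secret_accessor PROJECT_ID SA_EMAIL SECRET [SECRET...]" >&2
    return 2
  fi
  gsa_project=$1; gsa_member="serviceAccount:$2"; shift 2
  # Validate every name before changing any policy.
  for gsa_secret in "$@"; do
    valid_secret_id "$gsa_secret" || { echo "invalid secret id: $gsa_secret" >&2; return 2; }
  done
  for gsa_secret in "$@"; do
    "$GCLOUD" secrets add-iam-policy-binding "$gsa_secret" \
      --project="$gsa_project" --member="$gsa_member" --role="$ROLE" || return 1
  done
}

# list_secret_accessors PROJECT_ID SECRET
# Prints every member that currently holds the accessor role on SECRET.
list_secret_accessors() {
  "$GCLOUD" secrets get-iam-policy "$2" --project="$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:$ROLE" \
    --format="value(bindings.members)"
}

# Usage (placeholder service account, secret names from this README):
#   grant_secret_accessor my_project_id \
#     app@my_project_id.iam.gserviceaccount.com CLOUDSQL_PASSWORD ECTO_POOL_SIZE
#   list_secret_accessors my_project_id CLOUDSQL_PASSWORD
```

Running list_secret_accessors after a deployment shows whether any identity other than the application's service account can read a given secret.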

Usage

The following example reads the password and the pool size for CloudSQL from Secret Manager into the Ecto repo configuration.

# config/prod.exs

alias Hush.Provider.GcpSecretManager

config :app, App.Repo,
  password: {:hush, GcpSecretManager, "CLOUDSQL_PASSWORD"},
  pool_size: {:hush, GcpSecretManager, "ECTO_POOL_SIZE", cast: :integer, default: 10}

License

Hush is released under the Apache License 2.0 - see the LICENSE file.