How to protect your Google Cloud Platform (GCP) secrets

Google Cloud Platform (GCP) may be the smallest major cloud, but it’s one of the fastest growing thanks to its close association with Kubernetes and the company’s liberal habit of giving startups free usage credits.

GCP’s default configuration and policies offer substantial security for applications running on GCP infrastructure, but none of that matters if you don’t also protect the cloud access credentials and application secrets that would allow attackers to access the cloud and your apps with all the privileges of legitimate users.

1. GCP secrets vs. your secrets in GCP

The passwords, keys, and tokens used to access GCP allow you or anybody with those credentials to run VMs, add GCP Cloud Functions, clone databases, and add new GCP users, among other activities. This ability to modify infrastructure and permissions makes these credentials highly sensitive, and it explains why Google is so insistent about using two-factor authentication and other means to help secure them.

However, your application also likely has its own secrets. You might have user accounts inside your app, or there might be keys used to authenticate your app with outside services. Add to that, you likely have SSL certificates, SSH keys, and other details that aren’t part of GCP, but they are part of your app running on GCP.

2. Secrets related to your GCP account

There are many ways to authenticate yourself and API integrations with GCP. All of them should be considered sensitive.

GCP account authentication credentials/keys

Users can use this authentication method by signing in with their Google account. Once authenticated, the user has full access to all Google services, and a Google ID token can be used to call Google APIs and Cloud Endpoints APIs. This method also confirms that Google signed the JWT and that the issuer is listed on the API configuration.

Your Google account username password should never be shared with anybody, and users should take great care to watch out for phishing schemes scammers use to get you to reveal your Google credentials.

Two-factor authentication (2FA) tokens

Most security experts and Google all recommend the use of two-factor authentication (2FA) with Google services, including GCP. 2FA adds a layer of protection against credential theft, because 2FA tokens require access to a specific user device and are short-lived, but they’re not completely unhackable. Phishing and social engineering schemes to get people to reveal 2FA tokens are common, and Google accounts associated with GCP are high-value targets.

Service account keys

They are used by non-human users such as when an application needs to access Google Cloud resources without user intervention. Google’s Identity and Access Management (IAM) system is in charge, and service account keys are the credentials used in a service account. A service account, unlike a user account, does not include a user-facing login interface.

API keys

Google API keys are used to verify the authenticity of applications that use Google Cloud APIs. They are especially useful for anonymously accessing public data such as Google Maps, as well as associating API calls with the user’s project for quota and billing purposes. API keys are not regarded as strictly confidential because they are frequently embedded in client-side code or mobile applications that use Google Cloud APIs. They should, however, be secured and never treated as public information. An unrestricted Google API key exposed in public source code could be used by malicious actors to consume Google APIs on your behalf. This will have a financial impact because the malicious actor will be charged for the data consumed.

OAuth access tokens

When you use your Google account to sign in to a third-party app, it usually uses the OAuth process to validate the user’s Google credentials without ever sharing them with the third-party app. After successful authentication, Google shares a token with the third-party app that represents your identity and allows the app to interact with Google on your behalf. 

3. Services GCP offers to help manage secrets in your application

Sensitive information/credentials in the GCP are mainly used to authenticate users and applications prior to allowing them access to the platform’s services and information. The following are the major services that GCP uses to facilitate security and easy management of these credentials

GCP Secret Manager

Google Cloud Secret Manager is a safe and easy way to store API keys, passwords, certificates, and other sensitive information. Secret Manager does not specify any size limits for secrets that can be stored within it, but it is safe to assume that it can handle any type of typical key/value store secret.

Google Cloud Key Management System (KMS)

Users’ data is automatically encrypted at rest when they store it in Google Cloud. To gain better control over the encrypted data-at-rest and encryption keys, GCP uses Google’s Cloud Key Management service. Cloud KMS enables users to manage cryptographic keys in a centralized cloud service for use directly or in conjunction with other resources and applications.

Google Cloud IAM

Google offers an identity and access management (IAM) service with granular access control. IAM can be used to control which users or groups have access to cloud resources. Roles can be assigned, including primitive, predefined, and custom roles. Google IAM creates audit trails of permission authorizations and deletions automatically.

Firebase user database

Firebase, Google’s application back-end as a service (MBaaS) supports user management, allowing developers to offload the work of securely managing user passwords, OAuth keys to other services such as Facebook and Twitter, and other sensitive details.

Google Cloud Identity

Not strictly a part of GCP, but worth mentioning in the context of how to keep your good data secure: Google Cloud Identity provides the user with the ability to manage the security of their cloud applications and devices. The service is accessible via the Google Admin Console. Cloud Identity can also be used to enable multi-factor authentication and single sign-on authentication.

Google Access Transparency

Again, not strictly a part of GCP, but worth mentioning in the context of how to keep your good data secure: Google Access Transparency allows a user to view log data in near-real time, indicating why and when Google’s internal IT staff accessed their environment. When responding to support requests or attempting to recover from an outage, IT staff typically gains access to the environment.

1. Steps to keeping all your secrets safe in GCP
2. Use BluBracket’s free tools to scan your code to find any secrets, including your app secrets, GCP credentials, and others
3. Make sure you’re using two-factor authentication (2FA), and consider using a hardware cryptographic key like Google’s Titan Security Key
4. Use personal secret vaults to securely manage your GCP access credentials
5. Move any secrets in code to GCP KMS or GCP Secret Manager
6. Use BluBracket’s free, automated pull request review tool to help spot secrets in code before you merge them to production

*** This is a Security Bloggers Network syndicated blog from BluBracket: Code Security & Secret Detection authored by Casey Bisson. Read the original post at: https://blubracket.com/how-to-protect-your-google-cloud-platform-gcp-secrets/