GCP Secret Manager

Prerequisites

  • A GCP project with Secret Manager API enabled
  • Application Default Credentials configured on the ev API server
  • A service account with the Secret Manager Admin role (or equivalent)

Step 1: Enable the API

gcloud services enable secretmanager.googleapis.com

Step 2: Set Up Credentials

The ev API server needs GCP credentials. Options:

Application Default Credentials (local dev):

gcloud auth application-default login

Service Account (production):

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"

Workload Identity (GKE): Attach the service account to your Kubernetes pod.

Step 3: Connect

ev backend set gcp-secret-manager --project my-gcp-project --prefix myapp

Step 4: Import Existing Secrets

ev import gcp-secret-manager --project my-gcp-project --prefix myapp --env prod

How Secrets Are Stored

Each secret is stored as a separate GCP secret with the naming convention:

{prefix}-{env-name}-{KEY}

For example, with prefix myapp and environment prod:

myapp-prod-DB_HOST
myapp-prod-DB_PORT
myapp-prod-SECRET_KEY

Each secret has versions managed by GCP. ev always writes a new version and reads the latest.
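The naming convention and the "read the latest version" rule above, worked through as an added example (not ev's own code): it builds the GCP resource names ev would use and selects the secrets an import for one prefix and env must pick up. It assumes keys are env-var style names (uppercase letters, digits, underscores), which the page does not state.

```python
import re
from typing import Optional

# GCP secret IDs may contain letters, digits, hyphens and underscores (max 255 chars).
_SECRET_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")
# Assumption (not stated on the page): keys are env-var style names, so they never contain '-'.
_KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*")


def secret_id(prefix: str, env: str, key: str) -> str:
    """Build the {prefix}-{env-name}-{KEY} ID and check it is a legal GCP secret ID."""
    if not _KEY_RE.fullmatch(key):
        raise ValueError(f"key {key!r} is not an env-var style name")
    sid = f"{prefix}-{env}-{key}"
    if not _SECRET_ID_RE.fullmatch(sid):
        raise ValueError(f"{sid!r} is not a valid GCP secret ID")
    return sid


def latest_version_path(project: str, prefix: str, env: str, key: str) -> str:
    """Resource name a read resolves to: the 'latest' version alias of the secret."""
    return f"projects/{project}/secrets/{secret_id(prefix, env, key)}/versions/latest"


def parse_secret_id(sid: str, prefix: str, env: str) -> Optional[str]:
    """Return KEY if sid belongs to this prefix and env, otherwise None."""
    head = f"{prefix}-{env}-"
    if not sid.startswith(head):
        return None
    key = sid[len(head):]
    # Rejecting keys containing '-' keeps 'myapp-prod-eu-DB_HOST' (env 'prod-eu') out of env 'prod'.
    return key if _KEY_RE.fullmatch(key) else None


def import_env(secret_ids, prefix: str, env: str) -> dict:
    """Map KEY -> secret ID for every listed secret that belongs to prefix/env."""
    found = {}
    for sid in secret_ids:
        key = parse_secret_id(sid, prefix, env)
        if key is not None:
            found[key] = sid
    return found


# Constructed sample: secret IDs as a listing of the whole project might return them.
SAMPLE_IDS = [
    "myapp-prod-DB_HOST",
    "myapp-prod-DB_PORT",
    "myapp-prod-SECRET_KEY",
    "myapp-staging-DB_HOST",  # different env
    "myapp-prod-eu-DB_HOST",  # env 'prod-eu', not 'prod'
    "other-prod-DB_HOST",     # different prefix
]

if __name__ == "__main__":
    print(import_env(SAMPLE_IDS, "myapp", "prod"))
```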

Limitations

  • No rollback: ev keeps no copy of values for external backends, so a previous value cannot be restored through ev
  • No E2E encryption: ev does not encrypt values before writing them, so they are stored in GCP as ev sends them
  • GCP credentials required: the API server needs Application Default Credentials or a service account key
