
DEVOPSZONES


    Script: How to copy secrets from One GCP project to another?

     Question/ASK: 

    Create a script that copies secrets from Google Cloud Secret Manager in one project to another project. 

    Solution/Answer:

    To copy secrets from Google Cloud Secret Manager in one project to another, you can use the Secret Manager API through its Python client library. The following Python script does this: it reads source secret IDs from a file, derives each destination secret ID by replacing a substring of the source ID, and copies the payload of the latest secret version from the source project into a secret in the destination project.

    First, ensure the Google Cloud SDK is installed and authenticated (for example as a service account that has been granted access in both projects), so that the identity running the script can read secrets in the source project and create secrets and versions in the destination project.

    Here's a step-by-step guide and the script:

    1. Install the required libraries:

      sh
      pip install google-cloud-secret-manager
      2. Create the Python script and save it as copy_secrets.py:

        python
        from google.api_core.exceptions import AlreadyExists
        from google.cloud import secretmanager

        # Initialize the Secret Manager client (uses Application Default Credentials)
        client = secretmanager.SecretManagerServiceClient()

        # Define the source and destination projects
        source_project_id = 'your-source-project-id'
        destination_project_id = 'your-destination-project-id'

        # Define the substring to replace in each source secret ID to obtain the destination ID
        replace_pattern = 'source'
        replacement_pattern = 'destination'

        # Read the source secret IDs from a file, one per line, ignoring blank lines
        with open('source_secrets.txt', 'r') as file:
            source_secret_ids = [line.strip() for line in file if line.strip()]

        for source_secret_id in source_secret_ids:
            # Access the latest version of the source secret
            source_secret_name = f'projects/{source_project_id}/secrets/{source_secret_id}/versions/latest'
            response = client.access_secret_version(request={"name": source_secret_name})
            # Keep the payload as raw bytes: a secret is not guaranteed to be valid UTF-8 text
            secret_data = response.payload.data

            # Derive the destination secret ID by replacing the pattern
            destination_secret_id = source_secret_id.replace(replace_pattern, replacement_pattern)
            destination_secret_name = f'projects/{destination_project_id}/secrets/{destination_secret_id}'

            # Create the secret in the destination project; if it already exists, reuse it
            try:
                client.create_secret(
                    request={
                        "parent": f"projects/{destination_project_id}",
                        "secret_id": destination_secret_id,
                        "secret": {"replication": {"automatic": {}}},
                    }
                )
                print(f'Secret {destination_secret_id} created in project {destination_project_id}.')
            except AlreadyExists:
                print(f'Secret {destination_secret_id} already exists in project {destination_project_id}; adding a new version.')

            # Add the secret data as a new version of the destination secret
            client.add_secret_version(
                request={
                    "parent": destination_secret_name,
                    "payload": {"data": secret_data},
                }
            )
            print(f'Secret {destination_secret_id} copied to project {destination_project_id}.')
      3. Prepare the source secrets file:

        • Create a file named source_secrets.txt and list the source secret IDs, one per line.
      4. Run the script:

        sh
        python copy_secrets.py

      Notes:

      • Replace your-source-project-id and your-destination-project-id with your actual Google Cloud project IDs.
      • The identity running the script needs permission to read secret versions in the source project (roles/secretmanager.secretAccessor on the project or on each secret) and to create secrets and add versions in the destination project (roles/secretmanager.admin, or a custom role with secretmanager.secrets.create and secretmanager.versions.add).
      • Only the latest enabled version of each secret is copied. Older versions, labels, rotation settings and the source replication policy are not; the destination secret is created with automatic replication, so adjust the replication block if the source uses user-managed locations.
      • Every run adds a new version to a destination secret that already exists, even when the value has not changed, so repeated runs accumulate versions.
      • Only create_secret is tolerated failing with AlreadyExists; any other error (for example a permission denied on the source) stops the script so that a partial copy is noticed rather than silently skipped.
      • Secret values pass through the memory of the machine running the script; run it from a trusted workstation or Cloud Shell and do not add print statements for the payload.
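      The blog's script adds a new version on every run and lets any error other than an existing secret abort the loop. As an added example (not the blog's script and not Google's code), the following factors the copy into functions that can be exercised without a GCP project: payloads stay as raw bytes, the derived destination ID is checked against Secret Manager's secret ID rules (letters, digits, hyphen, underscore, up to 255 characters), a source secret with no accessible version is reported rather than fatal, and an existing destination secret only receives a new version when its latest payload differs, so re-runs are idempotent. The project IDs acme-source and acme-destination, the secret IDs and the FakeSecretManager class are constructed for the demo; the copy functions call only access_secret_version, create_secret and add_secret_version with the same request dictionaries as the post, so a real secretmanager.SecretManagerServiceClient() can be passed in their place.

```python
import re
from types import SimpleNamespace

try:
    from google.api_core.exceptions import AlreadyExists, NotFound
except ImportError:  # fallbacks so the in-memory demo runs without the SDK installed
    class AlreadyExists(Exception): pass
    class NotFound(Exception): pass

# Secret Manager secret IDs: letters, digits, hyphen and underscore, at most 255 characters
SECRET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")

def read_secret_ids(text):
    # One ID per line, as in source_secrets.txt; blank lines and '#' comments are ignored
    return [s for s in (l.split("#", 1)[0].strip() for l in text.splitlines()) if s]

def destination_id(source_id, replace_pattern, replacement):
    # Derive the destination ID the way the post does, but reject IDs the API would refuse
    dest = source_id.replace(replace_pattern, replacement)
    if not SECRET_ID_RE.match(dest):
        raise ValueError(f"invalid destination secret id {dest!r}")
    return dest

def latest_payload(client, project, secret_id):
    # Latest version as raw bytes, or None when the secret has no accessible version
    name = f"projects/{project}/secrets/{secret_id}/versions/latest"
    try:
        return client.access_secret_version(request={"name": name}).payload.data
    except NotFound:
        return None

def copy_secret(client, src_project, src_id, dst_project, dst_id):
    """Copy the latest source version; returns 'created', 'updated' or 'unchanged'."""
    data = latest_payload(client, src_project, src_id)
    if data is None:
        raise NotFound(f"projects/{src_project}/secrets/{src_id} has no accessible version")
    status = "updated"
    try:
        client.create_secret(request={
            "parent": f"projects/{dst_project}",
            "secret_id": dst_id,
            "secret": {"replication": {"automatic": {}}},
        })
        status = "created"
    except AlreadyExists:
        # Idempotent re-runs: do not stack identical versions on an existing destination secret
        if latest_payload(client, dst_project, dst_id) == data:
            return "unchanged"
    client.add_secret_version(request={
        "parent": f"projects/{dst_project}/secrets/{dst_id}",
        "payload": {"data": data},  # raw bytes, never decoded or re-encoded
    })
    return status

def copy_all(client, src_project, dst_project, source_ids, replace="source", replacement="destination"):
    # Copy every listed secret; a source secret without a version is reported as 'skipped'
    results = {}
    for sid in source_ids:
        did = destination_id(sid, replace, replacement)
        try:
            results[did] = copy_secret(client, src_project, sid, dst_project, did)
        except NotFound:
            results[did] = "skipped"
    return results

class FakeSecretManager:
    # Constructed in-memory stand-in exposing the three client methods the copy uses
    def __init__(self):
        self.secrets = {}  # "projects/<p>/secrets/<id>" -> list of version payloads (bytes)

    def create_secret(self, request):
        name = f"{request['parent']}/secrets/{request['secret_id']}"
        if name in self.secrets:
            raise AlreadyExists(name)
        self.secrets[name] = []

    def add_secret_version(self, request):
        self.secrets[request["parent"]].append(request["payload"]["data"])

    def access_secret_version(self, request):
        name, _, version = request["name"].rpartition("/versions/")
        versions = self.secrets.get(name)
        if not versions:
            raise NotFound(request["name"])
        idx = -1 if version == "latest" else int(version) - 1  # versions are numbered from 1
        return SimpleNamespace(payload=SimpleNamespace(data=versions[idx]))

def demo():
    """Three runs against constructed projects: first copy, no-op re-run, copy after rotation."""
    client = FakeSecretManager()
    src, dst = "acme-source", "acme-destination"  # constructed project IDs
    src_secret = f"projects/{src}/secrets/source-db-password"
    client.create_secret(request={"parent": f"projects/{src}", "secret_id": "source-db-password",
                                  "secret": {"replication": {"automatic": {}}}})
    client.add_secret_version(request={"parent": src_secret, "payload": {"data": b"p@ss\x00\xff"}})
    ids = read_secret_ids("source-db-password\n\n# not populated yet\nsource-api-key\n")
    runs = [copy_all(client, src, dst, ids), copy_all(client, src, dst, ids)]
    client.add_secret_version(request={"parent": src_secret, "payload": {"data": b"rotated"}})
    runs.append(copy_all(client, src, dst, ids))
    return runs, client

if __name__ == "__main__":
    print(demo()[0])
```

      Calling demo() returns one result dictionary per run: the first creates destination-db-password and skips the unpopulated source-api-key, the second reports destination-db-password as unchanged and adds nothing, and the third, after the source was rotated, adds exactly one new version. The non-UTF-8 payload reaches the destination byte for byte, which is the behaviour to check before trusting any copy script with keys or certificates rather than passwords.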
