Script: How to copy secrets from One GCP project to another?

 Question/ASK: 

Create a script that copies secrets from Google Cloud Secret Manager in one project to another project. 

Solution/Answer:

To create a script that copies secrets from Google Cloud Secret Manager in one project to another project, you'll need to use the Google Cloud SDK and its Secret Manager API. The following Python script does this. It reads source secret IDs from a file, creates new destination secret IDs by replacing a value in the source secret ID, and then copies the secret data from the source project to the destination project.

First, ensure you have the Google Cloud SDK installed and authenticated(Should have Service Account with access to both Projects), and you have the necessary permissions for both projects.

Here's a step-by-step guide and the script:

1. Install the required libraries:

   sh
   pip install google-cloud-secret-manager
   Create the Python script:
   python
   import os
   from google.cloud import secretmanager
   
   # Initialize the Secret Manager client
   client = secretmanager.SecretManagerServiceClient()
   
   # Define the source and destination projects
   source_project_id = 'your-source-project-id'
   destination_project_id = 'your-destination-project-id'
   
   # Define the pattern to replace in the source secret ID
   replace_pattern = 'source'
   replacement_pattern = 'destination'
   
   # Read the source secret IDs from a file
   with open('source_secrets.txt', 'r') as file:
       source_secret_ids = [line.strip() for line in file]
   
   for source_secret_id in source_secret_ids:
       # Construct the source secret name
       source_secret_name = f'projects/{source_project_id}/secrets/{source_secret_id}/versions/latest'
       
       # Access the secret version
       response = client.access_secret_version(request={"name": source_secret_name})
       secret_data = response.payload.data.decode('UTF-8')
   
       # Create the destination secret ID by replacing the pattern
       destination_secret_id = source_secret_id.replace(replace_pattern, replacement_pattern)
   
       # Construct the destination secret name
       destination_secret_name = f'projects/{destination_project_id}/secrets/{destination_secret_id}'
   
       # Create the new secret in the destination project
       try:
           client.create_secret(
               request={
                   "parent": f"projects/{destination_project_id}",
                   "secret_id": destination_secret_id,
                   "secret": {"replication": {"automatic": {}}},
               }
           )
           print(f'Secret {destination_secret_id} created in project {destination_project_id}.')
       except Exception as e:
           print(f'Secret {destination_secret_id} already exists or another error occurred: {e}')
   
       # Add the secret data to the new secret
       client.add_secret_version(
           request={
               "parent": destination_secret_name,
               "payload": {"data": secret_data.encode('UTF-8')},
           }
       )
       print(f'Secret {destination_secret_id} copied to project {destination_project_id}.')
   Prepare the source secrets file:
   Create a file named source_secrets.txt and list the secret IDs, one per line.
   Run the script:
   sh
   python copy_secrets.py
   Notes:
   Replace your-source-project-id and your-destination-project-id with your actual Google Cloud project IDs.
   Ensure the source and destination projects have appropriate IAM permissions for accessing and managing secrets.