This project implements a token-based authentication service that integrates with Google Cloud Platform (GCP) Secret Manager to provide secure access to sensitive secrets. The service enforces a one-time-use workflow for tokens and enriches authentication with metadata.

The main use case for now is fetching secrets from GCP Secret Manager during a cloud-init run. The `secret-operator-client` tool generates a one-time-use token, and the cloud-init process presents that token to the service to fetch the secrets from GCP Secret Manager. A token is valid for 15 minutes and is removed after its first use.
- Token-based Authentication: Secure access using time-bound, metadata-enriched tokens.
- One-Time Use Tokens: Each token is valid for only one API call and is removed after use.
- Metadata Encoding: Tokens include metadata such as:
  - `serviceName`: The service requesting access.
  - `clientIP`: The IP address of the token generator.
  - `nonce`: A timestamp for uniqueness.
  - `randomValue`: Cryptographically secure random data for unpredictability.
- Secret Filtering by Labels: GCP secrets are filtered based on predefined labels associated with the `serviceName`.
- Command-Line Token Generator: Generate tokens locally with metadata and security enhancements.
The service provides a command-line interface (CLI) to generate tokens. Each token includes:

- Metadata such as `serviceName` and `clientIP`.
- A high-resolution timestamp (`nonce`) for uniqueness.
- A cryptographically secure random value to prevent token prediction.

```
./secret-operator-client --serviceName=my-service
```

The generated token is printed to stdout:

```
Generated Token: eyJzZXJ2aWNlTmFtZSI6Im15LXNlcnZpY2UiLCJjbGllbnRJUC...<rest_of_token>
```
Clients use the generated token to authenticate with the API. The workflow is as follows:

- Client:
  - Generates a token with the `secret-operator-client` CLI.
  - Sends a request to the service with the token in the `Authorization` header.
- Service:
  - Decodes and validates the token.
  - Extracts the `serviceName` and retrieves the secrets associated with that service from GCP Secret Manager.
  - Returns the requested secrets in the response.
  - Invalidates the token to ensure one-time usage.

Example request:

```
POST /retrieve-secrets
Authorization: eyJzZXJ2aWNlTmFtZSI6ImR1b.....JBIn0
```

Each token encodes the following metadata as Base64-encoded JSON:
| Field | Description |
|---|---|
| `serviceName` | The name of the service requesting secrets. |
| `clientIP` | The IP address of the machine that generated the token. |
| `nonce` | A high-resolution timestamp (nanoseconds). |
| `randomValue` | A cryptographically secure random string for additional entropy. |
```json
{
  "serviceName": "my-service",
  "clientIP": "192.168.1.1",
  "nonce": 1702495430335210000,
  "randomValue": "3eLmP6K0z9eFYQkZtXvNnA"
}
```

- One-Time Use Tokens: Tokens are removed after their first use to prevent reuse.
- Token Expiry: Tokens expire 15 minutes after they are generated.
- Metadata Enrichment: Includes client information and service-specific data.
- Unpredictable Tokens: The inclusion of a `nonce` and a random value ensures each token is unique.
- Scoped Secrets: Secrets are filtered based on labels matching the `serviceName` in the token.
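The two halves of the flow described above, token generation on the client and decode/expiry/one-time-use checks on the service, as an added example in Go. This is not the project's own code. It assumes the token is standard base64 of the JSON shown, that `randomValue` is 16 bytes from `crypto/rand` in base64url, that the 15-minute window is measured from the `nonce`, and it keeps the set of spent tokens in memory; the GCP Secret Manager call and the label filter are left out.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenMetadata mirrors the JSON fields documented above.
type TokenMetadata struct {
	ServiceName string `json:"serviceName"`
	ClientIP    string `json:"clientIP"`
	Nonce       int64  `json:"nonce"`       // generation time, Unix nanoseconds
	RandomValue string `json:"randomValue"` // base64url of 16 random bytes (size assumed)
}

const TokenTTL = 15 * time.Minute

var (
	ErrMalformed = errors.New("token: malformed")
	ErrExpired   = errors.New("token: expired")
	ErrReplayed  = errors.New("token: already used")
)

// GenerateToken is the client side: fill the metadata and return base64(JSON).
// Standard base64 for the token and 16 random bytes are assumptions.
func GenerateToken(serviceName, clientIP string, now time.Time) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil { // crypto/rand, never math/rand
		return "", err
	}
	raw, err := json.Marshal(TokenMetadata{
		ServiceName: serviceName,
		ClientIP:    clientIP,
		Nonce:       now.UnixNano(),
		RandomValue: base64.RawURLEncoding.EncodeToString(buf),
	})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// Validator is the service side. Spent tokens live in an in-memory set, which
// only works for a single instance; replicas would need a shared store (assumption).
type Validator struct {
	used sync.Map // token string -> struct{}
	TTL  time.Duration
}

// Validate decodes the token, enforces the TTL window and marks the token as
// spent, so a second call with the same token fails with ErrReplayed.
func (v *Validator) Validate(token string, now time.Time) (TokenMetadata, error) {
	var meta TokenMetadata
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return meta, ErrMalformed
	}
	if err := json.Unmarshal(raw, &meta); err != nil || meta.ServiceName == "" || meta.RandomValue == "" {
		return meta, ErrMalformed
	}
	issued := time.Unix(0, meta.Nonce)
	// Reject stale tokens and, beyond a minute of clock skew, tokens dated in the
	// future: a future nonce would otherwise stretch the 15-minute window.
	if now.Sub(issued) > v.TTL || issued.After(now.Add(time.Minute)) {
		return meta, ErrExpired
	}
	// LoadOrStore is atomic, so two concurrent requests cannot both succeed.
	if _, spent := v.used.LoadOrStore(token, struct{}{}); spent {
		return meta, ErrReplayed
	}
	return meta, nil
}

func main() {
	now := time.Now()
	tok, err := GenerateToken("my-service", "192.168.1.1", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("Generated Token:", tok)

	v := &Validator{TTL: TokenTTL}
	meta, err := v.Validate(tok, now.Add(time.Second))
	fmt.Println("first use:", meta.ServiceName, err) // my-service <nil>
	_, err = v.Validate(tok, now.Add(2*time.Second))
	fmt.Println("second use:", err) // token: already used
	_, err = (&Validator{TTL: TokenTTL}).Validate(tok, now.Add(16*time.Minute))
	fmt.Println("late use:", err) // token: expired
}
```

The example enforces only the checks the README describes: well-formed metadata, a `nonce` inside the window, and no prior use. Because the expiry check runs first, entries in the spent-token set can be pruned once they are older than the TTL without weakening the one-time guarantee.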
The token-generator tool is a simple CLI utility for creating tokens. The generated tokens can be used directly with the authentication API.

```
secret-operator-client --serviceName=<SERVICE_NAME>
```

Example:

```
secret-operator-client --serviceName=my-service
Generated Token: eyJzZXJ2aWNlTmFtZSI6Im15LXNlcnZpY2UiLCJjbGllbnRJUC...<rest_of_token>
```
- Rate Limiting: Limit the number of tokens generated or used per client.
- Enhanced Logging: Add logs for token validation and secret access requests.
- Code Refactoring: Reduce code duplication between the client and server packages by moving shared code into a shared package. Also add unit tests and aim for 90 % test coverage.
Contributions are welcome! Please feel free to submit a pull request or open an issue for feature requests or bug reports.