
ADK with Secret Manager for Secure Credentials

Author: Venkata Sudhakar

Hardcoding API keys and passwords in agent code or environment variables is a security risk. Google Cloud Secret Manager provides a centralised, audited, version-controlled store for secrets that ADK agents can access at runtime. Combined with Workload Identity and IAM, agents get exactly the credentials they need - nothing more - without any secrets touching the codebase or CI/CD logs.

ShopMax India agents need to call several third-party APIs: a payment gateway, an SMS provider, a logistics tracking API, and a fraud detection service. Before Secret Manager, API keys were stored in Cloud Run environment variables - visible to anyone with Cloud Run access. After migrating to Secret Manager, each agent service account can access only its own secrets, and every access is logged in Cloud Audit Logs for compliance.

The example below shows how to load secrets from Secret Manager and inject them into an ADK agent tool at runtime.


It gives the following output,

Secrets loaded from Secret Manager
SMS key length: 32 chars (not logged)
Logistics key length: 48 chars (not logged)
Agent ready with secure tool credentials

The example below shows how to rotate a secret version and update the agent without redeployment.


It gives the following output,

Secret sms-provider-api-key rotated to version 4
Previous version disabled
Now active: version 4
Secret metadata: {"name": "sms-provider-api-key", "created": "2024-01-15",
                   "labels": {"env": "production", "owner": "platform-team"}}

Secret rotation without redeployment is the most operationally important feature of this pattern. ShopMax India rotates all third-party API keys quarterly. With Secret Manager, the rotation is a single API call that takes effect the next time the agent loads its secrets - no need to update environment variables, redeploy Cloud Run services, or touch any code. Cloud Audit Logs automatically records every secret access, giving the security team a complete trail of which service accessed which credential and when.
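As an added illustration of both patterns described above (loading a secret into a tool at runtime, and having a rotation take effect on the next load), here is a small loader and tool factory; it is example code written for this page, not the article's own listing. It assumes a placeholder project id `demo`, a constructed in-memory stand-in for Secret Manager so it runs offline, and that the ADK tool is a plain Python function with a docstring; the real accessor `gcp_accessor` uses `google-cloud-secret-manager` and Application Default Credentials.

```python
import time
from typing import Callable, Dict, Tuple

def gcp_accessor(name: str) -> bytes:
    """Real accessor (needs google-cloud-secret-manager and ADC); the offline demo does not call it."""
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    return client.access_secret_version(request={"name": name}).payload.data

class SecretStore:
    """Fetches secret versions by resource name and caches each for ttl seconds."""
    def __init__(self, project: str, accessor: Callable[[str], bytes], ttl: float = 300.0):
        self._project, self._accessor, self._ttl = project, accessor, ttl
        self._cache: Dict[str, Tuple[float, str]] = {}

    def get(self, secret_id: str, version: str = "latest") -> str:
        name = f"projects/{self._project}/secrets/{secret_id}/versions/{version}"
        hit = self._cache.get(name)
        if hit and time.monotonic() - hit[0] < self._ttl:
            return hit[1]
        value = self._accessor(name).decode("utf-8")
        self._cache[name] = (time.monotonic(), value)
        return value

    def invalidate(self) -> None:
        """Drop the cache so the next get() reads the newest (rotated) version."""
        self._cache.clear()

def make_sms_tool(store: SecretStore) -> Callable[[str, str], dict]:
    def send_sms(phone: str, message: str) -> dict:
        """Send an SMS to a customer."""  # the docstring is what ADK shows the model
        api_key = store.get("sms-provider-api-key")  # read at call time, never logged
        # A real tool would call the provider here with api_key; only metadata is returned.
        return {"to": phone, "chars": len(message), "key_len": len(api_key)}
    return send_sms

# Constructed in-memory stand-in for Secret Manager so the demo runs offline.
_LATEST = "projects/demo/secrets/sms-provider-api-key/versions/latest"
_FAKE = {_LATEST: b"k" * 32}

def demo() -> Tuple[int, int, int]:
    """Key lengths the tool sees: before rotation, stale from cache, after refresh."""
    store = SecretStore("demo", lambda name: _FAKE[name])
    tool = make_sms_tool(store)
    before = tool("+91-0000000000", "Your order has shipped")["key_len"]
    _FAKE[_LATEST] = b"r" * 48          # rotation: a new version becomes "latest"
    stale = tool("+91-0000000000", "Your order has shipped")["key_len"]
    store.invalidate()                  # or wait for the TTL to expire
    after = tool("+91-0000000000", "Your order has shipped")["key_len"]
    return before, stale, after
```

The `send_sms` closure is what you would pass in the agent's tool list; the cache TTL is the upper bound on how long a rotated key remains unused by a running service.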
