This project provides an automated solution for creating and rotating GCS HMAC keys using Google Secret Manager while following least privilege principles.
For immediate testing with your GCP project `tflabs` and bucket `mevijays`:

```shell
# 1. Setup local environment
./setup_local.sh setup
# 2. Run HMAC key rotation test
./setup_local.sh test
```
See `LOCAL_DEVELOPMENT.md` for detailed local testing instructions.

The application is configured via environment variables in `.env`:

- `PROJECT_ID`: `tflabs`
- `BUCKET_NAME`: `mevijays`
- `SECRET_NAME`: `test`
- `SERVICE_ACCOUNT_EMAIL`: `hmac-rotator@tflabs.iam.gserviceaccount.com`
- GKE Cluster: Standard cluster with Workload Identity Federation enabled
- Service Account: Google Service Account without direct key management
- Workload Identity: Maps Kubernetes Service Account to Google Service Account
- Automation: Kubernetes CronJob that runs every 90 days
- Security: Follows least privilege policy with minimal IAM permissions
- `app.py` - Python application for HMAC key management
- `Dockerfile` - Container image definition
- `k8s/` - Kubernetes manifests
- `terraform/` - Infrastructure as Code (optional)
- `requirements.txt` - Python dependencies
- GKE cluster with Workload Identity enabled
- Google Service Account created (without keys)
- Google Secret Manager API enabled
- Cloud Storage API enabled
- Build and push the container image
- Apply Kubernetes manifests
- Configure IAM bindings for Workload Identity
The Google Service Account needs the following permissions:

- `storage.hmacKeys.create`
- `storage.hmacKeys.list`
- `storage.hmacKeys.update`
- `secretmanager.versions.add`
- `secretmanager.versions.list`
- `secretmanager.versions.disable`
The CronJob will automatically:
- Create new HMAC keys for the service account
- Store the new key in Google Secret Manager
- Disable old versions of the secret
- Clean up old HMAC keys
Check the job logs for execution status and any errors.
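The four rotation steps above, as an added example that is not the project's own `app.py`: the rotation logic runs against in-memory stand-ins for the Storage and Secret Manager clients (their method names, the grace period, and the sample service-account and secret names are assumptions made for this example), so it can be run offline. Two details a real implementation has to respect: GCS only deletes an HMAC key that is already `INACTIVE`, so cleanup is a two-step operation, and deleting keys needs `storage.hmacKeys.delete`, which is not in the permission list above; without it the cleanup step fails while the new key is already live.

```python
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def _now():
    return datetime.now(timezone.utc)


@dataclass
class HmacKey:
    """Minimal model of a GCS HMAC key resource (fields chosen for this example)."""
    access_id: str
    secret: str
    state: str = "ACTIVE"  # ACTIVE or INACTIVE, as GCS reports it
    created: datetime = field(default_factory=_now)


class FakeStorage:
    """In-memory stand-in for the HMAC-key calls of the Storage client (assumption:
    the real app would call google.cloud.storage.Client the same way)."""

    def __init__(self):
        self.keys = {}

    def create_hmac_key(self, service_account_email):
        key = HmacKey(access_id="GOOG1" + secrets.token_hex(12),
                      secret=secrets.token_urlsafe(30))
        self.keys[key.access_id] = key
        return key

    def list_hmac_keys(self, service_account_email):
        return list(self.keys.values())

    def set_inactive(self, access_id):
        self.keys[access_id].state = "INACTIVE"

    def delete_hmac_key(self, access_id):
        # GCS refuses to delete an ACTIVE key; the fake enforces the same rule.
        if self.keys[access_id].state != "INACTIVE":
            raise ValueError(f"{access_id} must be INACTIVE before deletion")
        del self.keys[access_id]

    def backdate(self, access_id, days):
        """Simulate the passage of time for the fake (test helper only)."""
        self.keys[access_id].created -= timedelta(days=days)


class FakeSecretManager:
    """In-memory stand-in for the version operations of Secret Manager."""

    def __init__(self):
        self.versions = []  # dicts with keys: name, data, enabled

    def add_secret_version(self, secret_name, payload):
        name = f"{secret_name}/versions/{len(self.versions) + 1}"
        self.versions.append({"name": name, "data": payload, "enabled": True})
        return name

    def list_secret_versions(self, secret_name):
        return [v for v in self.versions if v["name"].startswith(secret_name + "/")]

    def disable_secret_version(self, name):
        next(v for v in self.versions if v["name"] == name)["enabled"] = False

    def latest_enabled(self, secret_name):
        enabled = [v for v in self.list_secret_versions(secret_name) if v["enabled"]]
        return json.loads(enabled[-1]["data"]) if enabled else None


def rotate(storage, secret_manager, service_account_email, secret_name, grace_days=7):
    """One rotation run: create, store, disable old versions, clean up old keys."""
    summary = {"disabled_versions": [], "deactivated_keys": [], "deleted_keys": []}

    # 1. Create the new key. GCS returns the secret exactly once, so it is written
    #    to Secret Manager before anything else is touched.
    new_key = storage.create_hmac_key(service_account_email)
    payload = json.dumps({"access_id": new_key.access_id, "secret": new_key.secret}).encode()
    summary["new_access_id"] = new_key.access_id
    summary["secret_version"] = secret_manager.add_secret_version(secret_name, payload)

    # 2. Disable every other enabled version so "latest enabled" is the new key.
    for version in secret_manager.list_secret_versions(secret_name):
        if version["enabled"] and version["name"] != summary["secret_version"]:
            secret_manager.disable_secret_version(version["name"])
            summary["disabled_versions"].append(version["name"])

    # 3. Clean up old keys. The key just created is never touched; keys younger than
    #    the grace period stay ACTIVE so workloads still holding the previous secret
    #    version keep working until they refresh (the grace period is this example's choice).
    cutoff = _now() - timedelta(days=grace_days)
    for key in storage.list_hmac_keys(service_account_email):
        if key.access_id == new_key.access_id or key.created > cutoff:
            continue
        if key.state == "ACTIVE":
            storage.set_inactive(key.access_id)  # GCS requires INACTIVE before delete
            summary["deactivated_keys"].append(key.access_id)
        storage.delete_hmac_key(key.access_id)
        summary["deleted_keys"].append(key.access_id)
    return summary
```

Because the new secret version is added before any old version is disabled or any old key is deactivated, a crash mid-run leaves the workload with at least one usable credential; the ordering is the part worth keeping when wiring this to the real clients.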