Agent skill
gcloud-secrets
Manage Google Cloud Secret Manager for storing and fetching environment secrets. Use when working with deployment, secrets, or gcloud commands.
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/gcloud-secrets
SKILL.md
Google Cloud Secret Manager
Project Configuration
- Project ID: myimageupscaler-auth
- Account: jfurtado141@gmail.com
- Secrets:
  - myimageupscaler-api-prod → .env.api.prod
  - myimageupscaler-client-prod → .env.client.prod
Setup Commands
```bash
# Set correct account and project
gcloud config set account jfurtado141@gmail.com
gcloud config set project myimageupscaler-auth

# Verify access
gcloud secrets list
```
Common Issues
"Failed to fetch secret" Error
- Check current project: gcloud config get-value project
- Check current account: gcloud config get-value account
- Switch to correct account/project (see above)
Wrong Project
The CLI might default to definya-447700. Always ensure you're on myimageupscaler-auth.
Service Account vs Personal Account
- Service account cloudstartlabs-service-acc@coldstartlabs-auth.iam.gserviceaccount.com does NOT have access to myimageupscaler-auth
- Use personal account jfurtado141@gmail.com for secret access
- Or use the service account key at ./cloud/keys/myimageupscaler-auth-6348371fe8c6.json:

```bash
gcloud auth activate-service-account --key-file=./cloud/keys/myimageupscaler-auth-6348371fe8c6.json
```
Deploy Flow
The deploy script (scripts/deploy/deploy.sh) fetches secrets in step 0:
- Fetches myimageupscaler-api-prod → .env.api.prod
- Fetches myimageupscaler-client-prod → .env.client.prod
- Cleans up these files after deploy (success or failure)
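The step-0 flow described above, as an added sketch (it is not the project's scripts/deploy/deploy.sh, which this page does not show): it checks the active project before fetching, writes each secret through a mode-0600 temp file, and removes the env files on exit. The function names, the file name fetch-secrets.sh and the `deploy` argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example; not the project's scripts/deploy/deploy.sh.
EXPECTED_PROJECT="myimageupscaler-auth"   # project ID from the page

# Stop early if the CLI is pointed at another project (e.g. definya-447700).
check_project() {
  local current
  current="$(gcloud config get-value project 2>/dev/null)"
  if [ "$current" != "$EXPECTED_PROJECT" ]; then
    echo "wrong project: '$current' (expected $EXPECTED_PROJECT)" >&2
    return 1
  fi
}

# Write the latest version of secret $1 to file $2.
# mktemp creates the file with mode 0600, and mv keeps that mode, so the
# env file is never group- or world-readable and never half-written.
fetch_secret() {
  local secret="$1" dest="$2" tmp
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1
  if gcloud secrets versions access latest --secret="$secret" \
      --project="$EXPECTED_PROJECT" > "$tmp"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    echo "Failed to fetch secret $secret" >&2
    return 1
  fi
}

cleanup_env_files() { rm -f .env.api.prod .env.client.prod; }

# Step 0: both secrets or nothing; a partial fetch is removed.
fetch_deploy_secrets() {
  check_project || return 1
  fetch_secret myimageupscaler-api-prod .env.api.prod &&
    fetch_secret myimageupscaler-client-prod .env.client.prod ||
    { cleanup_env_files; return 1; }
}

# Hypothetical entry point: bash fetch-secrets.sh deploy
if [ "${1:-}" = "deploy" ]; then
  trap cleanup_env_files EXIT   # runs on success and on failure
  fetch_deploy_secrets || exit 1
  # ... deploy steps that read the .env files go here ...
fi
```

Passing `--project` on each fetch means the secret is read from myimageupscaler-auth even if the CLI default changes between the check and the fetch.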
Updating Secrets
```bash
# Update API secrets
gcloud secrets versions add myimageupscaler-api-prod --data-file=.env.api

# Update client secrets
gcloud secrets versions add myimageupscaler-client-prod --data-file=.env.client
```
Important: Always destroy older versions after adding a new one to avoid secret sprawl and reduce security risk:
```bash
# List versions to find the old one
gcloud secrets versions list myimageupscaler-api-prod

# Destroy the previous version (replace N with version number)
gcloud secrets versions destroy N --secret=myimageupscaler-api-prod --quiet
```
Service Account Key Location
Local keys available at:
- ./cloud/keys/coldstart-labs-service-account-key.json (Note: Does not have access to myimageupscaler-auth project)
- ./cloud/keys/myimageupscaler-auth-6348371fe8c6.json (myimageupscaler-auth project)
Important: The cloud/keys/ directory is gitignored. Never commit service account keys.