Access Secrets from Google Secret Manager using Apps Script

 To access secrets from Google Secret Manager using Google Apps Script, you will need to follow a series of steps involving setting up the Secret Manager, enabling the necessary API, and writing the appropriate Apps Script code.

1. Set Up Google Secret Manager

1. Create a Secret:
   • Go to the Google Cloud Console.
   • Navigate to the Secret Manager (you can find it under Security or use the search bar).
   • Click on "Create Secret."
   • Follow the prompts to name your secret and add the secret value.

2. Enable Google Secret Manager API

1. Enable the API:
   • In the Google Cloud Console, go to the API & Services Dashboard.
   • Click on "Enable APIs and Services."
   • Search for "Secret Manager API" and enable it.

3. Set Up Authentication

1. Create a Service Account:

   • In the Google Cloud Console, go to IAM & Admin > Service Accounts.
   • Click on "Create Service Account."
   • Follow the prompts to create a service account. Assign it the "Secret Manager Secret Accessor" role.

2. Create a JSON Key:

   • After creating the service account, go to the "Keys" section.
   • Click on "Add Key" and choose "Create New Key."
   • Select "JSON" and download the key file. Save it securely.

4. Write Google Apps Script Code

1. Upload the JSON Key to Google Drive:

   • Upload the JSON key file to your Google Drive.

2. Use the JSON Key in Apps Script:

   • Write the following Apps Script code to access the secret:

function getSecret() {
  var secretName = "projects/YOUR_PROJECT_ID/secrets/YOUR_SECRET_NAME/versions/latest";
  var keyFileId = "YOUR_JSON_KEY_FILE_ID"; // File ID of the JSON key in Google Drive
  
  var keyFile = DriveApp.getFileById(keyFileId).getBlob().getDataAsString();
  var key = JSON.parse(keyFile);

  var url = "https://secretmanager.googleapis.com/v1/" + secretName + ":access";
  
  var response = UrlFetchApp.fetch(url, {
    method: "GET",
    headers: {
      "Authorization": "Bearer " + getAccessToken(key)
    }
  });
  
  var secretPayload = JSON.parse(response.getContentText()).payload.data;
  var secret = Utilities.base64Decode(secretPayload);
  var secretString = new TextDecoder().decode(secret);
  
  Logger.log(secretString);
  return secretString;
}

function getAccessToken(key) {
  var jwtHeader = {
    "alg": "RS256",
    "typ": "JWT"
  };

  var jwtClaimSet = {
    "iss": key.client_email,
    "scope": "https://www.googleapis.com/auth/cloud-platform",
    "aud": "https://oauth2.googleapis.com/token",
    "exp": Math.floor(Date.now() / 1000) + 3600,
    "iat": Math.floor(Date.now() / 1000)
  };

  var signedJwt = createSignedJwt(jwtHeader, jwtClaimSet, key.private_key);
  
  var tokenResponse = UrlFetchApp.fetch("https://oauth2.googleapis.com/token", {
    method: "POST",
    payload: {
      "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
      "assertion": signedJwt
    }
  });
  
  var token = JSON.parse(tokenResponse.getContentText()).access_token;
  return token;
}

function createSignedJwt(header, claimSet, privateKey) {
  var base64Header = Utilities.base64EncodeWebSafe(JSON.stringify(header));
  var base64ClaimSet = Utilities.base64EncodeWebSafe(JSON.stringify(claimSet));
  var toSign = base64Header + "." + base64ClaimSet;

  var signature = Utilities.computeRsaSha256Signature(toSign, privateKey);
  var base64Signature = Utilities.base64EncodeWebSafe(signature);

  return toSign + "." + base64Signature;
}

 
5.Run the Script
Save and run the getSecret function in your Apps Script project.
This function retrieves the secret value from Google Secret Manager and logs it.
Important Notes
Ensure your Google Apps Script project has access to the necessary scopes, particularly the Drive API.
The service account should have the appropriate permissions to access the secret in Secret Manager.
Securely handle and store your JSON key file to avoid unauthorized access.
By following these steps, you can access secrets from Google Secret Manager using Google Apps Script securely and efficiently