Secret

Naming convention

Each secret is named using the following convention: PREFIX-CUSTOMER_ID. The prefix designates the purpose the secret is used for, e.g. client-tokens-100200300.

Secret versions

Each secret has one or more secret versions. Only one secret version is used for encryption at any given time; however, up to two secret versions can be used for decryption at any given time. This happens when a secret is rotated: the new secret version is used for encryption and decryption, and the previous secret version for decryption only. Gradually, all data will be encrypted with the new secret version, and after 90 days the old secret version will be disabled. This process repeats with every secret rotation (every 90 days).

Secret aliases

A secret alias points to a particular secret version, and to only one secret version at any time. There are two secret aliases in use:

  • latest - the built-in secret alias in Google Secret Manager, which always points to the latest secret version.

  • active - our custom alias, used to tag the secret version currently in use for encryption. By resolving this alias we always use the correct secret version for encryption without having to know the exact version number.
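The naming, versioning and alias rules above, walked through one full rotation cycle as an added example (not code from this page or from Google Secret Manager). The in-memory Secret/Version classes, the new_secret/rotate/disable_expired functions and the constructed timeline are hypothetical stand-ins for the real service; the HMAC-SHA256 keystream only exists to make the per-blob version tag visible and is not a substitute for a real AEAD.

```python
# Added example, not the page's code: an in-memory stand-in for the secret
# version/alias scheme. Real code uses Google Secret Manager through the
# google-cloud-secret-manager client; the XOR keystream is a stand-in for an AEAD.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)  # the page's rotation and disable interval
# PREFIX-CUSTOMER_ID; a lowercase/hyphen prefix and numeric id are assumed here
NAME_RE = re.compile(r"^[a-z][a-z0-9-]*-\d+$")

@dataclass
class Version:
    number: int
    key: bytes
    created: datetime
    enabled: bool = True

@dataclass
class Secret:
    name: str
    versions: list = field(default_factory=list)
    aliases: dict = field(default_factory=dict)  # alias name -> version number

    def add_version(self, now: datetime) -> Version:
        v = Version(len(self.versions) + 1, os.urandom(32), now)
        self.versions.append(v)
        self.aliases["latest"] = v.number  # built-in alias: always the newest version
        return v

    def resolve(self, alias: str) -> Version:
        return self.versions[self.aliases[alias] - 1]

def new_secret(name: str, now: datetime) -> Secret:
    if not NAME_RE.match(name):  # enforce the naming convention before creating
        raise ValueError(f"{name!r} does not follow PREFIX-CUSTOMER_ID")
    s = Secret(name)
    s.aliases["active"] = s.add_version(now).number  # custom alias used for encryption
    return s

def rotate(secret: Secret, now: datetime) -> Version:
    """The new version becomes `active`; the previous one stays enabled for decryption."""
    v = secret.add_version(now)
    secret.aliases["active"] = v.number
    return v

def disable_expired(secret: Secret, now: datetime) -> list:
    """Disable versions superseded at least ROTATION_PERIOD ago; return their numbers."""
    disabled = []
    for v, successor in zip(secret.versions, secret.versions[1:]):
        if v.enabled and now - successor.created >= ROTATION_PERIOD:
            v.enabled = False
            disabled.append(v.number)
    return disabled

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""  # HMAC-SHA256 counter keystream: a stand-in, not a production cipher
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(secret: Secret, plaintext: bytes) -> bytes:
    """Encrypt under `active`; the version number travels with the blob so
    decryption can find the right key without consulting any alias."""
    v = secret.resolve("active")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(v.key, nonce, len(plaintext))))
    return v.number.to_bytes(4, "big") + nonce + ct

def decrypt(secret: Secret, blob: bytes) -> bytes:
    number, nonce, ct = int.from_bytes(blob[:4], "big"), blob[4:20], blob[20:]
    v = secret.versions[number - 1]
    if not v.enabled:
        raise PermissionError(f"version {number} is disabled; data was not re-encrypted in time")
    return bytes(a ^ b for a, b in zip(ct, _keystream(v.key, nonce, len(ct))))

def demo() -> dict:
    """Walk one 90-day rotation cycle and report what each step observed."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    s = new_secret("client-tokens-100200300", t0)
    old_blob = encrypt(s, b"token-A")
    rotate(s, t0 + timedelta(days=90))
    readable_after_rotate = decrypt(s, old_blob) == b"token-A"
    new_blob = encrypt(s, decrypt(s, old_blob))  # the gradual re-encryption step
    day_179 = disable_expired(s, t0 + timedelta(days=179))
    day_180 = disable_expired(s, t0 + timedelta(days=180))
    try:
        decrypt(s, old_blob)
        old_rejected = False
    except PermissionError:
        old_rejected = True
    return {"active": s.aliases["active"], "latest": s.aliases["latest"],
            "old_version": int.from_bytes(old_blob[:4], "big"),
            "new_version": int.from_bytes(new_blob[:4], "big"),
            "readable_after_rotate": readable_after_rotate, "disabled_day_179": day_179,
            "disabled_day_180": day_180, "old_rejected": old_rejected,
            "new_still_readable": decrypt(s, new_blob) == b"token-A"}
```

The point to check in demo() is the window between rotation and disablement: on day 90 both versions decrypt, on day 179 nothing has been disabled yet, and on day 180 any blob still carrying version 1 fails with PermissionError. A background job that walks stored ciphertexts and re-encrypts the ones whose leading version tag is not `active` closes that window before the 90 days run out.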

Secret access

Access to secrets must be managed by IAM. Since different classes of secrets (different prefixes) can be managed in the same project, we must use IAM conditions to grant service accounts access only to those secrets that they need (by filtering on secret prefix).
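What such a prefix-scoped binding looks like, as an added example that is not part of this page: the binding and condition shape are the real IAM policy format, and the gcloud flags are real, but PROJECT_NUMBER, the project id, the service account and the helper functions (prefix_binding, condition_matches, accessible_secrets, gcloud_command) are placeholders and stand-ins constructed for this example; condition_matches only models the one startsWith form used here, not the IAM condition language.

```python
# Added example, not the page's code: a per-prefix IAM binding for Secret Manager
# and a minimal evaluator to show which secret names it covers.
import re

PROJECT_NUMBER = "000000000000"  # placeholder; IAM resource names use the project number

def secret_resource_name(secret_id: str, project_number: str = PROJECT_NUMBER) -> str:
    return f"projects/{project_number}/secrets/{secret_id}"

def prefix_binding(member: str, prefix: str, project_number: str = PROJECT_NUMBER) -> dict:
    """Binding granting secretAccessor only on secrets named PREFIX-* (the trailing
    '-' is part of the match so 'client-tokens' does not also cover 'client-tokensx-...')."""
    expression = f'resource.name.startsWith("{secret_resource_name(prefix + "-", project_number)}")'
    return {
        "role": "roles/secretmanager.secretAccessor",
        "members": [member],
        "condition": {"title": f"{prefix}-secrets-only", "expression": expression},
    }

def gcloud_command(binding: dict, project_id: str) -> list:
    """argv for the equivalent gcloud call; project_id is a placeholder."""
    cond = binding["condition"]
    return [
        "gcloud", "projects", "add-iam-policy-binding", project_id,
        f"--member={binding['members'][0]}",
        f"--role={binding['role']}",
        f"--condition=expression={cond['expression']},title={cond['title']}",
    ]

_STARTS_WITH = re.compile(r'resource\.name\.startsWith\("([^"]*)"\)')

def condition_matches(binding: dict, secret_id: str, project_number: str = PROJECT_NUMBER) -> bool:
    """Stand-in evaluator: True when the binding's condition covers secret_id."""
    m = _STARTS_WITH.fullmatch(binding["condition"]["expression"])
    if m is None:
        raise ValueError("only resource.name.startsWith(...) is modelled here")
    return secret_resource_name(secret_id, project_number).startswith(m.group(1))

def accessible_secrets(binding: dict, secret_ids: list) -> list:
    """Which of the given secrets the bound service account could read."""
    return [s for s in secret_ids if condition_matches(binding, s)]
```

Two things worth checking when adopting this: a prefix that is itself the leading hyphen-separated part of another prefix (client vs client-tokens) still matches the longer one, so prefixes must not nest that way; and an unconditional secretAccessor grant at project or folder level would bypass the condition entirely, so the conditioned binding must be the only path by which the service account reaches secrets.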