Secret Manager Baseline

Purpose

Define the minimum production baseline for secret storage, access, and verification.

When to run this

During new environment bootstrap
Before first production deployment
During security reviews and incident response

Prerequisites

gcloud authenticated to payroll-bi-gauntlet
IAM permission to view secrets and policies
Cloud Run service names and runtime service account known

Inputs

Project: payroll-bi-gauntlet
Runtime SA: sa-worker@payroll-bi-gauntlet.iam.gserviceaccount.com
Required runtime secret mapping:
- JWT_SECRET_KEY=jwt-secret:latest

Procedure

1) Verify required secrets exist

gcloud secrets describe jwt-secret --project=payroll-bi-gauntlet

2) Verify runtime service account access

gcloud secrets get-iam-policy jwt-secret \
  --project=payroll-bi-gauntlet

Expected: runtime SA has roles/secretmanager.secretAccessor.

3) Verify Cloud Run secret wiring (both services)

gcloud run services describe payroll-backend-prod \
  --region=us-central1 \
  --project=payroll-bi-gauntlet \
  --format="yaml(spec.template.spec.containers[0].env,spec.template.spec.containers[0].env.valueSource)"

gcloud run services describe payroll-pipeline-cbs-api \
  --region=us-central1 \
  --project=payroll-bi-gauntlet \
  --format="yaml(spec.template.spec.containers[0].env,spec.template.spec.containers[0].env.valueSource)"

Confirm JWT_SECRET_KEY is sourced from Secret Manager, not plaintext env vars.

4) Rotation baseline

Rotate secret version in Secret Manager.
Keep runtime mapping pinned to :latest unless a freeze requires explicit version pinning.
Re-run smoke tests after rotation.

Verification

jwt-secret exists
Runtime SA has secretAccessor
Both services reference Secret Manager-backed JWT_SECRET_KEY
No plaintext secret values committed in docs/config

Failure modes & fixes

403 when accessing secret at runtime
- Add roles/secretmanager.secretAccessor for runtime SA.
Auth failures after deploy
- Verify JWT_SECRET_KEY mapping points to correct secret and version.
Drift between services
- Ensure both services use the same secret contract and value source.

Artifacts produced

Secret existence and IAM verification output
Service configuration proof for secret wiring

Start Here

Operate & Support

Reference

Build & Integrate

SECRET MANAGER BASELINE

Secret Manager Baseline

Purpose

When to run this

Prerequisites

Inputs

Procedure

1) Verify required secrets exist

2) Verify runtime service account access

3) Verify Cloud Run secret wiring (both services)

4) Rotation baseline

Verification

Failure modes & fixes

Artifacts produced

Start Here

Operate & Support

Reference

Build & Integrate

​Secret Manager Baseline

​Purpose

​When to run this

​Prerequisites

​Inputs

​Procedure

​1) Verify required secrets exist

​2) Verify runtime service account access

​3) Verify Cloud Run secret wiring (both services)

​4) Rotation baseline

​Verification

​Failure modes & fixes

​Artifacts produced

​Related docs

Secret Manager Baseline

Purpose

When to run this

Prerequisites

Inputs

Procedure

1) Verify required secrets exist

2) Verify runtime service account access

3) Verify Cloud Run secret wiring (both services)

4) Rotation baseline

Verification

Failure modes & fixes

Artifacts produced

Related docs