How to access secrets from Google Secret Manager using Google Apps Script

This detailed guide explains how to access passwords, API keys and other sensitive data stored in Google Secret Manager from Google Apps Script.

API keys and other credentials are your digital passports to access valuable data and services from various online platforms. When you’re developing Google Apps Script projects that connect to these platforms using keys, it’s of paramount importance to handle these keys with care and prevent them from falling into the wrong hands. Mishandled API keys can lead to unauthorized access, data breaches, and potentially even financial consequences.

One way to store API keys in Google Apps Script is the built-in Properties Service. This service offers a mechanism to store key-value pairs attached to your Apps Script project. While the Properties Service offers a convenient way to store sensitive data, it comes with limitations:

  • Not True Encryption: The Properties Service stores data in a readable format. Anyone with sufficient access to your Apps Script project might be able to view the API keys.
  • Limited Access Control: It’s challenging to implement fine-grained access restrictions over who can see the stored keys within the Properties Service.

For a more secure and scalable approach, you might consider using Google Cloud’s Secret Manager. As described by Amit Agarwal in this source post:

Google Secret Manager is a cloud service where you can store sensitive data such as passwords, database credentials, encryption keys or any other confidential information that you don’t want to hardcode in your application’s source code. You can also set up an expiration time for the secret and the Google Secret Manager will automatically delete the secret after the specified time.

You can read more about using the Google Cloud Secret Manager in Amit’s post, which also includes the setup and Apps Script code snippets to make it work. For some general best practices on key management, Google provides this support article.
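The following added example (not the code from Amit Agarwal’s post) reads a secret version through the Secret Manager REST API from Apps Script, using the OAuth token of whoever runs the script so that Cloud IAM decides who gets the value. It assumes the V8 runtime and the `https://www.googleapis.com/auth/cloud-platform` scope in the script manifest; the function names and the project and secret IDs are hypothetical.

```javascript
// Added example: function names are hypothetical, not from the source post.
const SM_BASE = 'https://secretmanager.googleapis.com/v1';

// Build the ":access" URL for a secret version (defaults to "latest").
function secretVersionUrl(projectId, secretId, version) {
  const seg = [projectId, secretId, version || 'latest'].map(encodeURIComponent);
  return `${SM_BASE}/projects/${seg[0]}/secrets/${seg[1]}/versions/${seg[2]}:access`;
}

// Turn the HTTP result into the secret string. Error messages carry only the
// status, never the response body, so a secret cannot leak through logs.
function parseAccessResponse(status, body, decodeBase64) {
  if (status === 403) {
    throw new Error('HTTP 403: the identity running the script may not access ' +
      'this secret (check IAM role, API enablement and OAuth scope)');
  }
  if (status === 404) throw new Error('HTTP 404: secret or version not found');
  if (status !== 200) throw new Error('Secret Manager returned HTTP ' + status);
  const payload = JSON.parse(body).payload;
  if (!payload || !payload.data) throw new Error('Response has no payload data');
  return decodeBase64(payload.data); // payload.data is base64-encoded
}

// Apps Script entry point: runs with the calling user's OAuth token.
function getSecret(projectId, secretId, version) {
  const resp = UrlFetchApp.fetch(secretVersionUrl(projectId, secretId, version), {
    headers: { Authorization: 'Bearer ' + ScriptApp.getOAuthToken() },
    muteHttpExceptions: true, // inspect the status code ourselves
  });
  return parseAccessResponse(
    resp.getResponseCode(),
    resp.getContentText(),
    (b64) => Utilities.newBlob(Utilities.base64Decode(b64)).getDataAsString()
  );
}
```

Keep the returned value in a local variable and pass it straight to the API call that needs it; avoid writing it to `console.log`, a sheet cell or Script Properties.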

Source: How to Access Secrets from Google Secret Manager using Apps Script – Digital Inspiration

2 comments for “How to access secrets from Google Secret Manager using Google Apps Script”

    10 April, 2024 at 20:5523

    But what’s the point of this if any user can console the output to see the secrets? They can copy the project_id and secret_id and run the same function to console the password. If Apps Script could hash or not show the password, it would have been useful.

    • 11 April, 2024 at 02:5623

      Great question. There will be scenarios where using Script Properties is suitable. Google Secret Manager does however allow fine-grained control. For example, consider a scenario where you have a Google Sheet with a container-bound script that is shared with a large number of people, but you would only like a subset of individuals to be given access to an API key. With Google Secret Manager you can use Google Cloud IAM to manage access to the key.
