SMCache is a Go library to store certificates from Let's Encrypt in GCP Secret Manager. It is an implementation of the Cache within acme autocert that will store data within Google Cloud's Secret Manager.
This is not an official Google product.
import (
"github.com/jwendel/smcache"
"golang.org/x/crypto/acme/autocert"
)
func main() {
m := &autocert.Manager{
Cache: smcache.NewSMCache(smcache.Config{ProjectID: "my-project-id", SecretPrefix: "test-"}),
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist("example.com", "www.example.com"),
}
s := &http.Server{
Addr: ":https",
TLSConfig: m.TLSConfig(),
}
panic(s.ListenAndServeTLS("", ""))
}
SMCache requires admin access to the Secret Manager API to function properly. This is configure in the IAM policy for a resource.
Example of enabling this API for Compute Engine:
- Go the IAM policy management
- Edit the
<projectId>-compute@developer.gserviceaccount.com
(Compute Engine default service account
) - Click
Add Another Role
, and selectSecret Manager Admin
.
Bonus Security: if you're paranoid about this resource getting access to other secrets, you can set a condition on the Role we just added.
- click
Add Condition
, then set a name and description for it. - For Conditional Type, select
Resource
->Name
, Operator:Starts With
, and set it to whatever value you want, such as "test-
".- Note: this prefix should be the same as the
SecretPrefix
you set on thesmcache.Config
.
- Note: this prefix should be the same as the
There are 2 demos checked into this repo under example/.
- Autocert+Http Example - shows how to use this library with Autocert and the Go HTTP std server.
- Simple Example - demos how this library interacts with GCP's Secret Manager.
- Requires Go >= 1.13.0 (due to use of
fmt.Errorf
)