@reaatech/secret-rotation-provider-gcp
v0.1.0
Published
GCP Secret Manager provider for Secret Rotation Kit
Downloads
147
Readme
@reaatech/secret-rotation-provider-gcp
Status: Pre-1.0 — APIs may change in minor versions. Pin to a specific version in production.
GCP Secret Manager adapter for Secret Rotation Kit. Implements the SecretProvider interface using the @google-cloud/secret-manager SDK.
Installation
npm install @reaatech/secret-rotation-provider-gcp @google-cloud/secret-manager
# or
pnpm add @reaatech/secret-rotation-provider-gcp @google-cloud/secret-manager
@google-cloud/secret-manageris an optional peer dependency, loaded lazily at runtime. Install it alongside this package; if it's missing the adapter throws a clear error telling you to install it.
Feature Overview
- Full
SecretProviderimplementation — CRUD, versioning, rotation sessions, and health checks - Label-based rotation tracking — uses
rotation-statusandpending-versionlabels (GCP has no native stage labels) - Custom endpoints — support for emulators and private API endpoints
- Automatic version tracking — new writes create new versions automatically
Quick Start
import { GCPProvider } from '@reaatech/secret-rotation-provider-gcp';
import { RotationManager } from '@reaatech/secret-rotation-core';
const provider = new GCPProvider({ projectId: 'my-gcp-project' });
const manager = new RotationManager({ providerInstance: provider });
await manager.rotate('my-secret');API Reference
GCPProvider
Constructor
new GCPProvider(config: GCPProviderConfig)GCPProviderConfig
| Property | Type | Required | Description |
|----------|------|----------|-------------|
| type | "gcp" | Yes | Discriminator |
| projectId | string | Yes | GCP project ID |
| endpoint | string | No | Custom endpoint for emulators or private APIs |
SecretProvider Methods
| Method | Description |
|--------|-------------|
| createSecret(name, value) | Create a new secret with replication set to automatic |
| getSecret(name, version?) | Get secret value. Defaults to latest version. |
| storeSecretValue(name, value, options?) | Add a new version. { stage: "pending" } sets rotation-status: pending label. |
| deleteSecret(name, options?) | Delete a secret |
| listVersions(name) | List all versions with labels |
| getVersion(name, versionId) | Get a specific version's value |
| deleteVersion(name, versionId) | Destroy a specific version |
| supportsRotation() | Returns true |
| beginRotation(name) | Creates a session. Marks the latest version as pending via label. |
| completeRotation(session) | Promotes pending version by removing the rotation-status label |
| cancelRotation(session) | Removes rotation labels from pending version |
| health() | Lightweight health check using listVersions with page size 1 |
| capabilities() | Returns supportsRotation: true, supportsVersioning: true, supportsLabels: true |
Rotation Flow
beginRotation() → marks latest version with rotation-status label
storeSecretValue(pending) → creates new version with pending label
completeRotation() → removes rotation-status, promotes pending version
cancelRotation() → cleans up rotation labelsUsage Patterns
Explicit Provider Instance
import { GCPProvider } from '@reaatech/secret-rotation-provider-gcp';
import { RotationManager } from '@reaatech/secret-rotation-core';
const provider = new GCPProvider({ projectId: 'my-gcp-project' });
const manager = new RotationManager({ providerInstance: provider });Dynamic Provider Selection
import '@reaatech/secret-rotation-provider-gcp'; // registers 'gcp' type
import { createProvider } from '@reaatech/secret-rotation-types';
const provider = createProvider({ type: 'gcp', projectId: 'my-gcp-project' });Related Packages
@reaatech/secret-rotation-types—SecretProviderinterface and config types@reaatech/secret-rotation-core— Rotation engine@reaatech/secret-rotation-provider-aws— AWS adapter@reaatech/secret-rotation-provider-vault— Vault adapter