npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

gcp-secret-credentials-fetcher

v1.1.1

Published

A lightweight helper utility to retrieve and automatically parse JSON secrets from Google Cloud Secret Manager.

Downloads

211

Readme

gcp-secret-credentials-fetcher

A lightweight, modern Node.js helper utility to easily retrieve, decrypt, and parse credentials and configuration payloads from Google Cloud Secret Manager.

npm version License: MIT

Features

  • Automatic JSON Parsing: Automatically parses the secret payload to an object if it's a valid JSON string. Otherwise, returns the raw string.
  • Pure JavaScript & Modern Async/Await: Avoids buggy, native C++ deasync code loops. Ensures maximum compatibility across platforms (Docker, Alpine, Windows, macOS, Linux).
  • Synchronous Support: Includes a accessSecretManagerKeySync helper for CommonJS config files (env.js, config.js) that cannot use await, using a zero-dependency pure-JS approach via child_process.spawnSync.
  • Lazy Initialization: The GCP Client is initialized only when requested, ensuring your app doesn't crash on boot if secrets aren't accessed in that environment.
  • Error Fallback Mode: Offers optional legacy-compatible fallback mode, returning a database configuration object with undefined properties instead of throwing an error.

Installation

npm install gcp-secret-credentials-fetcher

Note: Requires Node.js version 18.0.0 or higher.


Google Cloud Credentials Setup

This package uses the official Google Cloud Secret Manager client under the hood, which automatically authenticates using Application Default Credentials (ADC).

1. Local Development (Service Account Key)

  1. In the Google Cloud Console, create a Service Account and grant it the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor).
  2. Download the JSON key file.
  3. Set the environment variable:
    • Windows (PowerShell): $env:GOOGLE_APPLICATION_CREDENTIALS="C:\path\to\service-account-key.json"
    • Linux/macOS: export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"

2. Cloud Environment (GCP VM, GKE, Cloud Run, Cloud Functions)

No key file is required. Assign a service account with the Secret Manager Secret Accessor role directly to your Compute instance, GKE pod, or Cloud Run service. The library will authenticate automatically.


Choosing the Right Function

This package exposes two functions for two different situations — both do the same thing (fetch a secret) but in fundamentally different ways:

| | getSecret / accessSecretManagerKey | accessSecretManagerKeySync | |---|---|---| | Returns | Promise<any> | any (directly) | | Needs await? | ✅ Yes | ❌ No | | Blocks event loop? | ❌ No | ✅ Yes (briefly, once at startup) | | Best for | App startup, service handlers | Config files, env.js | | Solves | General async use | ERR_REQUIRE_ASYNC_MODULE error |

Why does ERR_REQUIRE_ASYNC_MODULE happen?
When you use await at the top level of a file loaded via require(), Node.js treats it as an async ESM module and throws this error. accessSecretManagerKeySync solves this by removing the need for await entirely — the result is returned directly.


Usage Examples

1. Recommended: Asynchronous Initialization (Async/Await)

For standard Node.js applications, fetch the credentials asynchronously at startup before starting your services:

const getSecret = require('gcp-secret-credentials-fetcher');

async function initializeApp() {
    try {
        const secretKeyPath = process.env.cassandra_secret_key; // e.g. "projects/123456789/secrets/cassandra-config/versions/latest"
        
        // Fetches and automatically parses the JSON secret payload
        const cassandraCredentials = await getSecret(secretKeyPath);
        
        console.log("Secret loaded successfully. Connecting to database...");
        console.log("Host:", cassandraCredentials.hostname);
        
        // Start your server/db clients here using the credentials
    } catch (error) {
        console.error("Failed to load application configurations:", error.message);
        process.exit(1);
    }
}

initializeApp();

2. Modern Node.js: Top-Level Await (ES Modules)

If your package is configured as an ES module ("type": "module" in your package.json), or you are running in a supported Node.js environment, you can use top-level await:

import getSecret from 'gcp-secret-credentials-fetcher';

const secretKeyPath = process.env.cassandra_secret_key;
const credentials = await getSecret(secretKeyPath);

export default credentials;

3. Legacy Migration / Fallback Mode

If your existing application has a legacy setup that expects an object with empty database fields on error instead of throwing a validation/network exception, pass the { fallbackOnError: true } option:

const getSecret = require('gcp-secret-credentials-fetcher');

async function getDbConfig() {
    // If the call fails, this will NOT throw, but instead return:
    // { hostname: undefined, ip: undefined, username: undefined, password: undefined, ... }
    const credentials = await getSecret(
        process.env.cassandra_secret_key, 
        { fallbackOnError: true }
    );
    
    return credentials;
}

4. Synchronous — For Config Files (env.js / config.js)

Use this when you are loading secrets inside a CommonJS configuration file using require(), where using await at the top level would cause a ERR_REQUIRE_ASYNC_MODULE error:

const { accessSecretManagerKeySync } = require('gcp-secret-credentials-fetcher');

// No async, no await — result is returned directly!
const cassandraConfig = accessSecretManagerKeySync(process.env.cassandra_secret_key);

module.exports = cassandraConfig;

With fallback on error:

const { accessSecretManagerKeySync } = require('gcp-secret-credentials-fetcher');

const cassandraConfig = accessSecretManagerKeySync(
    process.env.cassandra_secret_key,
    { fallbackOnError: true } // returns { hostname: undefined, ... } instead of throwing
);

module.exports = cassandraConfig;

API Reference

getSecret(secretKey, [options]) / accessSecretManagerKey(secretKey, [options]) — Async

Returns a Promise resolving to the payload. Must be used with await inside an async function.

Parameters:

  • secretKey (string, Required): The full resource name of the secret version in Google Cloud, e.g. projects/PROJECT_NUMBER/secrets/SECRET_NAME/versions/latest or projects/PROJECT_NUMBER/secrets/SECRET_NAME/versions/1.
  • options (Object, Optional):
    • fallbackOnError (boolean, Optional): If true, returns a fallback database object with empty (undefined) properties on failure instead of throwing an error. Defaults to false.

Returns:

  • Promise<any>: Resolves to the parsed JSON object if the payload is valid JSON, or the raw UTF-8 string/payload if parsing fails.

accessSecretManagerKeySync(secretKey, [options]) — Synchronous

Blocks execution and returns the secret payload directly — no await required. Internally spawns a short-lived child Node.js process via child_process.spawnSync. Best used in CommonJS configuration files.

Parameters:

  • secretKey (string, Required): The full resource name of the secret version in Google Cloud, e.g. projects/PROJECT_NUMBER/secrets/SECRET_NAME/versions/latest.
  • options (Object, Optional):
    • fallbackOnError (boolean, Optional): If true, returns a fallback database object with empty (undefined) properties on failure instead of throwing an error. Defaults to false.

Returns:

  • any: The parsed JSON object if the payload is valid JSON, or the raw UTF-8 string.

License

MIT © 2026