## Manage Database Credentials using GCP Secret Manager

Here is the process involved to get secret details as part of the applications.
* Create Secret Manager Client Object
* Get Secret Details
* Use Secret Details (to connect to Databases)

In [1]:
!pip install google-cloud-secret-manager

Collecting google-cloud-secret-manager
  Downloading google_cloud_secret_manager-2.16.1-py2.py3-none-any.whl (116 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m116.7/116.7 kB[0m [31m3.2 MB/s[0m eta [36m0:00:00[0m
Collecting grpc-google-iam-v1<1.0.0dev,>=0.12.4
  Downloading grpc_google_iam_v1-0.12.6-py2.py3-none-any.whl (26 kB)
Collecting proto-plus<2.0.0dev,>=1.22.0
  Downloading proto_plus-1.22.2-py3-none-any.whl (47 kB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m47.9/47.9 kB[0m [31m3.3 MB/s[0m eta [36m0:00:00[0m
Collecting grpcio-status<2.0dev,>=1.33.2
  Downloading grpcio_status-1.54.0-py3-none-any.whl (5.1 kB)
Collecting grpcio<2.0dev,>=1.33.2
  Downloading grpcio-1.54.0-cp39-cp39-macosx_10_10_universal2.whl (8.7 MB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m8.7/8.7 MB[0m [31m31.6 MB/s[0m eta [36m0:00:00[0m00:01[0m00:01[0m
Installing collected packages: proto-plus, grpcio, grpcio-status, grpc-google-i

In [2]:
from google.cloud import secretmanager

In [3]:
client = secretmanager.SecretManagerServiceClient()

In [4]:
client.access_secret_version?

[0;31mSignature:[0m
[0mclient[0m[0;34m.[0m[0maccess_secret_version[0m[0;34m([0m[0;34m[0m
[0;34m[0m    [0mrequest[0m[0;34m:[0m [0mUnion[0m[0;34m[[0m[0mgoogle[0m[0;34m.[0m[0mcloud[0m[0;34m.[0m[0msecretmanager_v1[0m[0;34m.[0m[0mtypes[0m[0;34m.[0m[0mservice[0m[0;34m.[0m[0mAccessSecretVersionRequest[0m[0;34m,[0m [0mdict[0m[0;34m,[0m [0mNoneType[0m[0;34m][0m [0;34m=[0m [0;32mNone[0m[0;34m,[0m[0;34m[0m
[0;34m[0m    [0;34m*[0m[0;34m,[0m[0;34m[0m
[0;34m[0m    [0mname[0m[0;34m:[0m [0mOptional[0m[0;34m[[0m[0mstr[0m[0;34m][0m [0;34m=[0m [0;32mNone[0m[0;34m,[0m[0;34m[0m
[0;34m[0m    [0mretry[0m[0;34m:[0m [0mUnion[0m[0;34m[[0m[0mgoogle[0m[0;34m.[0m[0mapi_core[0m[0;34m.[0m[0mretry[0m[0;34m.[0m[0mRetry[0m[0;34m,[0m [0mgoogle[0m[0;34m.[0m[0mapi_core[0m[0;34m.[0m[0mgapic_v1[0m[0;34m.[0m[0mmethod[0m[0;34m.[0m[0m_MethodDefault[0m[0;34m][0m [0;34m=[0m [0;34m<[0m[0m_

In [5]:
project_id = 'dataanalytics-347914'
secret_id = 'retail_secret'
version_id = 1

In [6]:
secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'

In [7]:
secret_name

'projects/dataanalytics-347914/secrets/retail_secret/versions/1'

In [8]:
response = client.access_secret_version(name=secret_name)

In [9]:
type(response)

google.cloud.secretmanager_v1.types.service.AccessSecretVersionResponse

In [10]:
response.payload

data: "{\"host\": \"34.170.93.218\", \"database\": \"retail_db\", \"user\": \"martin\", \"password\": \"martin\"}"
data_crc32c: 369172841

The payload data has the body of the response. It comes in bytes data type and should be converted to a UTF-8 string by using the decode function

In [12]:
response.payload.data

b'{"host": "34.170.93.218", "database": "retail_db", "user": "martin", "password": "martin"}'

In [13]:
response.payload.data.decode('utf-8')

'{"host": "34.170.93.218", "database": "retail_db", "user": "martin", "password": "martin"}'

In [14]:
import json

Since the body content is a json string, we need to use loads() to create a dictionary from it

In [15]:
secret_details = json.loads(response.payload.data.decode('utf-8'))

In [16]:
secret_details.keys()

dict_keys(['host', 'database', 'user', 'password'])

In [17]:
secret_details['user']

'martin'

In [18]:
secret_details['password']

'martin'

The following function does the same process

In [20]:
import json
from google.cloud import secretmanager

def get_secret_details(secret_name):
    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(name=secret_name)
    return json.loads(response.payload.data.decode('utf-8'))

In [23]:
project_id = 'dataanalytics-347914'
secret_id = 'retail_secret'
version_id = 1

secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'
secret_details = get_secret_details(secret_name)
secret_details

{'host': '34.170.93.218',
 'database': 'retail_db',
 'user': 'martin',
 'password': 'martin'}

Since the secret doesn't have a port value, we need to fill the placeholders using format() method that allows to pass one written argument and unpack a dictionary with the rest of the arguments from the secret manager

In [24]:
conn_uri = 'postgresql://{user}:{password}@{host}:{port}/{database}'

In [25]:
conn_uri.format(port=5432, **secret_details)

'postgresql://martin:martin@34.170.93.218:5432/retail_db'

In [26]:
import pandas as pd

In [27]:
df = pd.read_sql(
    '''
        SELECT order_status, sum(order_count) AS order_count FROM daily_status_count
        GROUP BY 1
        ORDER BY 2 DESC
    ''',
    conn_uri.format(port=5432, **secret_details)
)

In [28]:
df

Unnamed: 0,order_status,order_count
0,COMPLETE,22899.0
1,PENDING_PAYMENT,15030.0
2,PROCESSING,8275.0
3,PENDING,7610.0
4,CLOSED,7556.0
5,ON_HOLD,3798.0
6,SUSPECTED_FRAUD,1558.0
7,CANCELED,1428.0
8,PAYMENT_REVIEW,729.0
