ForgeTrust.AppSurface.Config.GoogleSecretManager 0.2.0-preview.2

This is a prerelease version of ForgeTrust.AppSurface.Config.GoogleSecretManager.
dotnet add package ForgeTrust.AppSurface.Config.GoogleSecretManager --version 0.2.0-preview.2
                    
NuGet\Install-Package ForgeTrust.AppSurface.Config.GoogleSecretManager -Version 0.2.0-preview.2
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="ForgeTrust.AppSurface.Config.GoogleSecretManager" Version="0.2.0-preview.2" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="ForgeTrust.AppSurface.Config.GoogleSecretManager" Version="0.2.0-preview.2" />
                    
Directory.Packages.props
<PackageReference Include="ForgeTrust.AppSurface.Config.GoogleSecretManager" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add ForgeTrust.AppSurface.Config.GoogleSecretManager --version 0.2.0-preview.2
                    
#r "nuget: ForgeTrust.AppSurface.Config.GoogleSecretManager, 0.2.0-preview.2"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package ForgeTrust.AppSurface.Config.GoogleSecretManager@0.2.0-preview.2
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=ForgeTrust.AppSurface.Config.GoogleSecretManager&version=0.2.0-preview.2&prerelease
                    
Install as a Cake Addin
#tool nuget:?package=ForgeTrust.AppSurface.Config.GoogleSecretManager&version=0.2.0-preview.2&prerelease
                    
Install as a Cake Tool

ForgeTrust.AppSurface.Config.GoogleSecretManager

Google Cloud Secret Manager remote secret storage for AppSurface configuration.

Use this package when an AppSurface app running on Google Cloud needs production-like secret reads through the same logical config keys used by ForgeTrust.AppSurface.Config. The provider is read-only, source-aware, fail-closed for claimed keys by default, and keeps environment variables as the top emergency override.

Release Guidance

AppSurface ships as a coordinated package family. Before installing this package from a prerelease feed, check the package chooser and release hub for current release risk, migration guidance, and readiness.

Install

dotnet package add ForgeTrust.AppSurface.Config.GoogleSecretManager

Register AppSurfaceGoogleSecretManagerModule beside your app modules. It brings in AppSurfaceConfigModule, registers GoogleSecretManagerConfigProvider, and uses Application Default Credentials through the Google Cloud client library.

services.ConfigureAppSurfaceGoogleSecretManager(options =>
{
    options.ProjectId = "my-production-project";
    options.MapSecret("Stripe:ApiKey", "stripe-api-key", version: "7");
    options.MapSecret("OpenAI:ApiKey", "projects/shared-secrets/secrets/openai-api-key/versions/3");
});

Grant the runtime identity secretmanager.versions.access only for the secrets it should read. Prefer Workload Identity or host-owned Application Default Credentials. This package does not mint credentials, create secrets, assign IAM, provision Terraform, shell out to gcloud, write secret versions, delete secrets, or rotate values.

Provider Order

The AppSurface config order is:

appsettings defaults < LocalSecrets < Google Secret Manager < environment variables

Environment variables stay above Google Secret Manager so an operator can override a broken remote secret without changing code or mutating Secret Manager. File configuration and LocalSecrets stay below the remote provider. A claimed Google Secret Manager key stops lower-priority providers when the remote lookup is unavailable, denied, invalid, or cannot be converted, unless FailClosedOnProviderFailure is set to false.

Unmapped keys are not claimed and continue through the normal provider chain.

Explicit Mappings

Prefer explicit mappings for production:

services.ConfigureAppSurfaceGoogleSecretManager(options =>
{
    options.ProjectId = "my-production-project";
    options.MapSecret("Billing:Stripe:ApiKey", "billing-stripe-api-key", version: "12");
});

Short secret ids require ProjectId and a version from either the mapping or DefaultVersion. Full version resource names, such as projects/prod/secrets/billing-stripe-api-key/versions/12, already contain the project, secret, and version.

latest is mutable and is not the hidden default. If you need it for a development, canary, or app-owned rollout workflow, opt in explicitly:

services.ConfigureAppSurfaceGoogleSecretManager(options =>
{
    options.ProjectId = "my-dev-project";
    options.AllowLatest();
    options.MapSecret("Stripe:ApiKey", "stripe-api-key", version: AppSurfaceGoogleSecretManagerOptions.LatestVersion);
});

For production release discipline, pin a numeric version or an app-owned stable alias and rotate by updating the mapping or alias through your deployment process.

Convention Resolver

The convention resolver is opt-in and scoped. It is useful when an app owns a narrow config prefix and the corresponding secret names follow the same pattern.

services.ConfigureAppSurfaceGoogleSecretManager(options =>
{
    options.ProjectId = "my-production-project";
    options.EnableConventionResolver("TenantA:", secretIdPrefix: "tenanta-", version: "5");
});

Only keys under the exact logical prefix are claimed. The provider normalizes the key suffix by replacing :, ., and _ with -, lowercasing invariantly, and prepending secretIdPrefix. Broad conventions can claim more keys than intended, so production apps should prefer explicit mappings for high-value secrets.

Typed Values

Secret payloads must be UTF-8 text. The provider converts values with the same AppSurface config converter used by LocalSecrets: strings, numbers, booleans, enums, Guid, nullable scalars, and JSON object payloads are supported. Conversion failures are terminal diagnostics for claimed keys by default and never include the raw payload.

Use normal Config<T> wrappers or direct IConfigManager.GetValue<T> calls:

public sealed class StripeApiKeyConfig : Config<string>
{
}

Diagnostics And Audit

Google Secret Manager diagnostics are paste-safe. They identify the logical key, provider, status, and remediation class without printing secret values, payload bytes, credentials, or raw exception messages.

Diagnostic code Meaning
google-secret-manager-secret-missing The claimed secret or version was not found.
google-secret-manager-access-denied The runtime identity cannot access the secret version.
google-secret-manager-invalid-secret-resource The mapping, project, version, or Secret Manager resource name is invalid.
google-secret-manager-unavailable Secret Manager or the client was unavailable within the bounded lookup.
google-secret-manager-cancelled The lookup was cancelled.
google-secret-manager-invalid-secret-payload The payload was not valid UTF-8 text.
google-secret-manager-conversion-failed The payload could not be converted to the requested config type.

IConfigAuditReporter records Google Secret Manager as a provider source and marks returned values sensitive. Audit reports show source evidence and redaction state, not raw secrets.

Cache Behavior

By default every lookup reads through the client. Set CacheTtl only when the app can tolerate delayed visibility after rotation:

services.ConfigureAppSurfaceGoogleSecretManager(options =>
{
    options.CacheTtl = TimeSpan.FromMinutes(5);
});

Only successful payload reads are cached. Failures are not cached, and the provider does not run a background refresh.

Testing

Use UseAppSurfaceGoogleSecretManagerClient(...) to replace the Google client seam in tests:

services.UseAppSurfaceGoogleSecretManagerClient(new FakeGoogleSecretManagerClient());

The seam returns payload bytes from a resource name and timeout. Test fakes can return deterministic bytes or throw Google RpcException instances so the provider's status mapping remains deterministic without network access.

Migration

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.2.0-preview.2 45 7/3/2026