open-telemetry · atoulme · May 8, 2025 · Apr 16, 2025 · Apr 25, 2025 · Apr 28, 2025
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: new_component
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: confmap/googlesecretmanagerprovider
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Initial implementation of secrets manager provider. Allows fetch secrets from Google Secrets Manager
+
+# One or more tracking issues related to the change
+issues: [39665]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
@@ -32,6 +32,10 @@ component_management:
     name: confmap_provider_aesprovider
     paths:
     - confmap/provider/aesprovider/**
+  - component_id: confmap_provider_googlesecretmanagerprovider
+    name: confmap_provider_googlesecretmanagerprovider
+    paths:
+    - confmap/provider/googlesecretmanagerprovider/**
   - component_id: confmap_provider_s3provider
     name: confmap_provider_s3provider
     paths:

@@ -25,6 +25,7 @@ cmd/otelcontribcol/                                              @open-telemetry
 cmd/oteltestbedcol/                                              @open-telemetry/collector-contrib-approvers
 cmd/telemetrygen/                                                @open-telemetry/collector-contrib-approvers @mx-psi @codeboten @Erog38
 confmap/provider/aesprovider/                                    @open-telemetry/collector-contrib-approvers @djaglowski
+confmap/provider/googlesecretmanagerprovider/                    @open-telemetry/collector-contrib-approvers @aabmass @dashpole @jsuereth @psx95 @braydonk @ridwanmsharif
 confmap/provider/s3provider/                                     @open-telemetry/collector-contrib-approvers @Aneurysm9
 confmap/provider/secretsmanagerprovider/                         @open-telemetry/collector-contrib-approvers @atoulme
 connector/countconnector/                                        @open-telemetry/collector-contrib-approvers @djaglowski

@@ -25,6 +25,7 @@ body:
       - cmd/oteltestbedcol
       - cmd/telemetrygen
       - confmap/provider/aesprovider
+      - confmap/provider/googlesecretmanagerprovider
       - confmap/provider/s3provider
       - confmap/provider/secretsmanagerprovider
       - connector/count

@@ -19,6 +19,7 @@ body:
       - cmd/oteltestbedcol
       - cmd/telemetrygen
       - confmap/provider/aesprovider
+      - confmap/provider/googlesecretmanagerprovider
       - confmap/provider/s3provider
       - confmap/provider/secretsmanagerprovider
       - connector/count

@@ -19,6 +19,7 @@ body:
       - cmd/oteltestbedcol
       - cmd/telemetrygen
       - confmap/provider/aesprovider
+      - confmap/provider/googlesecretmanagerprovider
       - confmap/provider/s3provider
       - confmap/provider/secretsmanagerprovider
       - connector/count

@@ -24,6 +24,7 @@ body:
       - cmd/oteltestbedcol
       - cmd/telemetrygen
       - confmap/provider/aesprovider
+      - confmap/provider/googlesecretmanagerprovider
       - confmap/provider/s3provider
       - confmap/provider/secretsmanagerprovider
       - connector/count

@@ -6,6 +6,7 @@ cmd/otelcontribcol cmd/otelcontribcol
 cmd/oteltestbedcol cmd/oteltestbedcol
 cmd/telemetrygen cmd/telemetrygen
 confmap/provider/aesprovider confmap/provider/aesprovider
+confmap/provider/googlesecretmanagerprovider confmap/provider/googlesecretmanagerprovider
 confmap/provider/s3provider confmap/provider/s3provider
 confmap/provider/secretsmanagerprovider confmap/provider/secretsmanagerprovider
 connector/countconnector connector/count

@@ -0,0 +1 @@
+include ../../../Makefile.Common
@@ -0,0 +1,61 @@
+# Google Secrets Provider
+<!-- status autogenerated section -->
+| Status        |           |
+| ------------- |-----------|
+| Stability     | [development]  |
+| Distributions | [] |
+| Issues        | [![Open issues](https://img.shields.io/github/issues-search/open-telemetry/opentelemetry-collector-contrib?query=is%3Aissue%20is%3Aopen%20label%3Aprovider%2Fgooglesecretmanagerprovider%20&label=open&color=orange&logo=opentelemetry)](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aopen+is%3Aissue+label%3Aprovider%2Fgooglesecretmanagerprovider) [![Closed issues](https://img.shields.io/github/issues-search/open-telemetry/opentelemetry-collector-contrib?query=is%3Aissue%20is%3Aclosed%20label%3Aprovider%2Fgooglesecretmanagerprovider%20&label=closed&color=blue&logo=opentelemetry)](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aclosed+is%3Aissue+label%3Aprovider%2Fgooglesecretmanagerprovider) |
+| Code coverage | [![codecov](https://codecov.io/github/open-telemetry/opentelemetry-collector-contrib/graph/main/badge.svg?component=provider_googlesecretmanagerprovider)](https://app.codecov.io/gh/open-telemetry/opentelemetry-collector-contrib/tree/main/?components%5B0%5D=provider_googlesecretmanagerprovider&displayType=list) |
+| [Code Owners](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/CONTRIBUTING.md#becoming-a-code-owner)    | [@aabmass](https://www.github.com/aabmass), [@dashpole](https://www.github.com/dashpole), [@jsuereth](https://www.github.com/jsuereth), [@psx95](https://www.github.com/psx95), [@braydonk](https://www.github.com/braydonk), [@ridwanmsharif](https://www.github.com/ridwanmsharif) |
+
+[development]: https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/component-stability.md#development
+<!-- end autogenerated section -->
+
+## Summary
+
+This Provider component offers a secure way to reference secrets or sensitive information in collector configurations using [Google Secret Manager](https://cloud.google.com/security/products/secret-manager). Use a placeholder in the format `${googlesecretmanagerprovider:projects/<project Id>/secrets/<secret Id>/versions/<version Id>}` within your configuration. The actual secrets will then be fetched dynamically from [Google Secret Manager](https://cloud.google.com/security/products/secret-manager) during collector initialization.
+## Usage
+
+- Simply replace plaintext secrets within your collector configuration with the placeholder: `${googlesecretmanagerprovider:projects/<project Id>/secrets/<secret Id>/versions/<version Id>}`
+
+An example collector configuration:
+
+```
+receivers:
+  otlp:
+    protocols:
+      grpc:
+      http:
+processors:
+  batch:
+
+exporters:
+  logging:
+    loglevel: debug
+  http:
+    endpoint: "https://example.com/api/metrics"
+    headers:
+      X-API-Key: ${googlesecretmanagerprovider:projects/12345/secrets/my-secret/versions/1}
+service:
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [logging, http]
+    metrics:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [logging, http]
+    logs:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [logging, http]
+
+```
+
+### Prerequisites
+1. Make sure to enable access to the [Secret Manager API](https://cloud.google.com/secret-manager/docs/accessing-the-api).
+2. Make sure to [add the secret entries to Google Secret Manager](https://cloud.google.com/secret-manager/docs/create-secret-quickstart) before referencing them in the collector configurations. 
+3. This Provider interacts with Google Secret Manager using the Secret Manager client library. This library uses [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials) to locate authentication credentials for Secret Manager. Therefore, if you run your collector in a local environment, execute the [`gcloud auth application-default login`](https://cloud.google.com/secret-manager/docs/authentication#client-libs) command to generate the necessary credential file to provide to ADC.
+4. However, if your collector runs on Google Compute Engine (GCE) or Google Kubernetes Engine (GKE), running `gcloud auth application-default login` is optional. This is because ADC can retrieve credentials via [the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#order). However, ensure that your GKE or GCE instance [has enabled the cloud-platform OAuth scope](https://cloud.google.com/secret-manager/docs/accessing-the-api#oauth-scopes). Additionally, verify that the Service Account attached to the GCE or GKE instance has been granted at least the [roles/secretmanager.secretAccessor](https://cloud.google.com/secret-manager/docs/access-control#secret-manager-roles) IAM role to access secret entries in Google Secret Manager.
+
@@ -0,0 +1,57 @@
+module github.com/open-telemetry/opentelemetry-collector-contrib/confmap/provider/googlesecretmanagerprovider
+
+go 1.23.0
+
+require (
+	cloud.google.com/go/secretmanager v1.14.7
+	github.com/googleapis/gax-go/v2 v2.14.1
+	github.com/stretchr/testify v1.10.0
+	go.opentelemetry.io/collector/confmap v1.31.1-0.20250505152726-56c7da210783
+	go.uber.org/goleak v1.3.0
+	google.golang.org/grpc v1.71.1
+)
+
+require (
+	cloud.google.com/go/auth v0.16.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/iam v1.5.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
+	github.com/knadh/koanf/maps v0.1.2 // indirect
+	github.com/knadh/koanf/providers/confmap v1.0.0 // indirect
+	github.com/knadh/koanf/v2 v2.2.0 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/collector/featuregate v1.31.1-0.20250505152726-56c7da210783 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	google.golang.org/api v0.229.0 // indirect
+	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)