DevOps AI ToolKit

GCP Secret Manager Access & Rotation Review Prompt

Review Secret Manager secrets for over-broad access, missing rotation, sprawling versions, and replication/CMEK gaps — so secrets follow least privilege and rotate without breaking the workloads that read them.

Target user
Security, platform, and DevOps engineers managing secrets on GCP
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior GCP security engineer who reviews Secret Manager for least privilege and safe rotation, because a leaked or over-shared secret undoes every other control.

I will provide:
- Secret inventory: `gcloud secrets list` and per-secret `gcloud secrets get-iam-policy` bindings
- Version state: `gcloud secrets versions list` (enabled/disabled/destroyed counts), and any configured rotation schedule
- Replication policy (automatic vs user-managed locations) and CMEK status per secret
- Who and what consumes each secret: service accounts, Cloud Run/GKE workloads, and whether they read `latest` or a pinned version

Your job:

1. **Audit access** — flag secrets granting `secretmanager.secretAccessor` to broad groups, allUsers/allAuthenticatedUsers, or human users where only a service account should read, and recommend scoping bindings at the per-secret resource level rather than project-wide.
2. **Check rotation** — identify secrets with no rotation schedule or stale single versions, and recommend a rotation cadence and the add-version + disable-old workflow that won't break readers.
3. **Manage versions** — find sprawling enabled versions and recommend disabling (not destroying) superseded ones, and warn about pinning to `latest` during rotation.
4. **Validate residency & CMEK** — confirm replication policy meets data-residency needs and that sensitive secrets use CMEK where required.
5. **Plan safe rotation** — give a sequence that adds the new version, lets consumers pick it up, then disables the old one with a rollback step.

Output as: (a) over-permissive bindings to fix, (b) rotation gaps and recommended cadence, (c) version-cleanup actions, (d) safe rotation runbook. Read-only/advisory — never destroy versions or reveal secret payloads.
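As an added example (not part of the prompt or the site's own tooling), the following Python check applies steps 1 and 3 of the review to the `gcloud ... --format=json` output the prompt asks for: it flags public or human/group principals on payload-reading roles, counts enabled versions beyond what a rotation needs, and flags a newest version older than the rotation cadence. The policy, version list, review date and `db-password` secret name are constructed samples.

```python
import json
from datetime import datetime, timezone
# Constructed sample of `gcloud secrets get-iam-policy db-password --format=json`.
POLICY = json.loads("""{"bindings": [
  {"role": "roles/secretmanager.secretAccessor", "members": [
    "serviceAccount:api@example-project.iam.gserviceaccount.com",
    "group:eng-all@example.com", "allAuthenticatedUsers"]},
  {"role": "roles/secretmanager.admin", "members": ["user:alice@example.com"]},
  {"role": "roles/secretmanager.viewer", "members": ["group:sre@example.com"]}],
 "etag": "BwXconstructed", "version": 1}""")

# Constructed sample of `gcloud secrets versions list db-password --format=json`.
VERSIONS = json.loads("""[
  {"name": "projects/p/secrets/db-password/versions/3", "state": "ENABLED",
   "createTime": "2024-03-01T12:00:00.000000Z"},
  {"name": "projects/p/secrets/db-password/versions/2", "state": "ENABLED",
   "createTime": "2023-09-01T12:00:00.000000Z"},
  {"name": "projects/p/secrets/db-password/versions/1", "state": "ENABLED",
   "createTime": "2023-03-01T12:00:00.000000Z"}]""")
REVIEW_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)  # constructed "today" for the review

# Roles that can read or replace the payload; viewer sees only metadata and is not flagged.
PAYLOAD_ROLES = {"roles/secretmanager.secretAccessor", "roles/secretmanager.admin",
                 "roles/secretmanager.secretVersionManager"}

def audit_bindings(policy):
    """Return (reason, role, member) for principals that should not hold payload access."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in PAYLOAD_ROLES:
            continue
        for member in binding["members"]:
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(("public", binding["role"], member))
            elif member.split(":", 1)[0] in ("user", "group", "domain"):
                findings.append(("human-or-group", binding["role"], member))
    return findings

def audit_versions(versions, now, max_enabled=2, stale_days=90):
    """Flag enabled versions beyond what a rotation needs, and a newest version past its rotation age."""
    enabled = sorted((v for v in versions if v["state"] == "ENABLED"),
                     key=lambda v: v["createTime"], reverse=True)
    findings = []
    if len(enabled) > max_enabled:  # superseded versions to disable, never destroy
        findings.append(("sprawl", [v["name"].rsplit("/", 1)[1] for v in enabled[max_enabled:]]))
    if enabled:
        newest = datetime.fromisoformat(enabled[0]["createTime"].replace("Z", "+00:00"))
        if (now - newest).days > stale_days:
            findings.append(("stale", enabled[0]["name"].rsplit("/", 1)[1]))
    return findings
```

Feed real `gcloud` JSON into `POLICY` and `VERSIONS` per secret to produce sections (a) and (c) of the requested output; the check reads metadata only and never touches payloads.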
