GCP Secret Manager Access & Rotation Review Prompt
Review Secret Manager secrets for over-broad access, missing rotation, sprawling versions, and replication/CMEK gaps — so secrets follow least privilege and rotate without breaking the workloads that read them.
- Target user: Security, platform, and DevOps engineers managing secrets on GCP
- Difficulty: Advanced
- Tools: Claude, ChatGPT, Cursor
The prompt
You are a senior GCP security engineer who reviews Secret Manager for least privilege and safe rotation, because a leaked or over-shared secret undoes every other control.

I will provide:

- Secret inventory: `gcloud secrets list` and per-secret `gcloud secrets get-iam-policy` bindings
- Version state: `gcloud secrets versions list` (enabled/disabled/destroyed counts), and any configured rotation schedule
- Replication policy (automatic vs user-managed locations) and CMEK status per secret
- Who and what consumes each secret: service accounts, Cloud Run/GKE workloads, and whether they read `latest` or a pinned version

Your job:

1. **Audit access** — flag secrets granting `secretmanager.secretAccessor` to broad groups, allUsers/allAuthenticatedUsers, or human users where only a service account should read, and scope bindings to the per-secret resource level, not project-wide.
2. **Check rotation** — identify secrets with no rotation schedule or a single stale version, and recommend a rotation cadence and the add-version + disable-old workflow that won't break readers.
3. **Manage versions** — find sprawling enabled versions and recommend disabling (not destroying) superseded ones, and warn about consumers that read `latest` during rotation.
4. **Validate residency & CMEK** — confirm the replication policy meets data-residency needs and that sensitive secrets use CMEK where required.
5. **Plan safe rotation** — give a sequence that adds the new version, lets consumers pick it up, then disables the old one, with a rollback step.

Output as: (a) over-permissive bindings to fix, (b) rotation gaps and recommended cadence, (c) version-cleanup actions, (d) safe rotation runbook.

Read-only/advisory — never destroy versions or reveal secret payloads.
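The access-audit and version-cleanup steps above are mechanical enough to script. The following is an added example, not part of the original prompt page, that runs the two checks over JSON in the shape `gcloud secrets get-iam-policy SECRET --format=json` and `gcloud secrets versions list SECRET --format=json` print. The sample policy and version list are constructed for illustration (the project number, secret name and principals are placeholders), the 90-day staleness threshold is an assumed cadence, and the "only service accounts may read" rule follows the prompt's wording rather than any GCP default.

```python
"""Flag over-broad secretAccessor bindings and version sprawl for one secret.

Added example; assumes the two JSON documents below were saved from
`gcloud secrets get-iam-policy` and `gcloud secrets versions list`.
Both samples are constructed, not captured from a real project.
"""
import json
from datetime import datetime, timedelta

ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

# Constructed sample: per-secret IAM policy in the shape gcloud prints.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:api@example-project.iam.gserviceaccount.com",
                 "group:eng-all@example.com",
                 "user:alice@example.com",
                 "allAuthenticatedUsers"]},
    {"role": "roles/secretmanager.viewer",
     "members": ["user:bob@example.com"]}
  ]
}
""")

# Constructed sample: version list for the same (placeholder) secret.
SAMPLE_VERSIONS = json.loads("""
[
  {"name": "projects/123/secrets/db-password/versions/5", "state": "ENABLED",
   "createTime": "2023-01-10T12:00:00Z"},
  {"name": "projects/123/secrets/db-password/versions/4", "state": "ENABLED",
   "createTime": "2022-10-01T12:00:00Z"},
  {"name": "projects/123/secrets/db-password/versions/3", "state": "ENABLED",
   "createTime": "2022-07-01T12:00:00Z"},
  {"name": "projects/123/secrets/db-password/versions/2", "state": "DISABLED",
   "createTime": "2022-04-01T12:00:00Z"},
  {"name": "projects/123/secrets/db-password/versions/1", "state": "DESTROYED",
   "createTime": "2022-01-01T12:00:00Z"}
]
""")


def audit_accessor_bindings(policy):
    """Return (member, reason) pairs for secretAccessor grants that are not
    service accounts: public principals, groups, and human users. Other
    roles (viewer, admin) are out of scope for this check."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != ACCESSOR_ROLE:
            continue
        for member in binding.get("members", []):
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append((member, "public principal"))
            elif member.startswith("group:"):
                findings.append((member, "group binding"))
            elif member.startswith("user:"):
                findings.append((member, "human user"))
            # serviceAccount: members are the expected readers; left alone.
    return findings


def _parse_time(rfc3339):
    """Parse the RFC 3339 timestamps gcloud emits (trailing 'Z')."""
    return datetime.fromisoformat(rfc3339.replace("Z", "+00:00"))


def audit_versions(versions, now_rfc3339, max_age_days=90):
    """Summarise sprawl and staleness: how many versions are ENABLED, which
    superseded ones should be disabled (never destroyed), and whether the
    newest enabled version is older than max_age_days (assumed cadence)."""
    enabled = sorted((v for v in versions if v["state"] == "ENABLED"),
                     key=lambda v: v["createTime"], reverse=True)
    stale = False
    if enabled:
        age = _parse_time(now_rfc3339) - _parse_time(enabled[0]["createTime"])
        stale = age > timedelta(days=max_age_days)
    return {
        "enabled_count": len(enabled),
        # Keep the newest enabled version; everything older is a disable candidate.
        "disable_candidates": [v["name"].rsplit("/", 1)[1] for v in enabled[1:]],
        "newest_stale": stale,
    }


if __name__ == "__main__":
    for member, reason in audit_accessor_bindings(SAMPLE_POLICY):
        print(f"over-broad accessor: {member} ({reason})")
    print(audit_versions(SAMPLE_VERSIONS, "2023-06-01T00:00:00Z"))
```

Disable candidates are reported by version number so they can be fed to `gcloud secrets versions disable`, which is reversible; the script never suggests `destroy`, matching the read-only/advisory stance of the prompt.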
Related prompts
- Cloud KMS Key Management & Rotation Review Prompt: Review Cloud KMS key rings, rotation, IAM, and CMEK usage so encryption keys follow least privilege and rotate safely without breaking access to data encrypted under old key versions.
- GCP IAM Least-Privilege Binding Review Prompt: Audit IAM bindings across a project or folder to strip over-broad primitive roles, scope service accounts, and add IAM Conditions — without breaking the workloads that actually need access.