
Google Cloud Secrets - Reusing a secret


I am using Google Cloud Secrets in a NodeJS Project. I am moving away from using preset environment variables and trying to find out the best practice to store and reuse secrets.

The 3 main routes I've found to use secrets are:

  1. Fetching all secrets on startup and setting them as ENV variables for later use
  2. Fetching all secrets on startup and setting them as constant variables
  3. Each time a secret is required, fetch it from Cloud Secrets

Google's own best practice documentation mentions 2 conflicting things:

  1. Use ENV variables to set secrets at startup (source)
  2. Don't use ENV variables, as they can be accessed in debug endpoints and traversal attacks, among other things (source)

My questions are:

  1. Should I store secrets as variables to be re-used or should I fetch them each time?
  2. Does this have an impact on quotas?

Solution

  • The best practice is to load the secret once (at startup, or the first time it is accessed) to optimize performance and prevent API call latency. And yes, the access secret quota is impacted on each access.

    If a debugger tool is connected to the environment, variables and env var data can be compromised. The threat is roughly the same. Be sure to secure the environment correctly.
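One way to implement the "load once" approach the answer recommends, as an added Node.js example that is not part of the original question or answer: a small cache that fetches each secret on first use, de-duplicates concurrent requests for the same secret (so a burst of callers at startup costs one API call), and lets you invalidate an entry after rotation. The fetch function is injected so the module runs offline; the resource names, the `FAKE_SECRET_STORE` contents and `fakeFetchSecret` are constructed stand-ins, and the commented wiring to `@google-cloud/secret-manager` is the only part that assumes the real client.

```javascript
// Added example (not from the original post): cache each secret after its
// first fetch and de-duplicate concurrent fetches, so the Secret Manager
// access quota is consumed once per secret rather than once per use.
//
// fetchSecret(name) is injected so this file runs offline. In production you
// would pass a function backed by @google-cloud/secret-manager, e.g.:
//   const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
//   const client = new SecretManagerServiceClient();
//   const fetchSecret = async (name) => {
//     const [version] = await client.accessSecretVersion({ name });
//     return version.payload.data.toString('utf8');
//   };

function createSecretCache(fetchSecret) {
  const values = new Map();   // resource name -> resolved secret string
  const inFlight = new Map(); // resource name -> pending Promise (dedupes bursts)
  let apiCalls = 0;

  async function get(name) {
    if (values.has(name)) return values.get(name);
    if (inFlight.has(name)) return inFlight.get(name);
    const pending = (async () => {
      apiCalls += 1;
      try {
        const value = await fetchSecret(name);
        values.set(name, value); // only successful fetches are cached
        return value;
      } finally {
        inFlight.delete(name);
      }
    })();
    inFlight.set(name, pending);
    return pending;
  }

  // Drop a cached value (e.g. after rotating the secret) so the next get()
  // fetches the current version again.
  function invalidate(name) {
    values.delete(name);
  }

  return { get, invalidate, apiCalls: () => apiCalls };
}

// Constructed stand-in for Secret Manager: resource name -> payload.
const FAKE_SECRET_STORE = {
  'projects/demo-project/secrets/db-password/versions/latest': 'db-pass-constructed',
  'projects/demo-project/secrets/api-key/versions/latest': 'api-key-constructed',
};

async function fakeFetchSecret(name) {
  await new Promise((resolve) => setTimeout(resolve, 5)); // simulate API latency
  if (!(name in FAKE_SECRET_STORE)) throw new Error(`secret not found: ${name}`);
  return FAKE_SECRET_STORE[name];
}

// Demonstrates the quota effect: five reads of two secrets (three of them
// concurrent) cost two API calls, and one more only after an invalidation.
async function runDemo() {
  const secrets = createSecretCache(fakeFetchSecret);
  const db = 'projects/demo-project/secrets/db-password/versions/latest';
  const key = 'projects/demo-project/secrets/api-key/versions/latest';

  const results = await Promise.all([secrets.get(db), secrets.get(db), secrets.get(key)]);
  await secrets.get(db);
  await secrets.get(key);
  const callsBeforeInvalidate = secrets.apiCalls();

  secrets.invalidate(db); // e.g. after the db-password secret was rotated
  await secrets.get(db);

  return { results, callsBeforeInvalidate, callsAfterInvalidate: secrets.apiCalls() };
}

if (typeof require !== 'undefined' && require.main === module) {
  runDemo().then((r) => console.log(r));
}

module.exports = { createSecretCache, runDemo };
```

Because the value lives only in module scope rather than `process.env`, it is not exposed by code paths that dump the environment, but, as the answer notes, anything with debugger access to the process can still read it, so the cache does not replace securing the runtime itself.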