This document includes the best practices and guidelines for Secret Manager when running generative AI workloads on Google Cloud. Use Secret Manager with Vertex AI to help secure the sensitive data and credentials that are used in Vertex AI projects.
Consider the following use cases for Secret Manager with Vertex AI:
- Store API keys for accessing external data sources used in model training.
- Encrypt database credentials within prediction pipelines for secure access.
- Provision temporary access tokens for secure communication between services.
- Secure private keys and certificates that you use for encrypting communication channels.
- Manage passwords and credentials for third-party services that you use in your ML workflows.
Required Secret Manager controls
The following controls are strongly recommended when using Secret Manager.
Set up automatic secret rotation
| Google control ID | SM-CO-6.2 |
|---|---|
| Category | Required |
| Description | Automatically rotate secrets and have emergency rotation procedures available in case of a compromise. |
| Applicable products | |
| Related NIST-800-53 controls | |
| Related CRI profile controls | |
| Related information | |
Recommended controls based on generative AI use case
If you handle sensitive data or sensitive generative AI workloads, we recommend that you implement the following controls in your applicable generative AI use cases.
Replicate secrets automatically
| Google control ID | SM-CO-6.1 |
|---|---|
| Category | Recommended |
| Description | Choose the automatic replication policy to replicate your secrets unless your workload has specific location requirements. The automatic policy meets the availability and performance needs of most workloads. If your workload has specific location requirements, you can use the API to select the locations for the replication policy when you create the secret. |
| Applicable products | |
| Related NIST-800-53 controls | |
| Related CRI profile controls | |
| Related information | |
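Both controls above (SM-CO-6.2 and SM-CO-6.1) can be checked against the metadata of existing secrets. The following Python audit is an added example, not part of the original guidance or Google's tooling. It assumes secret metadata in the JSON shape returned by `gcloud secrets describe NAME --format=json`; the sample secrets, the function names, and the 90-day period ceiling are constructed for illustration.

```python
import re

# Constructed sample input shaped like the Secret resource printed by
# `gcloud secrets describe NAME --format=json` (project and names are made up).
SAMPLE_SECRETS = [
    {"name": "projects/123/secrets/training-api-key",
     "replication": {"automatic": {}},
     "rotation": {"nextRotationTime": "2030-01-01T00:00:00Z", "rotationPeriod": "2592000s"},
     "topics": [{"name": "projects/123/topics/secret-rotation"}]},
    {"name": "projects/123/secrets/db-password",
     "replication": {"userManaged": {"replicas": [{"location": "europe-west1"}]}}},
    {"name": "projects/123/secrets/tls-key",
     "replication": {"automatic": {}},
     "rotation": {"nextRotationTime": "2030-06-01T00:00:00Z", "rotationPeriod": "31536000s"},
     "topics": [{"name": "projects/123/topics/secret-rotation"}]},
]

MAX_PERIOD_S = 90 * 24 * 3600  # assumed local policy ceiling, not a Google-defined value


def audit_secret(secret, max_period_s=MAX_PERIOD_S):
    """Return findings for one secret, keyed by the page's control IDs."""
    findings = []
    rotation = secret.get("rotation") or {}
    period = re.fullmatch(r"(\d+)(?:\.\d+)?s", rotation.get("rotationPeriod") or "")
    if not rotation.get("nextRotationTime"):
        findings.append("SM-CO-6.2: no rotation schedule")
    elif not period:
        findings.append("SM-CO-6.2: one-time rotation only, no recurring period")
    elif int(period.group(1)) > max_period_s:
        findings.append("SM-CO-6.2: rotation period exceeds policy ceiling")
    replication = secret.get("replication") or {}
    if "automatic" not in replication:
        replicas = replication.get("userManaged", {}).get("replicas", [])
        locations = ", ".join(r["location"] for r in replicas if r.get("location"))
        findings.append("SM-CO-6.1: user-managed replication in %s; "
                        "confirm a location requirement" % (locations or "no locations"))
    return findings


def audit(secrets):
    """Map each secret name to its findings, omitting secrets with none."""
    report = {s["name"]: audit_secret(s) for s in secrets}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_SECRETS).items():
        print(name, found)
```

A rotation schedule in Secret Manager only publishes notifications to the secret's Pub/Sub topics, so a passing check still depends on a subscriber that actually adds the new secret version.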
What's next
Review Security Command Center controls.
See more Google Cloud security best practices and guidelines for generative AI workloads.