Using secret API keys in a Google Cloud Compute Engine Instance Template Startup Script. Where should it be stored and how can I read the value?

Always store the API keys in the environment variables.Please use the below commands for the same,

For linux:

export API_KEY=”your_secret_key_here”

For windows:

Set API_KEY=your_secret_key_here (ensure all these commands are executed before your application starts)

Also you can use the secret manager which is helpful to store and access API keys and please refer to the official GCP documentation to know more about the secret manager.

Additionally you can check these documents for more detailed information.Please let us know if the above information is helpful.

In GCP, it is recommended to store secrets, in this case the secret API keys, in google secret manager(GSM)

1. Create a secret in GSM
2. Upload API key to GSM
3. Grant the service account associated with the compute engine IAM access to the secret - the role is secretmanager.secretAccessor
4. Modify your startup script to pull the API key from GSM and assign it to a variable, say API_KEY_VAR and pass that to curl as below -

curl --location 'https://my-side.com/hello?hostname=$hostname' \
    --header "Authorization: $API_KEY_VAR"

You can use gcloud secrets versions access command to pull the secret.