Google Cloud Platform Secret Manager
The Google Cloud Platform (GCP) Secret Manager sync destination allows Vault to synchronize secrets to your GCP projects. This is a low-footprint option: applications read the synced copy through the Secret Manager API, so they benefit from Vault-managed secrets without needing Vault credentials or network access to Vault. Keep in mind that access to the copy held in GCP is governed by GCP IAM on the target project, not by Vault policies. This guide walks you through the configuration process.
Prerequisites:
- Ability to read or create KVv2 secrets
- Ability to create GCP Service Account credentials with access to Secret Manager
- Ability to create sync destinations and associations on your Vault server
Setup
If you do not already have a Service Account, navigate to the IAM & Admin page in the Google Cloud console to create a new Service Account with the necessary permissions. Instructions to provision this Service Account via Terraform can be found in the Provision service account section below.
Configure a sync destination with the Service Account JSON credentials created in the previous step. See the docs for alternative ways to pass in the credentials parameter.
Output:
Usage
If you do not already have a KVv2 secret to sync, mount a new KVv2 secrets engine.
Output:
Create the secrets you wish to sync to the target GCP Secret Manager.
Output:
Create an association between the destination and a secret to synchronize.
Output:
Navigate to the Secret Manager in the Google Cloud console to confirm your secret was successfully created in your GCP project.
Moving forward, any modification to the Vault secret is propagated in near real time to its GCP Secret Manager counterpart. Creating a new secret version in Vault creates a new version in GCP Secret Manager. Deleting the secret or the association in Vault deletes the secret in your GCP project as well, so treat removing an association as a destructive operation for any workload that reads the synced copy.
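The setup and usage steps above as one script, added here as an example and not taken from the Vault documentation. It adds the check a practitioner wants before handing a key file to Vault (is it really a service account key, and is it readable only by its owner) and shows which project the secrets will land in by default. Assumed names: destination gcp-sm-demo, KV v2 mount syncdemo, secret db-password, key file ./sa-key.json; running sync_setup needs VAULT_ADDR and VAULT_TOKEN for a Vault Enterprise server with secrets sync, and gcloud authenticated against the project.

```shell
#!/bin/sh
# Added example, not from the Vault documentation: the setup and usage steps
# as one script, with a local sanity check of the service account key file
# before it is handed to Vault. Assumed names: destination gcp-sm-demo,
# KV v2 mount syncdemo, secret db-password, key file ./sa-key.json.

# "yes" if the JSON file is a service account key rather than a user
# credential or workload identity configuration, else "no".
sa_key_type_ok() {
  if grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1"; then
    echo yes
  else
    echo no
  fi
}

# project_id embedded in the key file: the project Vault syncs into when the
# destination is created without an explicit project_id.
sa_key_project() {
  sed -n 's/.*"project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# "yes" if only the owner can read the key file (mode 600 or 400), else "no".
sa_key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) echo yes ;;
    *) echo no ;;
  esac
}

sync_setup() {
  key=${1:-./sa-key.json}
  [ "$(sa_key_type_ok "$key")" = yes ] || { echo "$key is not a service account key" >&2; return 1; }
  [ "$(sa_key_mode_ok "$key")" = yes ] || { echo "$key is readable by other users" >&2; return 1; }
  project=$(sa_key_project "$key")
  echo "secrets will be synced into project: $project"

  # Setup: create the destination. Vault stores the credential; the local
  # copy is not needed after this call.
  vault write sys/sync/destinations/gcp-sm/gcp-sm-demo credentials=@"$key"

  # Usage: a KV v2 mount, a secret (constructed sample value), and an
  # association between the secret and the destination.
  vault secrets enable -path=syncdemo kv-v2
  vault kv put syncdemo/db-password password=s3cr3t-v1
  vault write sys/sync/destinations/gcp-sm/gcp-sm-demo/associations/set \
    mount=syncdemo secret_name=db-password

  # Confirm from Vault's side (sync status per associated secret) ...
  vault read sys/sync/destinations/gcp-sm/gcp-sm-demo/associations
  # ... and from GCP's side, the CLI equivalent of checking the console.
  gcloud secrets list --project "$project"

  # A new Vault version becomes a new Secret Manager version; inspect it with
  # gcloud secrets versions list on the synced secret.
  vault kv put syncdemo/db-password password=s3cr3t-v2
}

# Only run against a real server when one is configured.
if [ -n "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
  sync_setup "${1:-./sa-key.json}"
fi
```

The three helper functions run offline; everything under sync_setup talks to Vault and GCP. The mode check matters because the key file is the only credential Vault needs to create, overwrite and delete secrets in the project.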
Permissions
The credentials given to Vault must have the following permissions to synchronize secrets:
Provision service account
Vault needs to be configured with credentials to establish a trust relationship with your GCP project so it can manage Secret Manager secrets on your behalf. The IAM & Admin page in the Google Cloud console can be used to create a new Service Account with access to Secret Manager.
Alternatively, you can use the Terraform Google provider to provision a GCP Service Account with the appropriate IAM bindings.
Copy-paste this HCL snippet into a secrets-sync-setup.tf file. Execute a plan to validate that the Terraform Google provider is properly configured.
Output:
Execute an apply to provision the Service Account.
Output:
The generated Service Account credentials file can then be used to configure the Vault GCP Secret Manager destination following the setup steps. Treat this file as a secret: it is the long-lived credential that authorizes Vault to manage Secret Manager in your project, so restrict its file permissions and delete the local copy once Vault has stored it.
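An added example of the plan/apply procedure, written here and not the HCL snippet from the Vault documentation: it writes a Terraform configuration for the service account, its project-level role binding and a key file, applies exactly the plan that was reviewed, and then checks the key file it produced. Assumptions: the project id is passed as the first argument, the service account id is vault-secrets-sync, the key is written to ./sa-key.json, and roles/secretmanager.admin is used as the predefined role that covers the permissions listed in the Permissions section (a custom role containing exactly that list would be tighter).

```shell
#!/bin/sh
# Added example, not the snippet from the Vault documentation: provisions the
# service account with Terraform and checks the key file it wrote. Assumed:
# project id in $1, account id vault-secrets-sync, key at ./sa-key.json,
# roles/secretmanager.admin as the role (a custom role would be tighter).

# Write secrets-sync-setup.tf into the directory given as $1.
write_tf() {
  cat > "$1/secrets-sync-setup.tf" <<'EOF'
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    local  = { source = "hashicorp/local" }
  }
}

variable "project_id" { type = string }

provider "google" {
  project = var.project_id
}

resource "google_service_account" "vault_sync" {
  account_id   = "vault-secrets-sync"
  display_name = "Vault secrets sync"
}

# Bind the role on the project, not on individual secrets: Vault must be able
# to create new secrets, not only update existing ones.
resource "google_project_iam_member" "vault_sync" {
  project = var.project_id
  role    = "roles/secretmanager.admin"
  member  = "serviceAccount:${google_service_account.vault_sync.email}"
}

resource "google_service_account_key" "vault_sync" {
  service_account_id = google_service_account.vault_sync.name
}

# local_sensitive_file keeps the key out of plan output and sets mode 0600.
resource "local_sensitive_file" "vault_sync_key" {
  content         = base64decode(google_service_account_key.vault_sync.private_key)
  filename        = "${path.module}/sa-key.json"
  file_permission = "0600"
}
EOF
}

# "yes" if the generated key file exists and is readable by its owner only.
key_file_ok() {
  [ -f "$1" ] || { echo no; return; }
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) echo yes ;;
    *) echo no ;;
  esac
}

provision() {
  project=$1
  write_tf .
  terraform init -input=false
  terraform plan -input=false -var "project_id=$project" -out=tfplan
  terraform apply -input=false tfplan   # apply exactly what was planned
  [ "$(key_file_ok ./sa-key.json)" = yes ] || { echo "sa-key.json missing or too permissive" >&2; return 1; }
  echo "key written to ./sa-key.json: pass it as the credentials parameter, then delete the local copy"
}

if [ -n "${1:-}" ] && command -v terraform >/dev/null 2>&1; then
  provision "$1"
fi
```

Saving the plan and applying that file, rather than running apply directly, means the IAM change that reaches the project is the one that was reviewed in the plan output.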
Targeting specific GCP projects
By default, the target GCP project to sync secrets with is derived from the service account JSON credentials or application default credentials for a particular GCP sync destination. This means secrets will be synced within the parent project of the configured service account.
In some cases, it's desirable to use a single service account or workload identity to sync secrets with any number of GCP projects within an organization. To achieve this, you can set the project_id parameter to the target project to sync secrets with:
This overrides the project ID derived from the service account JSON credentials or application default credentials. The service account must be authorized to perform Secret Manager actions in the target project.
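An added example for cross-project syncing, not from the Vault documentation: it resolves which project a destination will actually sync into (an explicit project_id wins over the one embedded in the key), lists the roles the service account holds directly on the target project so the authorization requirement above can be checked before secrets start flowing, and then creates the destination with project_id set. Assumed names: destination gcp-sm-shared, key file ./sa-key.json, target project passed as the first argument; the gcloud query needs resourcemanager.projects.getIamPolicy on the target project.

```shell
#!/bin/sh
# Added example, not from the Vault documentation: a destination that targets
# a project other than the key's own, with an IAM check on the target first.
# Assumed: destination gcp-sm-shared, key ./sa-key.json, target project in $1.

# project_id embedded in the key file (the default target when none is given).
sa_key_project() {
  sed -n 's/.*"project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# client_email from the key file: the IAM member to look up.
sa_key_email() {
  sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# The project Vault syncs into: an explicit project_id overrides the one
# embedded in the credentials.
effective_project() {
  key=$1
  override=${2:-}
  if [ -n "$override" ]; then
    echo "$override"
  else
    sa_key_project "$key"
  fi
}

# Roles bound directly to the service account on a project. Bindings
# inherited from a folder or organization are not listed, so an empty result
# is a prompt to look further, not proof of missing access.
sa_roles_in_project() {
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$2" \
    --format='value(bindings.role)'
}

create_shared_destination() {
  key=$1
  target=$2
  email=$(sa_key_email "$key")
  echo "key project: $(sa_key_project "$key"); syncing into: $(effective_project "$key" "$target")"
  echo "roles of $email in $target:"
  sa_roles_in_project "$target" "$email"
  vault write sys/sync/destinations/gcp-sm/gcp-sm-shared \
    credentials=@"$key" project_id="$target"
  # Read the destination back to confirm the stored configuration.
  vault read sys/sync/destinations/gcp-sm/gcp-sm-shared
}

if [ -n "${1:-}" ] && [ -n "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
  create_shared_destination ./sa-key.json "$1"
fi
```

If the roles listed for the target project do not include a Secret Manager role, the association will be created in Vault but the sync to that project will fail; checking first avoids discovering that through a failed sync status.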
API
Please see the secrets sync API for more details.