HashiDays One conference. Three cities. Find a city near you
Vault
Vault Home

GCP import source

Use the GCP source to import secret data from the GCP Secret Manager into your Vault instance. To use dynamic credentials for this source, ensure that the GCP secrets engine has already been configured.

GCP source parameters

  • name - (Required) The unique name used by Vault to reference the GCP source elsewhere (e.g., in a mapping).

  • credentials - (Optional) The path to the service account key credentials file for the service account with the necessary permissions. If credentials is set, then vault_mount_path and vault_role_name must be unset.

  • vault_mount_path - (Optional) The Vault mount path to a pre-configured GCP secrets engine used to generate dynamic credentials for the importer. If vault_mount_path or vault_role_name are set, then credentials must be unset.

  • vault_role_name - (Optional) The Vault role used to generate a dynamic credential for the importer. The role name must exist in the pre-configured GCP secrets engine mount. If vault_role_name or vault_mount_path are set, then credentials must be unset.

Example

Define and configure the my-gcp-source-1 GCP source:

source_gcp {
  name                 = "my-gcp-source-1"
  secrets_engine_mount = "gcp"
  secrets_engine_role  = "my-gcp-role-1"
}

Permissions

To use a GCP source, you must grant the GCP identity being used to read secrets the following permissions:

"secretmanager.secrets.list",
"secretmanager.versions.access",
Edit this page on GitHub