Vault
GCP secret import source
Use the GCP Importer to read secret data from GCP Secrets Manager into your Vault instance.
Before you start
- You must know the relevant GCP credentials. You can provide the credentials as environment variables, as explicit arguments, or use dynamic credentials from an existing GCP secrets plugin mount path.
Step 1: Set GCP Identity permissions
To use GCP import, you must grant the associated GCP identity permission to read secrets:
- secretmanager.secrets.list
- secretmanager.versions.access
Step 2: Define the GCP source
The following configuration example uses GCP static credentials to import secrets from GCP Secrets Manager:
source_gcp {
  name             = "my-gcp-source-1"
  credentials_file = "/path/to/credentials-file"
}
If credentials_file is set, then vault_mount_path, vault_role_name, vault_namespace, vault_address, and vault_credentials_file must be unset.
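For comparison, a source block that uses dynamic credentials from an existing GCP secrets plugin mount instead of a key file. This is an added example, not taken from the original documentation; the source name, mount path, role name, namespace, address, and token file path are placeholder values.

```hcl
# Added example: dynamic credentials instead of a static key file.
# Every value below is a placeholder (assumption), not from the original page.
source_gcp {
  name = "my-gcp-source-2"

  # Mount path of a pre-configured GCP secrets engine on the Vault server
  vault_mount_path = "gcp"

  # Role on that mount used to generate credentials for the importer
  vault_role_name = "importer-role"

  # Namespace that contains the mount named in vault_mount_path
  vault_namespace = "admin"

  # Vault server that hosts the GCP secrets engine
  vault_address = "https://vault.example.com:8200"

  # Local file holding a valid token for the server at vault_address
  vault_credentials_file = "/path/to/vault-token-file"

  # credentials_file is intentionally absent: it cannot be combined
  # with the vault_* arguments above.
}
```

Restrict read access on the token file to the account that runs the import, as you would for the service account key file in the static case.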
Argument reference
Refer to the HCL syntax for arguments common to all source types.
- vault_mount_path (string: "") - The Vault mount path to a pre-configured GCP secrets engine used to generate dynamic credentials for the importer.
- vault_role_name (string: "") - GCP secrets plugin role used to generate dynamic credentials for the importer. Only required for dynamic credentials.
- vault_namespace (string: "") - Vault namespace for the mount path specified in vault_mount_path. Only required for dynamic credentials.
- vault_address (string: "") - The address of your Vault server. Only required for dynamic credentials.
- vault_credentials_file (string: "") - Local path to a file containing a valid token for the Vault server at vault_address. Only required for dynamic credentials.
- credentials_file (string: "") - The path to the service account key credentials file to authenticate with.