HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for version v1.18.x. View latest version.

GCP secret import source

Use the GCP source to import secret data from GCP Secret Manager into your Vault instance. To use dynamic credentials with GCP import, ensure the GCP secrets engine is already configured.

Argument reference

Refer to the HCL syntax for arguments common to all source types.

Additional arguments

  • credentials (string: "") - The path to the service account key credentials file for the service account with the necessary permissions. If credentials is set, then vault_mount_path and vault_role_name must be unset.

  • vault_mount_path (string: "") - The Vault mount path to a pre-configured GCP secrets engine used to generate dynamic credentials for the importer. If one of vault_mount_path, vault_role_name, or vault_namespace are set, then credentials must be unset.

  • vault_role_name (string: "") - The Vault role used to generate a dynamic credential for the importer. The role name must exist in the pre-configured GCP secrets engine mount. If one of vault_mount_path, vault_role_name, or vault_namespace are set, then credentials must be unset.

  • vault_namespace (string: "") - The Vault namespace containing the preconfigured GCP secrets engine mount path specified in vault_mount_path for use with dynamic secrets. If one of vault_mount_path, vault_role_name, or vault_namespace are set, then credentials must be unset.

Example

Define and configure the my-gcp-source-1 GCP source:

source_gcp {
  name             = "my-gcp-source-1"
  vault_mount_path = "gcp"
  vault_role_name  = "my-gcp-role-1"
  vault_namespace  = "ns-1"
}

Permissions

To use GCP import, you must grant the associated GCP identity permission to read secrets:

"secretmanager.secrets.list",
"secretmanager.versions.access",
Edit this page on GitHub