Vault
GCP secret import source
Use the GCP source to import secret data from GCP Secret Manager into your Vault instance. To use dynamic credentials with GCP import, ensure the GCP secrets engine is already configured.
Argument reference
Refer to the HCL syntax for arguments common to all source types.
Additional arguments
credentials
(string: "")
- The path to the service account key credentials file for the service account with the necessary permissions. Ifcredentials
is set, thenvault_mount_path
andvault_role_name
must be unset.vault_mount_path
(string: "")
- The Vault mount path to a pre-configured GCP secrets engine used to generate dynamic credentials for the importer. If one ofvault_mount_path
,vault_role_name
, orvault_namespace
are set, thencredentials
must be unset.vault_role_name
(string: "")
- The Vault role used to generate a dynamic credential for the importer. The role name must exist in the pre-configured GCP secrets engine mount. If one ofvault_mount_path
,vault_role_name
, orvault_namespace
are set, thencredentials
must be unset.vault_namespace
(string: "")
- The Vault namespace containing the preconfigured GCP secrets engine mount path specified invault_mount_path
for use with dynamic secrets. If one ofvault_mount_path
,vault_role_name
, orvault_namespace
are set, thencredentials
must be unset.
Example
Define and configure the my-gcp-source-1
GCP source:
source_gcp {
name = "my-gcp-source-1"
vault_mount_path = "gcp"
vault_role_name = "my-gcp-role-1"
vault_namespace = "ns-1"
}
Permissions
To use GCP import, you must grant the associated GCP identity permission to read secrets:
"secretmanager.secrets.list",
"secretmanager.versions.access",