HashiDays One conference. Three cities. Find a city near you
Vault
Vault Home

GCP import source

Use the GCP source to import secret data from GCP Secret Manager into your Vault instance. To use dynamic credentials with GCP import, ensure the GCP secrets engine is already configured.

Argument reference

Refer to the HCL syntax for arguments common to all source types.

Additional arguments

  • credentials (string: "") - The path to the service account key credentials file for the service account with the necessary permissions. If credentials is set, then vault_mount_path and vault_role_name must be unset.

  • vault_mount_path (string: "") - The Vault mount path to a pre-configured GCP secrets engine used to generate dynamic credentials for the importer. If vault_mount_path or vault_role_name are set, then credentials must be unset.

  • vault_role_name (string: "") - The Vault role used to generate a dynamic credential for the importer. The role name must exist in the pre-configured GCP secrets engine mount. If vault_role_name or vault_mount_path are set, then credentials must be unset.

Example

Define and configure the my-gcp-source-1 GCP source:

source_gcp {
  name                 = "my-gcp-source-1"
  secrets_engine_mount = "gcp"
  secrets_engine_role  = "my-gcp-role-1"
}

Permissions

To use GCP import, you must grant the associated GCP identity permission to read secrets:

"secretmanager.secrets.list",
"secretmanager.versions.access",
Edit this page on GitHub