GCP Secret Manager

How to sync secrets from Infisical to GCP Secret Manager

Prerequisites (OAuth2 method):

  • Set up and add environment variables to Infisical Cloud

1. Authorize Infisical for GCP

Navigate to your project’s integrations tab in Infisical.

Press the GCP Secret Manager tile and select Continue with OAuth.

Grant Infisical access to GCP.

If this is your project’s first cloud integration, then you’ll have to grant Infisical access to your project’s environment variables. Although this step breaks E2EE, it’s necessary for Infisical to sync the environment variables to the cloud platform.

2. Start integration

In the Connection tab, select which Infisical environment's secrets you want to sync to which GCP Secret Manager project. Lastly, press create integration to start syncing secrets to GCP Secret Manager.

Note that the GCP Secret Manager integration supports a few options in the Options tab:

  • Secret Prefix: If set, the prefix is prepended to every secret name before it is synced.
  • Secret Suffix: If set, the suffix is appended to every secret name before it is synced.
  • Label in GCP Secret Manager: If selected, every secret will be labeled in GCP Secret Manager (e.g. as managed-by:infisical); labels can be customized.

Setting a secret prefix, suffix, or enabling the labeling option ensures that existing secrets in GCP Secret Manager are not overwritten during the sync. As part of this process, Infisical abstains from mutating any secrets in GCP Secret Manager without the specified prefix, suffix, or attached label.

Using Infisical to sync secrets to GCP Secret Manager requires that you enable the Service Usage API and Cloud Resource Manager API in the Google Cloud project you want to sync secrets to.

Additionally, ensure that your GCP account has sufficient permissions to manage secret and service resources (you can assign the Secret Manager Admin and Service Usage Admin roles for testing purposes).

Prerequisites (service account JSON method):

  • Set up and add environment variables to Infisical Cloud
  • Have a GCP project and have/create a service account in it

1. Authorize Infisical for GCP

Navigate to the IAM & Admin page in GCP and add the Secret Manager Admin and Service Usage Admin roles to the service account.

For enhanced security, you may want to assign more granular permissions to the service account. At minimum, the service account should be able to read/write secrets from/to GCP Secret Manager (e.g. Secret Manager Admin role) and list which GCP services are enabled/disabled (e.g. Service Usage Admin role).
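One way to check what the service account can actually do before pasting its key into Infisical, as an added example (not Infisical's code): it reads a project IAM policy and reports whether the account has the two roles named above and whether it also holds broader ones. The policy is a constructed sample, and the account name and function names are hypothetical.

```python
import json

# Role IDs of the two roles this page names.
REQUIRED_ROLES = {
    "roles/secretmanager.admin",             # Secret Manager Admin
    "roles/serviceusage.serviceUsageAdmin",  # Service Usage Admin
}
# Basic roles that grant far more than a secrets sync needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/secretmanager.admin",
     "members": ["serviceAccount:infisical-sync@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:infisical-sync@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:infisical-sync@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["user:alice@example.com"]}
  ]
}
""")


def granted_roles(policy, sa_email):
    """Project-level roles bound directly to the service account."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def review_service_account(policy, sa_email):
    """Compare the account's roles with the two the integration needs."""
    granted = granted_roles(policy, sa_email)
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "broad": sorted(granted & BROAD_ROLES),
        "unrelated": sorted(granted - REQUIRED_ROLES - BROAD_ROLES),
    }


if __name__ == "__main__":
    sa = "infisical-sync@example-project.iam.gserviceaccount.com"
    print(json.dumps(review_service_account(SAMPLE_POLICY, sa), indent=2))
```

The check covers only roles bound directly to the account at project level; roles inherited from a folder, organization or group membership need the same review.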

Navigate to your project’s integrations tab in Infisical.

Press on the GCP Secret Manager tile and paste in your GCP Service Account JSON (you can create and download the JSON for your service account in IAM & Admin > Service Accounts > Service Account > Keys).

If this is your project’s first cloud integration, then you’ll have to grant Infisical access to your project’s environment variables. Although this step breaks E2EE, it’s necessary for Infisical to sync the environment variables to the cloud platform.

2. Start integration

In the Connection tab, select which Infisical environment's secrets you want to sync to the GCP Secret Manager project. Lastly, press create integration to start syncing secrets to GCP Secret Manager.

Note that the GCP Secret Manager integration supports a few options in the Options tab:

  • Secret Prefix: If set, the prefix is prepended to every secret name before it is synced.
  • Secret Suffix: If set, the suffix is appended to every secret name before it is synced.
  • Label in GCP Secret Manager: If selected, every secret will be labeled in GCP Secret Manager (e.g. as managed-by:infisical); labels can be customized.

Setting a secret prefix, suffix, or enabling the labeling option ensures that existing secrets in GCP Secret Manager are not overwritten during the sync. As part of this process, Infisical abstains from mutating any secrets in GCP Secret Manager without the specified prefix, suffix, or attached label.
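A pre-flight check for the scoping rule described above (it applies to both connection methods), as an added example that is not Infisical's code: it models which existing GCP secrets fall inside the integration's scope for a given prefix, suffix and label. It assumes a secret is in scope only if it matches every option that is set; the secret list is a constructed sample in the shape of `gcloud secrets list --format=json`, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `gcloud secrets list --format=json`.
SAMPLE_SECRETS = json.loads("""
[
  {"name": "projects/123456789/secrets/DB_PASSWORD"},
  {"name": "projects/123456789/secrets/INF_DB_PASSWORD",
   "labels": {"managed-by": "infisical"}},
  {"name": "projects/123456789/secrets/INF_API_KEY"},
  {"name": "projects/123456789/secrets/BILLING_TOKEN",
   "labels": {"managed-by": "terraform"}}
]
""")


def short_name(secret):
    """Strip the projects/<number>/secrets/ part of the resource name."""
    return secret["name"].rsplit("/", 1)[-1]


def in_scope(secret, prefix="", suffix="", label=None):
    """Assumed rule: the secret must match every option that is set."""
    name = short_name(secret)
    if prefix and not name.startswith(prefix):
        return False
    if suffix and not name.endswith(suffix):
        return False
    if label is not None:
        key, value = label
        if secret.get("labels", {}).get(key) != value:
            return False
    return True


def preflight(secrets, infisical_keys, prefix="", suffix="", label=None):
    """Sort existing secrets by what a sync with these options could do."""
    targets = {f"{prefix}{key}{suffix}" for key in infisical_keys}
    report = {"overwrite": [], "in_scope_other": [], "protected": []}
    for secret in secrets:
        name = short_name(secret)
        if not in_scope(secret, prefix, suffix, label):
            report["protected"].append(name)      # left alone by the sync
        elif name in targets:
            report["overwrite"].append(name)      # value would be replaced
        else:
            report["in_scope_other"].append(name)  # in scope, no Infisical key
    return {bucket: sorted(names) for bucket, names in report.items()}


if __name__ == "__main__":
    keys = ["DB_PASSWORD", "API_KEY"]
    print(preflight(SAMPLE_SECRETS, keys))                  # no options set
    print(preflight(SAMPLE_SECRETS, keys, prefix="INF_"))   # prefix only
```

With no option set, every existing secret is in scope, which is the case the prefix, suffix and label options exist to prevent.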

Using Infisical to sync secrets to GCP Secret Manager requires that you enable the Service Usage API and Cloud Resource Manager API in the Google Cloud project you want to sync secrets to.

Using the GCP Secret Manager integration (via the OAuth2 method) on a self-hosted instance of Infisical requires configuring an OAuth2 application in GCP and registering your instance with it.

1. Create an OAuth2 application in GCP

In your GCP project, navigate to API & Services > Credentials to create a new OAuth2 application.

Create the application. As part of the form, add to Authorized redirect URIs: https://your-domain.com/integrations/gcp-secret-manager/oauth2/callback.

2. Add your OAuth2 application credentials to Infisical

Obtain the Client ID and Client Secret for your GCP OAuth2 application.

Back in your Infisical instance, add two new environment variables for the credentials of your GCP OAuth2 application:

  • CLIENT_ID_GCP_SECRET_MANAGER: The Client ID of your GCP OAuth2 application.
  • CLIENT_SECRET_GCP_SECRET_MANAGER: The Client Secret of your GCP OAuth2 application.

Once added, restart your Infisical instance and use the GCP Secret Manager integration.
