
gcp-secrets

    The gcp-secrets provider enables you to dynamically import Secrets from Google Cloud Secrets Manager into your Environment. The provider will return a map of names to Secrets.

    Example

      gcp:
        login:
          fn::open::gcp-login:
            project: 123456789
            oidc:
              workloadPoolId: pulumi-esc
              providerId: pulumi-esc
              serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
        secrets:
          fn::open::gcp-secrets:
            login: ${gcp.login}
            access:
              api-key:
                name: api-key
              app-secret:
                name: app-secret
    

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • esc open <your-org>/<your-environment> command of the Pulumi ESC CLI
    • pulumi env open <your-org>/<your-environment> command of the Pulumi CLI

    Make sure to replace <your-org> and <your-environment> with the values of your Pulumi organization and environment file respectively. You should see output similar to the following:

    {
      "environmentVariables": {
        "GOOGLE_PROJECT": 111111111111,
        "CLOUDSDK_AUTH_ACCESS_TOKEN": "ya29...."
      },
      "gcp": {
        "login": {
          "accessToken": "ya29.....",
          "expiry": "2023-11-09T11:12:41Z",
          "project": 111111111111,
          "tokenType": "Bearer"
        }
      },
      "pulumiConfig": {
        "gcp:accessToken": "ya29...."
      }
    }
    

    Inputs

    Property   Type                          Description
    login      GCPSecretsLogin               Credentials used to log in to Google Cloud.
    access     map[string]GCPSecretsAccess   A map from names to secrets to read from Google Cloud Secrets Manager. The outputs will map each name to the secret's sensitive data.

    GCPSecretsLogin

    Property      Type     Description
    project       string   The numerical ID of the GCP project, aka project number (e.g. 951040570662).
    accessToken   string   The access token used to authenticate with Google Cloud.
    tokenType     string   The type of the access token.
    expiry        string   [Optional] The access token's expiry time.

    GCPSecretsAccess

    Property   Type     Description
    name       string   The name of the secret to import.
    version    string   [Optional] The version of the secret to import.

    Outputs

    Property   Type     Description
    N/A        object   A map of names to imported Secrets.
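    As an added example (not part of the Pulumi documentation above), the following environment definition uses the optional version input to pin one secret to a specific version while taking the latest version of another, and projects the provider's output map into environmentVariables and pulumiConfig. The project number, workload pool, provider ID, service account and secret names are placeholders you must replace with your own.

```yaml
# Added example, not from the Pulumi docs. All identifiers below are placeholders.
values:
  gcp:
    login:
      fn::open::gcp-login:
        project: 123456789012                 # placeholder: your project number
        oidc:
          workloadPoolId: pulumi-esc          # placeholder pool
          providerId: pulumi-esc              # placeholder provider
          serviceAccount: pulumi-esc@my-project.iam.gserviceaccount.com  # placeholder
    secrets:
      fn::open::gcp-secrets:
        login: ${gcp.login}
        access:
          dbPassword:
            name: prod-db-password            # placeholder secret name
            version: "3"                      # pinned: rotation becomes an explicit, reviewable change
          apiKey:
            name: partner-api-key             # placeholder secret name; no version, so the latest enabled version is read
  # Project the output map (name -> secret payload) to where consumers expect it.
  environmentVariables:
    DB_PASSWORD: ${gcp.secrets.dbPassword}
    PARTNER_API_KEY: ${gcp.secrets.apiKey}
  pulumiConfig:
    dbPassword: ${gcp.secrets.dbPassword}
```

    Running esc open on this environment shows the resolved values; the secret payloads are treated as secret by ESC and rendered masked in the CLI output.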