Skip to main content
  1. Docs
  2. Secrets & Configuration
  3. Providers
  4. Secrets & config
  5. gcp-secrets

gcp-secrets

    The gcp-secrets provider enables you to dynamically import Secrets from Google Cloud Secrets Manager into your Environment. The provider will return a map of names to Secrets.

    Example

    values:
      gcp:
        login:
          fn::open::gcp-login:
            project: 123456789
            oidc:
              workloadPoolId: pulumi-esc
              providerId: pulumi-esc
              serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
        secrets:
          fn::open::gcp-secrets:
            login: ${gcp.login}
            access:
              api-key:
                name: api-key
              app-secret:
                name: app-secret
      pulumiConfig:
        apiKey: ${gcp.secrets.api-key}
        appSecret: ${gcp.secrets.app-secret}
    

    Schema reference

    Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.

    Inputs

    • access map[string]GCPSecretsAccess required
      A map from names to secrets to read from Google Cloud. The outputs will map each name to the secret’s sensitive data.
    • name string required
      The name of the secret to access.
    • version number optional
      The secret version to access.
    • login GCPSecretsLogin required
      Credentials used to log in to Google Cloud.
    • accessToken string required
      The access token to use for authentication.
    • project number required
      The GCP project number.
    • tokenType string required
      The type of the access token.

    Outputs

    A map from names to secret values.

    Type: map[string]string

    Configuring OIDC

    To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:

    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI
    • pulumi env open <org>/<project>/<environment> command of the Pulumi CLI

    Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:

    {
      "gcp": {
        "login": {
          "accessToken": "ya29.....",
          "expiry": "2023-11-09T11:12:41Z",
          "project": 123456789,
          "tokenType": "Bearer"
        },
        "secrets": {
          "api-key": "my-api-key",
          "app-secret": "my-app-secret"
        }
      }
    }