gcp-secrets
The gcp-secrets provider enables you to dynamically import Secrets from Google Cloud Secrets Manager into your Environment. The provider will return a map of names to Secrets.
Example
values:
gcp:
login:
fn::open::gcp-login:
project: 123456789
oidc:
workloadPoolId: pulumi-esc
providerId: pulumi-esc
serviceAccount: pulumi-esc@foo-bar-123456.iam.gserviceaccount.com
secrets:
fn::open::gcp-secrets:
login: ${gcp.login}
access:
api-key:
name: api-key
app-secret:
name: app-secret
pulumiConfig:
apiKey: ${gcp.secrets.api-key}
appSecret: ${gcp.secrets.app-secret}
Schema reference
Reference schemas last updated on 2026-07-11, synced automatically from the Pulumi Cloud ESC API.
Inputs
accessmap[string]GCPSecretsAccess requiredA map from names to secrets to read from Google Cloud. The outputs will map each name to the secret’s sensitive data.- ↳
namestring requiredThe name of the secret to access. - ↳
versionnumber optionalThe secret version to access. loginGCPSecretsLogin requiredCredentials used to log in to Google Cloud.- ↳
accessTokenstring requiredThe access token to use for authentication. - ↳
projectnumber requiredThe GCP project number. - ↳
tokenTypestring requiredThe type of the access token.
Outputs
A map from names to secret values.
Type: map[string]string
Configuring OIDC
To learn how to configure OpenID Connect (OIDC) between Pulumi Cloud and Google Cloud, see the OpenID Connect integration documentation. Once you have completed these steps, you can validate that your configuration is working by running either of the following:
pulumi env open <org>/<project>/<environment>command of the Pulumi CLIpulumi env open <org>/<project>/<environment>command of the Pulumi CLI
Make sure to replace <org>, <project>, and <environment> with the values of your Pulumi organization and environment identifier respectively. You should see output similar to the following:
{
"gcp": {
"login": {
"accessToken": "ya29.....",
"expiry": "2023-11-09T11:12:41Z",
"project": 123456789,
"tokenType": "Bearer"
},
"secrets": {
"api-key": "my-api-key",
"app-secret": "my-app-secret"
}
}
}