Create new IAM Service Account

Run the following commands with the gcloud CLI.
```bash
# To narrow the permission scope, use this prefix for all secrets envsecrets may access.
SECRET_PREFIX="envsecrets-"

# Get the current project
PROJECT_ID="$(gcloud config get-value project --quiet)"

# Create a new service account
gcloud iam service-accounts create envsecrets \
  --description="Service account for envsecrets to sync secrets to Secret Manager" \
  --display-name="envsecrets"

# Attach the Secret Manager Admin role to the new service account, conditioned
# on the secret name starting with SECRET_PREFIX so it cannot touch other secrets
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:envsecrets@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/secretmanager.admin" \
  --condition="expression=resource.name.extract(\"secrets/{rest}\").startsWith(\"$SECRET_PREFIX\"),title=\"$SECRET_PREFIX*\""
```
Create keys for the new service account
```bash
# Generate a key for your new service account
gcloud iam service-accounts keys create iam-key.json \
  --iam-account="envsecrets@$PROJECT_ID.iam.gserviceaccount.com"

# Print (and then remove) the JSON credentials
cat iam-key.json && rm iam-key.json
```
Copy and save the JSON key printed on your shell. The command above deletes the file, so this output is the only copy. It is a long-lived credential: store it in a secure place, never commit it to a repository, and rotate it if it is ever exposed.
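The IAM binding above only grants the service account rights on secrets whose names start with SECRET_PREFIX. The following shell snippet is an added example, not part of the envsecrets documentation: it emulates the CEL condition `resource.name.extract("secrets/{rest}").startsWith(SECRET_PREFIX)` against a few constructed Secret Manager resource names, so you can check which requests the conditional role will authorise before wiring up the integration. The project number and secret names are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the envsecrets docs): emulate the IAM condition
#   resource.name.extract("secrets/{rest}").startsWith(SECRET_PREFIX)
# to see which Secret Manager resource names the conditional binding covers.
set -eu

SECRET_PREFIX="envsecrets-"

# Emulate CEL extract("secrets/{rest}"): return the text after the first
# "secrets/" segment of the resource name, or an empty string when the
# template does not match (CEL also yields "" on no match).
extract_secret_rest() {
  local name="$1"
  case "$name" in
    *secrets/*) printf '%s' "${name#*secrets/}" ;;
    *) printf '' ;;
  esac
}

# Return 0 (allowed) when the condition evaluates true for the given
# resource name and prefix, 1 (denied) otherwise.
condition_allows() {
  local name="$1" prefix="$2" rest
  rest="$(extract_secret_rest "$name")"
  case "$rest" in
    "$prefix"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample resource names (project number and secret IDs are fake).
SAMPLES="
projects/123456789012/secrets/envsecrets-db-password
projects/123456789012/secrets/envsecrets-db-password/versions/1
projects/123456789012/secrets/prod-api-key
projects/123456789012
"

for name in $SAMPLES; do
  if condition_allows "$name" "$SECRET_PREFIX"; then
    printf 'ALLOW  %s\n' "$name"
  else
    printf 'DENY   %s\n' "$name"
  fi
done
```

Secret versions pass because their resource names still contain the secret ID after `secrets/`, while a secret outside the prefix is denied. Names with no `secrets/` segment, such as the project itself, evaluate to false, so any permission that is checked against the project rather than an individual secret is not granted by this binding; the account can only act on secrets it addresses by name.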
Configuration
Go to the integrations catalog in your envsecrets dashboard and choose “GCP Secrets Manager.”
On the setup/connection page, paste the service account key JSON you created above and save the form.
We enable “Automatic Replication” for your GCP secrets by default. You can learn more about replication policies in the GCP Secret Manager replication docs.
Go to the integrations dashboard in your envsecrets organisation and under “GCP Secrets Manager” choose “Sync New Environment With Your GCP Secrets Manager Account.”
In the page that opens, select your envsecrets project and environment, and enter the name under which you wish to save the secret in GCP Secrets Manager.