GCP Secrets Manager
Configuration
The current version of Kong Gateway’s implementation supports configuring GCP Secrets Manager in two ways:
- Environment variables
- Workload Identity
To configure GCP Secrets Manager, the GCP_SERVICE_ACCOUNT
environment variable must be set to the JSON document referring to the credentials for your service account:
export GCP_SERVICE_ACCOUNT=$(cat gcp-my-project-c61f2411f321.json)
Kong Gateway uses the key to automatically authenticate with the GCP API and grant you access.
To use GCP Secrets Manager with Workload Identity on a GKE cluster, update your pod spec so that the service account is attached to the pod. For configuration information, read the Workload Identity configuration documentation.
With Workload Identity, setting the
GCP_SERVICE_ACCOUNT
isn’t necessary.
Examples
To use a GCP Secret Manager secret with the name my-secret-name
, create a JSON object in GCP that contains one or more properties:
{
"foo": "bar",
"snip": "snap"
}
You can now reference the secret’s individual resources like this:
{vault://gcp/my-secret-name/foo?project_id=my_project_id}
{vault://gcp/my-secret-name/snip?project_id=my_project_id}
Note that both the provider (gcp
) as well as the GCP project ID (my_project_id
) need to be specified. You can configure the project ID with an environment variable before starting Kong Gateway:
export KONG_VAULT_GCP_PROJECT_ID=my_project_id
Then you don’t need to repeat it in references:
{vault://gcp/my-secret-name/foo}
{vault://gcp/my-secret-name/snip}
Entity
Once the database is initialized, a Vault entity can be created that encapsulates the provider and the GCP project ID:
Admin API
Declarative configuration
cURL
HTTPie
curl -i -X PUT http://HOSTNAME:8001/vaults/my-gcp-sm-vault \
--data name=gcp \
--data description="Storing secrets in GCP Secrets Manager" \
--data config.project_id="my_project_id"
http -f PUT http://HOSTNAME:8001/vaults/my-gcp-sm-vault \
name="gcp" \
description="Storing secrets in GCP Secrets Manager" \
config.project_id="my_project_id"
Result:
{
"config": {
"project_id": "my_project_id"
},
"created_at": 1657874961,
"description": "Storing secrets in GCP Secrets Manager",
"id": "90e200be-cf84-4ce9-a1d6-a41c75c79f31",
"name": "gcp",
"prefix": "my-gcp-sm-vault",
"tags": null,
"updated_at": 1657874961
}
Secrets management is supported in decK 1.16 and later.
Add the following snippet to your declarative configuration file:
_format_version: "3.0"
vaults:
- config:
project_id: my_project_id
description: Storing secrets in GCP Secrets Manager
name: gcp
prefix: my-gcp-sm-vault
With the Vault entity in place, you can reference the GCP secrets through it:
{vault://my-gcp-sm-vault/my-secret-name/foo}
{vault://my-gcp-sm-vault/my-secret-name/snip}