helm-external-secrets/provider-google-secrets-manager/index.html

<!doctype html>
<html lang="en" class="no-js">
  <head>
    
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width,initial-scale=1">
      
      
      
      
      <link rel="icon" href="../assets/images/favicon.png">
      <meta name="generator" content="mkdocs-1.1, mkdocs-material-7.1.8">
    
    
      
        <title>Secrets Manager - External Secrets Operator</title>
      
    
    
      <link rel="stylesheet" href="../assets/stylesheets/main.ca7ac06f.min.css">
      
        
        <link rel="stylesheet" href="../assets/stylesheets/palette.f1a3b89f.min.css">
        
      
    
    
    
      
        
        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
        <style>:root{--md-text-font-family:"Roboto";--md-code-font-family:"Roboto Mono"}</style>
      
    
    
    
    
      

  


  

  


  <script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){"undefined"!=typeof location$&&location$.subscribe(function(t){gtag("config","G-QP38TD8K7V",{page_path:t.pathname})})})</script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V"></script>


    
    
  </head>
  
  
    
    
    
    
    
    <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none">
  
    
    <script>function __prefix(e){return new URL("..",location).pathname+"."+e}function __get(e,t=localStorage){return JSON.parse(t.getItem(__prefix(e)))}</script>
    
    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
    <label class="md-overlay" for="__drawer"></label>
    <div data-md-component="skip">
      
        
        <a href="#google-cloud-secret-manager" class="md-skip">
          Skip to content
        </a>
      
    </div>
    <div data-md-component="announce">
      
    </div>
    
      <header class="md-header" data-md-component="header">
  <nav class="md-header__inner md-grid" aria-label="Header">
    <a href=".." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  
  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>

    </a>
    <label class="md-header__button md-icon" for="__drawer">
      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg>
    </label>
    <div class="md-header__title" data-md-component="header-title">
      <div class="md-header__ellipsis">
        <div class="md-header__topic">
          <span class="md-ellipsis">
            External Secrets Operator
          </span>
        </div>
        <div class="md-header__topic" data-md-component="header-topic">
          <span class="md-ellipsis">
            
              Secrets Manager
            
          </span>
        </div>
      </div>
    </div>
    
    
    
      <label class="md-header__button md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
      </label>
      
<div class="md-search" data-md-component="search" role="dialog">
  <label class="md-search__overlay" for="__search"></label>
  <div class="md-search__inner" role="search">
    <form class="md-search__form" name="search">
      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" data-md-state="active" required>
      <label class="md-search__icon md-icon" for="__search">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg>
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
      </label>
      <button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41z"/></svg>
      </button>
    </form>
    <div class="md-search__output">
      <div class="md-search__scrollwrap" data-md-scrollfix>
        <div class="md-search-result" data-md-component="search-result">
          <div class="md-search-result__meta">
            Initializing search
          </div>
          <ol class="md-search-result__list"></ol>
        </div>
      </div>
    </div>
  </div>
</div>
    
    
      <div class="md-header__source">
        
<a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
      </div>
    
  </nav>
</header>
    
    <div class="md-container" data-md-component="container">
      
      
        
      
      <main class="md-main" data-md-component="main">
        <div class="md-main__inner md-grid">
          
            
              
              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    


<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
  <label class="md-nav__title" for="__drawer">
    <a href=".." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
      
  
  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg>

    </a>
    External Secrets Operator
  </label>
  
    <div class="md-nav__source">
      
<a href="https://github.com/external-secrets/external-secrets/" title="Go to repository" class="md-source" data-md-component="source">
  <div class="md-source__icon md-icon">
    
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
  </div>
  <div class="md-source__repository">
    External Secrets Operator
  </div>
</a>
    </div>
  
  <ul class="md-nav__list" data-md-scrollfix>
    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href=".." class="md-nav__link">
        Introduction
      </a>
    </li>
  

    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href="../api-overview/" class="md-nav__link">
        Overview
      </a>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
      
      <label class="md-nav__link" for="__nav_3">
        API Types
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="API Types" data-md-level="1">
        <label class="md-nav__title" for="__nav_3">
          <span class="md-nav__icon md-icon"></span>
          API Types
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-externalsecret/" class="md-nav__link">
        ExternalSecret
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-secretstore/" class="md-nav__link">
        SecretStore
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../api-clustersecretstore/" class="md-nav__link">
        ClusterSecretStore
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
      
      <label class="md-nav__link" for="__nav_4">
        Guides
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Guides" data-md-level="1">
        <label class="md-nav__title" for="__nav_4">
          <span class="md-nav__icon md-icon"></span>
          Guides
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-introduction/" class="md-nav__link">
        Introduction
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-getting-started/" class="md-nav__link">
        Getting started
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-templating/" class="md-nav__link">
        Advanced Templating
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-all-keys-one-secret/" class="md-nav__link">
        All keys, One secret
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-common-k8s-secret-types/" class="md-nav__link">
        Common K8S Secret Types
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-multi-tenancy/" class="md-nav__link">
        Multi Tenancy
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../guides-metrics/" class="md-nav__link">
        Metrics
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
    
  
  
    
    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" checked>
      
      <label class="md-nav__link" for="__nav_5">
        Provider
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Provider" data-md-level="1">
        <label class="md-nav__title" for="__nav_5">
          <span class="md-nav__icon md-icon"></span>
          Provider
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_1" type="checkbox" id="__nav_5_1" >
      
      <label class="md-nav__link" for="__nav_5_1">
        AWS
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="AWS" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_1">
          <span class="md-nav__icon md-icon"></span>
          AWS
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-aws-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-aws-parameter-store/" class="md-nav__link">
        Parameter Store
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_2" type="checkbox" id="__nav_5_2" >
      
      <label class="md-nav__link" for="__nav_5_2">
        Azure
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Azure" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_2">
          <span class="md-nav__icon md-icon"></span>
          Azure
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-azure-key-vault/" class="md-nav__link">
        Key Vault
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
    
  
  
    
    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_3" type="checkbox" id="__nav_5_3" checked>
      
      <label class="md-nav__link" for="__nav_5_3">
        Google
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Google" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_3">
          <span class="md-nav__icon md-icon"></span>
          Google
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
    
  
  
    <li class="md-nav__item md-nav__item--active">
      
      <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
      
      
      
        <label class="md-nav__link md-nav__link--active" for="__toc">
          Secrets Manager
          <span class="md-nav__icon md-icon"></span>
        </label>
      
      <a href="./" class="md-nav__link md-nav__link--active">
        Secrets Manager
      </a>
      
        
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#google-cloud-secret-manager" class="md-nav__link">
    Google Cloud Secret Manager
  </a>
  
    <nav class="md-nav" aria-label="Google Cloud Secret Manager">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#service-account-key-authentication" class="md-nav__link">
    Service account key authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#update-secret-store" class="md-nav__link">
    Update secret store
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#creating-external-secret" class="md-nav__link">
    Creating external secret
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#authentication-with-workload-identity" class="md-nav__link">
    Authentication with Workload Identity
  </a>
  
    <nav class="md-nav" aria-label="Authentication with Workload Identity">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#following-the-documentation" class="md-nav__link">
    Following the documentation
  </a>
  
    <nav class="md-nav" aria-label="Following the documentation">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#changing-values" class="md-nav__link">
    Changing Values
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#following-through" class="md-nav__link">
    Following through
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#secretstore-with-workloadidentity" class="md-nav__link">
    SecretStore with WorkloadIdentity
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
    </ul>
  
</nav>
      
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_4" type="checkbox" id="__nav_5_4" >
      
      <label class="md-nav__link" for="__nav_5_4">
        IBM
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="IBM" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_4">
          <span class="md-nav__icon md-icon"></span>
          IBM
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-ibm-secrets-manager/" class="md-nav__link">
        Secrets Manager
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-akeyless/" class="md-nav__link">
        Akeyless
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-hashicorp-vault/" class="md-nav__link">
        HashiCorp Vault
      </a>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_7" type="checkbox" id="__nav_5_7" >
      
      <label class="md-nav__link" for="__nav_5_7">
        Yandex
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Yandex" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_7">
          <span class="md-nav__icon md-icon"></span>
          Yandex
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-yandex-lockbox/" class="md-nav__link">
        Lockbox
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_8" type="checkbox" id="__nav_5_8" >
      
      <label class="md-nav__link" for="__nav_5_8">
        Gitlab
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Gitlab" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_8">
          <span class="md-nav__icon md-icon"></span>
          Gitlab
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-gitlab-project-variables/" class="md-nav__link">
        Gitlab Project Variables
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
            
  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5_9" type="checkbox" id="__nav_5_9" >
      
      <label class="md-nav__link" for="__nav_5_9">
        Oracle
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Oracle" data-md-level="2">
        <label class="md-nav__title" for="__nav_5_9">
          <span class="md-nav__icon md-icon"></span>
          Oracle
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../provider-oracle-vault/" class="md-nav__link">
        Oracle Vault
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" >
      
      <label class="md-nav__link" for="__nav_6">
        References
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="References" data-md-level="1">
        <label class="md-nav__title" for="__nav_6">
          <span class="md-nav__icon md-icon"></span>
          References
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../spec/" class="md-nav__link">
        API specification
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    
    <li class="md-nav__item md-nav__item--nested">
      
      
        <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" >
      
      <label class="md-nav__link" for="__nav_7">
        Contributing
        <span class="md-nav__icon md-icon"></span>
      </label>
      <nav class="md-nav" aria-label="Contributing" data-md-level="1">
        <label class="md-nav__title" for="__nav_7">
          <span class="md-nav__icon md-icon"></span>
          Contributing
        </label>
        <ul class="md-nav__list" data-md-scrollfix>
          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-devguide/" class="md-nav__link">
        Developer guide
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-process/" class="md-nav__link">
        Contributing Process
      </a>
    </li>
  

          
            
  
  
  
    <li class="md-nav__item">
      <a href="../contributing-coc/" class="md-nav__link">
        Code of Conduct
      </a>
    </li>
  

          
        </ul>
      </nav>
    </li>
  

    
      
      
      

  
  
  
    <li class="md-nav__item">
      <a href="../deprecation-policy/" class="md-nav__link">
        Deprecation Policy
      </a>
    </li>
  

    
  </ul>
</nav>
                  </div>
                </div>
              </div>
            
            
              
              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
                <div class="md-sidebar__scrollwrap">
                  <div class="md-sidebar__inner">
                    
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
  
  
  
  
    <label class="md-nav__title" for="__toc">
      <span class="md-nav__icon md-icon"></span>
      Table of contents
    </label>
    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
      
        <li class="md-nav__item">
  <a href="#google-cloud-secret-manager" class="md-nav__link">
    Google Cloud Secret Manager
  </a>
  
    <nav class="md-nav" aria-label="Google Cloud Secret Manager">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#service-account-key-authentication" class="md-nav__link">
    Service account key authentication
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#update-secret-store" class="md-nav__link">
    Update secret store
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#creating-external-secret" class="md-nav__link">
    Creating external secret
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
        <li class="md-nav__item">
  <a href="#authentication-with-workload-identity" class="md-nav__link">
    Authentication with Workload Identity
  </a>
  
    <nav class="md-nav" aria-label="Authentication with Workload Identity">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#following-the-documentation" class="md-nav__link">
    Following the documentation
  </a>
  
    <nav class="md-nav" aria-label="Following the documentation">
      <ul class="md-nav__list">
        
          <li class="md-nav__item">
  <a href="#changing-values" class="md-nav__link">
    Changing Values
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#following-through" class="md-nav__link">
    Following through
  </a>
  
</li>
        
          <li class="md-nav__item">
  <a href="#secretstore-with-workloadidentity" class="md-nav__link">
    SecretStore with WorkloadIdentity
  </a>
  
</li>
        
      </ul>
    </nav>
  
</li>
        
      </ul>
    </nav>
  
</li>
      
    </ul>
  
</nav>
                  </div>
                </div>
              </div>
            
          
          <div class="md-content" data-md-component="content">
            <article class="md-content__inner md-typeset">
              
                
                  <a href="https://github.com/external-secrets/external-secrets/edit/master/docs/provider-google-secrets-manager.md" title="Edit this page" class="md-content__button md-icon">
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z"/></svg>
                  </a>
                
                
                  <h1>Secrets Manager</h1>
                
                <h2 id="google-cloud-secret-manager">Google Cloud Secret Manager</h2>
<p>External Secrets Operator integrates with <a href="https://cloud.google.com/secret-manager">GCP Secret Manager</a> for secret management.</p>
<h3 id="service-account-key-authentication">Service account key authentication</h3>
<p>A service account key is created and the JSON keyfile is stored in a <code>Kind=Secret</code>. The <code>project_id</code> and <code>private_key</code> should be configured for the project.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Secret</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">gcpsm-secret</span>
  <span class="nt">labels</span><span class="p">:</span>
    <span class="nt">type</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">gcpsm</span>
<span class="nt">type</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Opaque</span>
<span class="nt">stringData</span><span class="p">:</span>
  <span class="nt">secret-access-credentials</span><span class="p">:</span> <span class="p p-Indicator">|-</span>
    <span class="no">{</span>
      <span class="no">&quot;type&quot;: &quot;service_account&quot;,</span>
      <span class="no">&quot;project_id&quot;: &quot;external-secrets-operator&quot;,</span>
      <span class="no">&quot;private_key_id&quot;: &quot;&quot;,</span>
      <span class="no">&quot;private_key&quot;: &quot;-----BEGIN PRIVATE KEY-----\nA key\n-----END PRIVATE KEY-----\n&quot;,</span>
      <span class="no">&quot;client_email&quot;: &quot;test-service-account@external-secrets-operator.iam.gserviceaccount.com&quot;,</span>
      <span class="no">&quot;client_id&quot;: &quot;client ID&quot;,</span>
      <span class="no">&quot;auth_uri&quot;: &quot;https://accounts.google.com/o/oauth2/auth&quot;,</span>
      <span class="no">&quot;token_uri&quot;: &quot;https://oauth2.googleapis.com/token&quot;,</span>
      <span class="no">&quot;auth_provider_x509_cert_url&quot;: &quot;https://www.googleapis.com/oauth2/v1/certs&quot;,</span>
      <span class="no">&quot;client_x509_cert_url&quot;: &quot;https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40external-secrets-operator.iam.gserviceaccount.com&quot;</span>
    <span class="no">}</span>
</code></pre></div>

<h3 id="update-secret-store">Update secret store</h3>
<p>Be sure the <code>gcpsm</code> provider is listed in the <code>Kind=SecretStore</code></p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">provider</span><span class="p">:</span>
      <span class="nt">gcpsm</span><span class="p">:</span>                                  <span class="c1"># gcpsm provider</span>
        <span class="nt">auth</span><span class="p">:</span>
          <span class="nt">secretRef</span><span class="p">:</span>
            <span class="nt">secretAccessKeySecretRef</span><span class="p">:</span>
              <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">gcpsm-secret</span>              <span class="c1"># secret name containing SA key</span>
              <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret-access-credentials</span>  <span class="c1"># key name containing SA key</span>
        <span class="nt">projectID</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">myproject</span>                  <span class="c1"># name of Google Cloud project</span>
</code></pre></div>

<h3 id="creating-external-secret">Creating external secret</h3>
<p>To create a kubernetes secret from the GCP Secret Manager secret a <code>Kind=ExternalSecret</code> is needed.</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
<span class="nt">metadata</span><span class="p">:</span>
  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
<span class="nt">spec</span><span class="p">:</span>
  <span class="nt">refreshInterval</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">1h</span>           <span class="c1"># rate SecretManager pulls GCPSM</span>
  <span class="nt">secretStoreRef</span><span class="p">:</span>
    <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>               <span class="c1"># name of the SecretStore (or kind specified)</span>
  <span class="nt">target</span><span class="p">:</span>
    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>  <span class="c1"># name of the k8s Secret to be created</span>
    <span class="nt">creationPolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Owner</span>
  <span class="nt">data</span><span class="p">:</span>
  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev-secret-test</span>  <span class="c1"># name of the GCPSM secret key</span>
    <span class="nt">remoteRef</span><span class="p">:</span>
      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev-secret-test</span>
</code></pre></div>

<p>The operator will fetch the GCP Secret Manager secret and inject it as a <code>Kind=Secret</code>
<div class="highlight"><pre><span></span><code>kubectl get secret secret-to-be-created -n &lt;namespace&gt; | -o jsonpath=&#39;{.data.dev-secret-test}&#39; | base64 -d
</code></pre></div></p>
<h2 id="authentication-with-workload-identity">Authentication with Workload Identity</h2>
<p>This makes it possible for your Google Kubernetes Engine (GKE) applications to consume services provided by Google APIs, namely Secrets Manager service in this case.</p>
<p>Here we will assume that you installed ESO using helm and that you named the chart installation <code>external-secrets</code> and the namespace where it lives <code>es</code> like:</p>
<div class="highlight"><pre><span></span><code>helm install external-secrets external-secrets/external-secrets --namespace es
</code></pre></div>

<p>Then most of the resources would have this name, the important one here being the k8s service account attached to the external-secrets operator deployment:</p>
<div class="highlight"><pre><span></span><code># ...
      containers:
      - image: ghcr.io/external-secrets/external-secrets:vVERSION
        name: external-secrets
        ports:
        - containerPort: 8080
          protocol: TCP
      restartPolicy: Always
      schedulerName: default-scheduler
      serviceAccount: external-secrets
      serviceAccountName: external-secrets # &lt;--- here
</code></pre></div>

<h3 id="following-the-documentation">Following the documentation</h3>
<p>You can find the documentation for Workload Identity under <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">this url</a>. We will walk you through how to navigate it here.</p>
<h4 id="changing-values">Changing Values</h4>
<p>Search <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">the documment</a> for this editable values and change them to your values:</p>
<ul>
<li>CLUSTER_NAME: The name of your cluster</li>
<li>PROJECT_ID: Your project ID (not your Project number nor your Project name)</li>
<li>K8S_NAMESPACE: For us folowing these steps here it will be <code>es</code>, but this will be the namespace where you deployed the external-secrets operator</li>
<li>KSA_NAME: external-secrets (if you are not creating a new one to attach to the deployemnt)</li>
<li>GSA_NAME: external-secrets for simplicity, or something else if you have to follow different naming convetions for cloud resources</li>
<li>ROLE_NAME: roles/secretmanager.secretAccessor so you make the pod only be able to access secrets on Secret Manager</li>
</ul>
<h4 id="following-through">Following through</h4>
<p>You can follow through the documentation and adapt it to your specific use case. If you want to just use the serviceaccount that we deployed with the helm chart, for example, you don't need to create a new service account on 2 of <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to">Authenticating to Google Cloud</a>.</p>
<h4 id="secretstore-with-workloadidentity">SecretStore with WorkloadIdentity</h4>
<p>To use workload identity you can just omit the auth field of the secret store and let the operator client fall back to defaults using the roles attached to your service account.</p>
<div class="highlight"><pre><span></span><code>apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: example
spec:
  provider:
    gcpsm:
      projectID: pid
</code></pre></div>
                
              
              
                


              
            </article>
          </div>
        </div>
        
      </main>
      
        
<footer class="md-footer">
  
    <nav class="md-footer__inner md-grid" aria-label="Footer">
      
        
        <a href="../provider-azure-key-vault/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Key Vault" rel="prev">
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg>
          </div>
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Previous
              </span>
              Key Vault
            </div>
          </div>
        </a>
      
      
        
        <a href="../provider-ibm-secrets-manager/" class="md-footer__link md-footer__link--next" aria-label="Next: Secrets Manager" rel="next">
          <div class="md-footer__title">
            <div class="md-ellipsis">
              <span class="md-footer__direction">
                Next
              </span>
              Secrets Manager
            </div>
          </div>
          <div class="md-footer__button md-icon">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg>
          </div>
        </a>
      
    </nav>
  
  <div class="md-footer-meta md-typeset">
    <div class="md-footer-meta__inner md-grid">
      <div class="md-footer-copyright">
        
        Made with
        <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
          Material for MkDocs
        </a>
        
      </div>
      
    </div>
  </div>
</footer>
      
    </div>
    <div class="md-dialog" data-md-component="dialog">
      <div class="md-dialog__inner md-typeset"></div>
    </div>
    <script id="__config" type="application/json">{"base": "..", "features": [], "translations": {"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing", "select.version.title": "Select version"}, "search": "../assets/javascripts/workers/search.b0710199.min.js", "version": null}</script>
    
    
      <script src="../assets/javascripts/bundle.76f349be.min.js"></script>
      
    
  </body>
</html>