- <title>Google Cloud Secret Manager - External Secrets Operator</title>
- <div class="md-grid">
- <ul class="md-tabs__list">
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../.." class="md-tabs__link">
-
-
-
-
-
- Introduction
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../api/components/" class="md-tabs__link">
-
-
-
-
-
- API
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../guides/introduction/" class="md-tabs__link">
-
-
-
-
-
- Guides
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item md-tabs__item--active">
- <a href="../aws-secrets-manager/" class="md-tabs__link">
-
-
-
-
-
- Provider
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
-
-
-
-
-
- Examples
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-tabs__item">
- <a href="../../contributing/devguide/" class="md-tabs__link">
-
-
-
-
-
- Community
- </a>
- </li>
-
-
-
-
-
- </ul>
- </div>
- </nav>
-
-
-
- <main class="md-main" data-md-component="main">
- <div class="md-main__inner md-grid">
-
-
-
- <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
- <div class="md-sidebar__scrollwrap">
- <div class="md-sidebar__inner">
-
-
- <nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
- <label class="md-nav__title" for="__drawer">
- <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
-
- <img src="../../pictures/eso-round-logo.svg" alt="logo">
- </a>
- External Secrets Operator
- </label>
-
- <div class="md-nav__source">
- <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
- <div class="md-source__icon md-icon">
-
- <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
- </div>
- <div class="md-source__repository">
- External Secrets Operator
- </div>
- </a>
- </div>
-
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
-
-
- <div class="md-nav__link md-nav__container">
- <a href="../.." class="md-nav__link ">
-
-
-
- <span class="md-ellipsis">
-
-
- Introduction
-
-
- </span>
-
-
- </a>
-
-
- <label class="md-nav__link " for="__nav_1" id="__nav_1_label" tabindex="0">
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- </div>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_1">
- <span class="md-nav__icon md-icon"></span>
-
-
- Introduction
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/overview/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Overview
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/glossary/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Glossary
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/prerequisites/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Prerequisites
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/getting-started/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Getting started
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/faq/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- FAQ
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/stability-support/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Stability and Support
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../introduction/deprecation-policy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Deprecation Policy
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
-
-
- <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- API
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- API
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/components/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Components
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
-
-
- <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Core Resources
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- Core Resources
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/externalsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ExternalSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/secretstore/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- SecretStore
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clustersecretstore/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ClusterSecretStore
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clusterexternalsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ClusterExternalSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/clusterpushsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ClusterPushSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/pushsecret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- PushSecret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
-
-
- <div class="md-nav__link md-nav__container">
- <a href="../../api/generator/" class="md-nav__link ">
-
-
-
- <span class="md-ellipsis">
-
-
- Generators
-
-
- </span>
-
-
- </a>
-
-
- <label class="md-nav__link " for="__nav_2_3" id="__nav_2_3_label" tabindex="0">
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- </div>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_3">
- <span class="md-nav__icon md-icon"></span>
-
-
- Generators
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/acr/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Azure Container Registry
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/ecr/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Elastic Container Registry
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/sts/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS STS Session Token
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/cloudsmith/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cloudsmith
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/cluster/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cluster Generator
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/gcr/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Google Container Registry
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/grafana/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Grafana
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/quay/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Quay
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Vault Dynamic Secret
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/beyondtrustworkloadcredentials/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- BeyondTrust Workload Credentials
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/password/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Password
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/fake/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Fake
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/webhook/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Webhook
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/github/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Github
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/gitlab/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Gitlab
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/uuid/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- UUID
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/mfa/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- MFA
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/generator/sshkey/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- SSHKey
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
-
-
- <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Reference Docs
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_2_4">
- <span class="md-nav__icon md-icon"></span>
-
-
- Reference Docs
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/spec/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- API specification
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/controller-options/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Controller Options
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/metrics/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Metrics
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../api/selectable-fields/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Selectable Fields
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
-
-
- <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Guides
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3">
- <span class="md-nav__icon md-icon"></span>
-
-
- Guides
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/introduction/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Introduction
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
-
-
- <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- External Secrets
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- External Secrets
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/all-keys-one-secret/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Extract structured data
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/getallsecrets/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Find Secrets by Name or Metadata
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/datafrom-rewrite/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Rewriting Keys
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
-
-
- <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Advanced Templating
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_2_4">
- <span class="md-nav__icon md-icon"></span>
-
-
- Advanced Templating
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/templating/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- v2
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/templating-v1/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- v1
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/common-k8s-secret-types/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Kubernetes Secret Types
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/ownership-deletion-policy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Lifecycle: ownership & deletion
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/decoding-strategy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Decoding Strategies
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/controller-class/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Controller Classes
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/targeting-custom-resources/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Targeting Custom Resources
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/generator/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Generators
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/pushsecrets/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Push Secrets
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_6" >
-
-
- <label class="md-nav__link" for="__nav_3_6" id="__nav_3_6_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Operations
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_6_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_6">
- <span class="md-nav__icon md-icon"></span>
-
-
- Operations
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/multi-tenancy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Multi Tenancy
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/security-best-practices/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Security Best Practices
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/threat-model/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Threat Model
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/v1beta1/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Upgrading to v1beta1
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/using-latest-image/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Using Latest Image
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/disable-cluster-features/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Disable Cluster Features
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_7" >
-
-
- <label class="md-nav__link" for="__nav_3_7" id="__nav_3_7_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Tooling
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_7_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_3_7">
- <span class="md-nav__icon md-icon"></span>
-
-
- Tooling
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../guides/using-esoctl-tool/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Using the esoctl tool
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
-
-
-
- <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
-
-
- <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
-
-
-
- <span class="md-ellipsis">
-
-
- Provider
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
- <label class="md-nav__title" for="__nav_4">
- <span class="md-nav__icon md-icon"></span>
-
-
- Provider
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../aws-secrets-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Secrets Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../aws-parameter-store/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Parameter Store
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../aws-access/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- AWS Access
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../azure-key-vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Azure Key Vault
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../barbican/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Barbican
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../beyondtrust/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- BeyondTrust
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../beyondtrustworkloadcredentials/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- BeyondTrust Workload Credentials
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../bitwarden-secrets-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Bitwarden Secrets Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../chef/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Chef
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../cloudru/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cloud.ru Secret Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../conjur/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- CyberArk Conjur
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--active">
-
- <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
-
-
-
- <label class="md-nav__link md-nav__link--active" for="__toc">
-
-
-
- <span class="md-ellipsis">
-
-
- Google Cloud Secret Manager
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <a href="./" class="md-nav__link md-nav__link--active">
-
-
-
- <span class="md-ellipsis">
-
-
- Google Cloud Secret Manager
-
-
- </span>
-
-
- </a>
-
-
- <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
-
-
-
-
- <label class="md-nav__title" for="__toc">
- <span class="md-nav__icon md-icon"></span>
- Table of contents
- </label>
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-
- <li class="md-nav__item">
- <a href="#authentication" class="md-nav__link">
- <span class="md-ellipsis">
-
- Authentication
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Authentication">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#workload-identity-gke" class="md-nav__link">
- <span class="md-ellipsis">
-
- Workload Identity (GKE)
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Workload Identity (GKE)">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#prerequisites" class="md-nav__link">
- <span class="md-ellipsis">
-
- Prerequisites
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#using-a-kubernetes-service-account-as-a-gcp-iam-principal" class="md-nav__link">
- <span class="md-ellipsis">
-
- Using a Kubernetes service account as a GCP IAM principal
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#linking-a-kubernetes-service-account-to-a-gcp-service-account" class="md-nav__link">
- <span class="md-ellipsis">
-
- Linking a Kubernetes service account to a GCP service account
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authorizing-the-core-controller-pod" class="md-nav__link">
- <span class="md-ellipsis">
-
- Authorizing the Core Controller Pod
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#auto-detection-of-gcp-project-id" class="md-nav__link">
- <span class="md-ellipsis">
-
- Auto-detection of GCP project ID
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#projectid-vs-clusterprojectid" class="md-nav__link">
- <span class="md-ellipsis">
-
- projectID vs clusterProjectID
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#explicitly-specifying-the-gke-clusters-name-and-location" class="md-nav__link">
- <span class="md-ellipsis">
-
- Explicitly specifying the GKE cluster's name and location
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#workload-identity-federation" class="md-nav__link">
- <span class="md-ellipsis">
-
- Workload Identity Federation
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Workload Identity Federation">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#configuration-rules" class="md-nav__link">
- <span class="md-ellipsis">
-
- Configuration rules
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#kubernetes-subject-token-serviceaccountref" class="md-nav__link">
- <span class="md-ellipsis">
-
- Kubernetes subject token (serviceAccountRef)
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#google-service-account-impersonation" class="md-nav__link">
- <span class="md-ellipsis">
-
- Google service account impersonation
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#external-account-json-credconfig" class="md-nav__link">
- <span class="md-ellipsis">
-
- External account JSON (credConfig)
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#aws-subject-token-awssecuritycredentials" class="md-nav__link">
- <span class="md-ellipsis">
-
- AWS subject token (awsSecurityCredentials)
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#other-api-surfaces" class="md-nav__link">
- <span class="md-ellipsis">
-
- Other API surfaces
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#references" class="md-nav__link">
- <span class="md-ellipsis">
-
- References
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authenticating-with-a-gcp-service-account-static-key" class="md-nav__link">
- <span class="md-ellipsis">
-
- Authenticating with a GCP service account (static key)
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#using-pushsecret-with-an-existing-google-secret-manager-secret" class="md-nav__link">
- <span class="md-ellipsis">
-
- Using PushSecret with an existing Google Secret Manager secret
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#secret-replication-and-encryption-configuration" class="md-nav__link">
- <span class="md-ellipsis">
-
- Secret Replication and Encryption Configuration
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Secret Replication and Encryption Configuration">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#location-and-replication" class="md-nav__link">
- <span class="md-ellipsis">
-
- Location and Replication
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#customer-managed-encryption-keys-cmek" class="md-nav__link">
- <span class="md-ellipsis">
-
- Customer-Managed Encryption Keys (CMEK)
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#regional-secrets" class="md-nav__link">
- <span class="md-ellipsis">
-
- Regional Secrets
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#secret-version-management" class="md-nav__link">
- <span class="md-ellipsis">
-
- Secret Version Management
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Secret Version Management">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#secret-version-selection-policy" class="md-nav__link">
- <span class="md-ellipsis">
-
- Secret Version Selection Policy
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Secret Version Selection Policy">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#available-policies" class="md-nav__link">
- <span class="md-ellipsis">
-
- Available Policies
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#configuration-example" class="md-nav__link">
- <span class="md-ellipsis">
-
- Configuration Example
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
-
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../hashicorp-vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- HashiCorp Vault
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../kubernetes/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Kubernetes
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../ibm-secrets-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- IBM Secrets Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../akeyless/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Akeyless
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../yandex-certificate-manager/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Yandex Certificate Manager
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../yandex-lockbox/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Yandex Lockbox
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../gitlab-variables/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- GitLab Variables
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../github/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Github Actions Secrets
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../oracle-vault/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Oracle Vault
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../ovhcloud/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- OVHcloud
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../1password-automation/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- 1Password Connect Server
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../1password-sdk/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- 1Password SDK
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../webhook/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Webhook
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../fake/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Fake
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../senhasegura-dsm/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- senhasegura DevOps Secrets Management (DSM)
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../doppler/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Doppler
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../keeper-security/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Keeper Security
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../cloak/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Cloak End 2 End Encrypted Secrets
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../scaleway/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Scaleway
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../delinea/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Delinea
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../secretserver/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Secret Server
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../passbolt/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Passbolt
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../pulumi/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Pulumi ESC
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../onboardbase/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Onboardbase
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../provider-passworddepot/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Password Depot
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../fortanix/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Fortanix
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../infisical/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Infisical
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../previder/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Previder
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../openbao/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- OpenBao
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../volcengine/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Volcengine
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../ngrok/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- ngrok
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../devolutions-server/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Devolutions Server
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../nebius-mysterybox/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Nebius MysteryBox
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
-
-
- <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Examples
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_5">
- <span class="md-nav__icon md-icon"></span>
-
-
- Examples
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- FluxCD
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Anchore Engine
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Jenkins
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../examples/bitwarden/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Bitwarden
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
-
-
- <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Community
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6">
- <span class="md-nav__icon md-icon"></span>
-
-
- Community
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
-
-
- <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- Contributing
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6_1">
- <span class="md-nav__icon md-icon"></span>
-
-
- Contributing
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/devguide/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Developer guide
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/process/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Contributing Process
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/release/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Release Process
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/coc/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Code of Conduct
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/calendar/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Community meetings calendar
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/roadmap/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Roadmap
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/burnout-mitigation/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Burnout Prevention
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../contributing/llm-policy/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- LLM Policy
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item md-nav__item--nested">
-
-
-
-
-
- <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
-
-
- <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
-
-
-
- <span class="md-ellipsis">
-
-
- External Resources
-
-
- </span>
-
-
- <span class="md-nav__icon md-icon"></span>
- </label>
-
- <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
- <label class="md-nav__title" for="__nav_6_2">
- <span class="md-nav__icon md-icon"></span>
-
-
- External Resources
-
- </label>
- <ul class="md-nav__list" data-md-scrollfix>
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-talks/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Talks
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-demos/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Demos
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-blogs/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Blogs
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
-
-
-
-
-
-
- <li class="md-nav__item">
- <a href="../../eso-tools/" class="md-nav__link">
-
-
-
- <span class="md-ellipsis">
-
-
- Tools
-
-
- </span>
-
-
- </a>
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
-
- </ul>
- </nav>
-
- </li>
-
-
- </ul>
- </nav>
- </div>
- </div>
- </div>
-
-
-
- <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
- <div class="md-sidebar__scrollwrap">
- <div class="md-sidebar__inner">
-
- <nav class="md-nav md-nav--secondary" aria-label="Table of contents">
-
-
-
-
- <label class="md-nav__title" for="__toc">
- <span class="md-nav__icon md-icon"></span>
- Table of contents
- </label>
- <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
-
- <li class="md-nav__item">
- <a href="#authentication" class="md-nav__link">
- <span class="md-ellipsis">
-
- Authentication
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Authentication">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#workload-identity-gke" class="md-nav__link">
- <span class="md-ellipsis">
-
- Workload Identity (GKE)
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Workload Identity (GKE)">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#prerequisites" class="md-nav__link">
- <span class="md-ellipsis">
-
- Prerequisites
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#using-a-kubernetes-service-account-as-a-gcp-iam-principal" class="md-nav__link">
- <span class="md-ellipsis">
-
- Using a Kubernetes service account as a GCP IAM principal
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#linking-a-kubernetes-service-account-to-a-gcp-service-account" class="md-nav__link">
- <span class="md-ellipsis">
-
- Linking a Kubernetes service account to a GCP service account
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authorizing-the-core-controller-pod" class="md-nav__link">
- <span class="md-ellipsis">
-
- Authorizing the Core Controller Pod
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#auto-detection-of-gcp-project-id" class="md-nav__link">
- <span class="md-ellipsis">
-
- Auto-detection of GCP project ID
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#projectid-vs-clusterprojectid" class="md-nav__link">
- <span class="md-ellipsis">
-
- projectID vs clusterProjectID
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#explicitly-specifying-the-gke-clusters-name-and-location" class="md-nav__link">
- <span class="md-ellipsis">
-
- Explicitly specifying the GKE cluster's name and location
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#workload-identity-federation" class="md-nav__link">
- <span class="md-ellipsis">
-
- Workload Identity Federation
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Workload Identity Federation">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#configuration-rules" class="md-nav__link">
- <span class="md-ellipsis">
-
- Configuration rules
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#kubernetes-subject-token-serviceaccountref" class="md-nav__link">
- <span class="md-ellipsis">
-
- Kubernetes subject token (serviceAccountRef)
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#google-service-account-impersonation" class="md-nav__link">
- <span class="md-ellipsis">
-
- Google service account impersonation
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#external-account-json-credconfig" class="md-nav__link">
- <span class="md-ellipsis">
-
- External account JSON (credConfig)
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#aws-subject-token-awssecuritycredentials" class="md-nav__link">
- <span class="md-ellipsis">
-
- AWS subject token (awsSecurityCredentials)
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#other-api-surfaces" class="md-nav__link">
- <span class="md-ellipsis">
-
- Other API surfaces
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#references" class="md-nav__link">
- <span class="md-ellipsis">
-
- References
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#authenticating-with-a-gcp-service-account-static-key" class="md-nav__link">
- <span class="md-ellipsis">
-
- Authenticating with a GCP service account (static key)
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#using-pushsecret-with-an-existing-google-secret-manager-secret" class="md-nav__link">
- <span class="md-ellipsis">
-
- Using PushSecret with an existing Google Secret Manager secret
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#secret-replication-and-encryption-configuration" class="md-nav__link">
- <span class="md-ellipsis">
-
- Secret Replication and Encryption Configuration
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Secret Replication and Encryption Configuration">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#location-and-replication" class="md-nav__link">
- <span class="md-ellipsis">
-
- Location and Replication
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#customer-managed-encryption-keys-cmek" class="md-nav__link">
- <span class="md-ellipsis">
-
- Customer-Managed Encryption Keys (CMEK)
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#regional-secrets" class="md-nav__link">
- <span class="md-ellipsis">
-
- Regional Secrets
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#secret-version-management" class="md-nav__link">
- <span class="md-ellipsis">
-
- Secret Version Management
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Secret Version Management">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#secret-version-selection-policy" class="md-nav__link">
- <span class="md-ellipsis">
-
- Secret Version Selection Policy
-
- </span>
- </a>
-
- <nav class="md-nav" aria-label="Secret Version Selection Policy">
- <ul class="md-nav__list">
-
- <li class="md-nav__item">
- <a href="#available-policies" class="md-nav__link">
- <span class="md-ellipsis">
-
- Available Policies
-
- </span>
- </a>
-
- </li>
-
- <li class="md-nav__item">
- <a href="#configuration-example" class="md-nav__link">
- <span class="md-ellipsis">
-
- Configuration Example
-
- </span>
- </a>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
- </nav>
-
- </li>
-
- </ul>
-
- </nav>
- </div>
- </div>
- </div>
-
-
-
- <div class="md-content" data-md-component="content">
-
- <article class="md-content__inner md-typeset">
-
-
-
-
- <h1>Google Cloud Secret Manager</h1>
- <p>External Secrets Operator integrates with the <a href="https://cloud.google.com/secret-manager">Google Cloud Secret Manager</a>.</p>
- <h2 id="authentication">Authentication</h2>
- <p>The Google Secret Manager provider resolves credentials in this order: static service account JSON (<code>auth.secretRef</code>), <a href="#workload-identity-gke">GKE Workload Identity</a> (<code>auth.workloadIdentity</code>), <a href="#workload-identity-federation">GCP Workload Identity Federation</a> (<code>auth.workloadIdentityFederation</code>), then <a href="https://cloud.google.com/docs/authentication/application-default-credentials">Application Default Credentials</a> from the environment (for example the GKE metadata server when no explicit auth is configured).</p>
- <p>Pick the mechanism that matches where the operator runs:</p>
- <table>
- <thead>
- <tr>
- <th>Mechanism</th>
- <th>API field</th>
- <th>Typical use</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td>GKE Workload Identity</td>
- <td><code>auth.workloadIdentity</code></td>
- <td>GKE clusters with <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Workload Identity</a> enabled; uses the GKE metadata server and the identity binding token flow.</td>
- </tr>
- <tr>
- <td>GCP Workload Identity Federation</td>
- <td><code>auth.workloadIdentityFederation</code></td>
- <td>AKS, EKS, self-hosted Kubernetes, or any setup where you configure an IAM workload identity pool and provider per <a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes">Google’s federation docs</a>.</td>
- </tr>
- <tr>
- <td>Static service account key</td>
- <td><code>auth.secretRef</code></td>
- <td>Any cluster; long-lived JSON key in a Kubernetes <code>Secret</code> (not recommended where federation or GKE WI is available).</td>
- </tr>
- </tbody>
- </table>
- <p><a id="workload-identity-gke"></a></p>
- <h3 id="workload-identity-gke">Workload Identity (GKE)</h3>
- <p>Through <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">GKE Workload Identity</a>, workloads on <strong>Google Kubernetes Engine</strong> can call Google APIs (including Secret Manager) without storing long-lived keys. In External Secrets Operator this path is implemented as <code>auth.workloadIdentity</code> and expects the <strong>GCP metadata server</strong> (available on GKE nodes) so the operator can discover the cluster project, name, and location when those fields are omitted.</p>
- <p>Authenticating with GKE Workload Identity is the usual choice when the operator runs on GKE. ESO supports three patterns:</p>
- <ul>
- <li><strong>Using a Kubernetes service account as a GCP IAM principal</strong>: The <code>SecretStore</code> (or <code>ClusterSecretStore</code>) references a <a href="https://kubernetes.io/docs/concepts/security/service-accounts">Kubernetes service account</a> that is authorized to access Secret Manager secrets.</li>
- <li><strong>Linking a Kubernetes service account to a GCP service account:</strong> The <code>SecretStore</code> (or <code>ClusterSecretStore</code>) references a Kubernetes service account, which is linked to a <a href="https://cloud.google.com/iam/docs/service-accounts">GCP service account</a> that is authorized to access Secret Manager secrets. This requires that the Kubernetes service account is annotated correctly and granted the <code>iam.workloadIdentityUser</code> role on the GCP service account.</li>
- <li><strong>Authorizing the Core Controller Pod:</strong> The ESO Core Controller Pod's service account is authorized to access Secret Manager secrets. No authentication is required for <code>SecretStore</code> and <code>ClusterSecretStore</code> instances.</li>
- </ul>
- <p>In the following, we will describe each of these options in detail.</p>
- <h4 id="prerequisites">Prerequisites</h4>
- <ul>
- <li>Enable and use <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Workload Identity on the GKE cluster</a>.</li>
- </ul>
- <h4 id="using-a-kubernetes-service-account-as-a-gcp-iam-principal">Using a Kubernetes service account as a GCP IAM principal</h4>
- <p>The <code>SecretStore</code> (or <code>ClusterSecretStore</code>) references a Kubernetes service account that is authorized to access Secret Manager secrets.</p>
- <p>To demonstrate this approach, we'll create a <code>SecretStore</code> in the <code>demo</code> namespace.</p>
- <p>First, create a Kubernetes service account in the <code>demo</code> namespace:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secrets-sa</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- </code></pre></div>
- <p>To grant a Kubernetes service account access to Secret Manager secret(s), you need to know four values:</p>
- <ul>
- <li><code>PROJECT_ID</code>: Your GCP project ID, which you can find under "Project Info" on your console dashboard. Note that this might be different from your project's <em>name</em>.</li>
- <li><code>PROJECT_NUMBER</code>: Your GCP project number, which you can find under "Project Info" on your console dashboard or through <code>gcloud projects describe $PROJECT_ID --format="value(projectNumber)"</code>.</li>
- <li><code>K8S_SA</code>: The name of the Kubernetes service account you created. (In our example, <code>demo-secrets-sa</code>.)</li>
- <li><code>K8S_NAMESPACE</code>: The namespace where you created the Kubernetes service account (In our example, <code>demo</code>.)</li>
- </ul>
- <p>For example, the following CLI call grants the Kubernetes service account access to a secret <code>demo-secret</code>:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>secrets<span class="w"> </span>add-iam-policy-binding<span class="w"> </span>demo-secret<span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--project<span class="o">=</span><span class="nv">$PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/secretmanager.secretAccessor"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--member<span class="o">=</span><span class="s2">"principal://iam.googleapis.com/projects/</span><span class="si">${</span><span class="nv">PROJECT_NUMBER</span><span class="si">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span><span class="s2">.svc.id.goog/subject/ns/</span><span class="si">${</span><span class="nv">K8S_NAMESPACE</span><span class="si">}</span><span class="s2">/sa/</span><span class="si">${</span><span class="nv">K8S_SA</span><span class="si">}</span><span class="s2">"</span>
- </code></pre></div>
- <p>You can also grant the Kubernetes service account access to <em>all</em> secrets in a GCP project:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="nv">$PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/secretmanager.secretAccessor"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--member<span class="o">=</span><span class="s2">"principal://iam.googleapis.com/projects/</span><span class="si">${</span><span class="nv">PROJECT_NUMBER</span><span class="si">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span><span class="s2">.svc.id.goog/subject/ns/</span><span class="si">${</span><span class="nv">K8S_NAMESPACE</span><span class="si">}</span><span class="s2">/sa/</span><span class="si">${</span><span class="nv">K8S_SA</span><span class="si">}</span><span class="s2">"</span>
- </code></pre></div>
- <p>Note that this allows anyone who can create <code>ExternalSecret</code> resources referencing a <code>SecretStore</code> instance using this service account access to all secrets in the project.</p>
- <p><em>For more information about GKE Workload Identity and Secret Manager permissions, refer to:</em></p>
- <ul>
- <li><em><a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Authenticate to Google Cloud APIs from GKE workloads</a> in the GKE documentation.</em></li>
- <li><em><a href="https://cloud.google.com/secret-manager/docs/access-control">Access control with IAM</a> in the Secret Manager documentation.</em></li>
- </ul>
- <p>Next, create a <code>SecretStore</code> that references the <code>demo-secrets-sa</code> Kubernetes service account:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">PROJECT_ID</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">workloadIdentity</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secrets-sa</span>
- </code></pre></div>
- <p>In the case of a <code>ClusterSecretStore</code>, you additionally have to define the service account's <code>namespace</code> under <code>auth.workloadIdentity.serviceAccountRef</code>.</p>
- <p>Finally, you can create an <code>ExternalSecret</code> for the <code>demo-secret</code> that references this <code>SecretStore</code>:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-external-secret</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span>
- <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
- <span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DEMO_SECRET</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secret</span>
- </code></pre></div>
- <h4 id="linking-a-kubernetes-service-account-to-a-gcp-service-account">Linking a Kubernetes service account to a GCP service account</h4>
- <p>The <code>SecretStore</code> (or <code>ClusterSecretStore</code>) references a Kubernetes service account, which is linked to a GCP service account that is authorized to access Secret Manager secrets.</p>
- <p>To demonstrate this approach, we'll create a <code>SecretStore</code> in the <code>demo</code> namespace.</p>
- <p>To set up the Kubernetes service account, you need to know or choose the following values:</p>
- <ul>
- <li><code>PROJECT_ID</code>: Your GCP project ID, which you can find under "Project Info" on your console dashboard. Note that this might be different from your project's <em>name</em>.</li>
- <li><code>GCP_SA</code>: The name of the GCP service account you are going to create and use (e.g., <code>external-secrets</code>).</li>
- </ul>
- <p>First, create the Kubernetes service account with an annotation that references the GCP service account:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secrets-sa</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">iam.gke.io/gcp-service-account</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">GCP_SA</span><span class="p p-Indicator">]</span><span class="err">@</span><span class="p p-Indicator">[</span><span class="nv">PROJECT_ID</span><span class="p p-Indicator">]</span><span class="l l-Scalar l-Scalar-Plain">.iam.gserviceaccount.com</span>
- </code></pre></div>
- <p>Next, create the GCP service account:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>create<span class="w"> </span><span class="nv">$GCP_SA</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--project<span class="o">=</span><span class="nv">$PROJECT_ID</span>
- </code></pre></div>
- <p>To finalize the link between the GCP service account and the Kubernetes service account, you need two additional values:</p>
- <ul>
- <li><code>K8S_SA</code>: The name of the Kubernetes service account you created. (In our example, <code>demo-secrets-sa</code>.)</li>
- <li><code>K8S_NAMESPACE</code>: The namespace where you created the Kubernetes service account (In our example, <code>demo</code>.)</li>
- </ul>
- <p>Grant the Kubernetes service account the <code>iam.workloadIdentityUser</code> role on the GCP service account:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="se">\</span>
- <span class="w"> </span><span class="si">${</span><span class="nv">GCP_SA</span><span class="si">}</span>@<span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span>.iam.gserviceaccount.com<span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/iam.workloadIdentityUser"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--member<span class="w"> </span><span class="s2">"serviceAccount:</span><span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span><span class="s2">.svc.id.goog[</span><span class="si">${</span><span class="nv">K8S_NAMESPACE</span><span class="si">}</span><span class="s2">/</span><span class="si">${</span><span class="nv">K8S_SA</span><span class="si">}</span><span class="s2">]"</span>
- </code></pre></div>
- <p>Next, grant the GCP service account access to a secret in the Secret Manager.
- For example, the following CLI call grants it access to a secret <code>demo-secret</code>:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>secrets<span class="w"> </span>add-iam-policy-binding<span class="w"> </span>demo-secret<span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--project<span class="o">=</span><span class="nv">$PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/secretmanager.secretAccessor"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--member<span class="w"> </span><span class="s2">"serviceAccount:</span><span class="si">${</span><span class="nv">GCP_SA</span><span class="si">}</span><span class="s2">@</span><span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com"</span>
- </code></pre></div>
- <p>You can also grant the GCP service account access to <em>all</em> secrets in a GCP project:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="nv">$PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/secretmanager.secretAccessor"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--member<span class="w"> </span><span class="s2">"serviceAccount:</span><span class="si">${</span><span class="nv">GCP_SA</span><span class="si">}</span><span class="s2">@</span><span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com"</span>
- </code></pre></div>
- <p>Note that this allows anyone who can create <code>ExternalSecret</code> resources referencing a <code>SecretStore</code> instance using this service account access to all secrets in the project.</p>
- <p><em>For more information about GKE Workload Identity and Secret Manager permissions, refer to:</em></p>
- <ul>
- <li><em><a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Authenticate to Google Cloud APIs from GKE workloads</a> in the GKE documentation.</em></li>
- <li><em><a href="https://cloud.google.com/secret-manager/docs/access-control">Access control with IAM</a> in the Secret Manager documentation.</em></li>
- </ul>
- <p>Next, create a <code>SecretStore</code> that references the <code>demo-secrets-sa</code> Kubernetes service account:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">PROJECT_ID</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">workloadIdentity</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secrets-sa</span>
- </code></pre></div>
- <p>In the case of a <code>ClusterSecretStore</code>, you additionally have to define the service account's <code>namespace</code> under <code>auth.workloadIdentity.serviceAccountRef</code>.</p>
- <p>Finally, you can create an <code>ExternalSecret</code> for the <code>demo-secret</code> that references this <code>SecretStore</code>:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-external-secret</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span>
- <span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="w"> </span><span class="nt">target</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>
- <span class="w"> </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DEMO_SECRET</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secret</span>
- </code></pre></div>
- <h4 id="authorizing-the-core-controller-pod">Authorizing the Core Controller Pod</h4>
- <p>Instead of managing authentication at the <code>SecretStore</code> and <code>ClusterSecretStore</code> level, you can give the <a href="../../api/components/">Core Controller</a> Pod's service account access to Secret Manager secrets using one of the two GKE Workload Identity approaches described in the previous sections.</p>
- <p>To demonstrate this approach, we'll assume you installed ESO using Helm into the <code>external-secrets</code> namespace, with <code>external-secrets</code> as the release name:</p>
- <div class="highlight"><pre><span></span><code>helm<span class="w"> </span>repo<span class="w"> </span>add<span class="w"> </span>external-secrets<span class="w"> </span>https://charts.external-secrets.io
- helm<span class="w"> </span>install<span class="w"> </span>external-secrets<span class="w"> </span>external-secrets/external-secrets<span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--namespace<span class="w"> </span>external-secrets<span class="w"> </span>--create-namespace
- </code></pre></div>
- <p>This creates a Kubernetes service account <code>external-secrets</code> in the <code>external-secrets</code> namespace, which is used by the Core Controller Pod.</p>
- <p>To verify this (or to determine the service account's name in a different setup), you can run:</p>
- <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>--namespace<span class="w"> </span>external-secrets<span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--selector<span class="w"> </span>app.kubernetes.io/name<span class="o">=</span>external-secrets<span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--output<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.items[0].spec.serviceAccountName}'</span>
- </code></pre></div>
- <p>Use GKE Workload Identity to grant this Kubernetes service account access to the Secret Manager secrets.
- You can use either of the approaches described in the previous two sections.</p>
- <p><em>For details and further information on GKE Workload Identity and Secret Manager permissions, refer to:</em></p>
- <ul>
- <li><em><a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">Authenticate to Google Cloud APIs from GKE workloads</a> in the GKE documentation.</em></li>
- <li><em><a href="https://cloud.google.com/secret-manager/docs/access-control">Access control with IAM</a> in the Secret Manager documentation.</em></li>
- </ul>
- <p>Once the Core Controller Pod can access the Secret Manager secret(s) through GKE Workload Identity via its Kubernetes service account, you can create <code>SecretStore</code> or <code>ClusterSecretStore</code> instances without authentication configuration. You can optionally specify the GCP project ID, or omit it to use auto-detection from the GCP metadata server:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">PROJECT_ID</span><span class="p p-Indicator">]</span>
- </code></pre></div>
- <p>Alternatively, with projectID auto-detection (GKE only):</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-secret-store</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span><span class="w"> </span><span class="c1"># Both projectID and auth are optional when using Core Controller authentication in GKE</span>
- </code></pre></div>
- <h4 id="auto-detection-of-gcp-project-id">Auto-detection of GCP project ID</h4>
- <p>When creating a <code>SecretStore</code> or <code>ClusterSecretStore</code>, the <code>projectID</code> field is optional only if the provider can infer the Google Cloud project another way. The implementation resolves a fallback project from the <a href="https://cloud.google.com/compute/docs/metadata/overview">GCP metadata server</a> when <strong>no</strong> <code>auth.secretRef</code> is set and the controller runs on <strong>GKE</strong> (metadata is not available on most non-GKE clusters).</p>
- <p>In practice:</p>
- <ul>
- <li>With <strong><code>auth.workloadIdentity</code></strong> or ADC on <strong>GKE</strong>, omitting <code>projectID</code> is supported when Secret Manager secrets live in the <strong>same</strong> project as the cluster (or when <code>clusterProjectID</code> / explicit <code>projectID</code> disambiguates cross-project cases; see below).</li>
- <li>With <strong><code>auth.workloadIdentityFederation</code></strong> on clusters <strong>without</strong> GCP metadata, set <strong><code>projectID</code></strong> explicitly to the project that owns your secrets.</li>
- <li>With <strong><code>auth.secretRef</code></strong>, <code>projectID</code> is <strong>required</strong> (no metadata fallback).</li>
- </ul>
- <p>This allows portable <code>SecretStore</code> configurations on GKE without hard-coding the project when the above conditions hold:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-secret-store</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># projectID optional on GKE when metadata resolves the secrets project</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">workloadIdentity</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secrets-sa</span>
- </code></pre></div>
- <p>You must set <code>projectID</code> explicitly when using static service account credentials (<code>auth.secretRef</code>), when the metadata server is unavailable or points at the wrong project, or when accessing secrets in a different project than the one inferred for the client.</p>
- <h4 id="projectid-vs-clusterprojectid">projectID vs clusterProjectID</h4>
- <p><code>projectID</code> (<code>spec.provider.gcpsm.projectID</code>) tells the provider which GCP project holds the secrets. It is used in secret resource paths like <code>projects/{projectID}/secrets/{name}</code>. For <strong>GKE Workload Identity</strong> (<code>auth.workloadIdentity</code>), it also feeds cluster-side resolution when <code>clusterProjectID</code> is not set.</p>
- <p><code>clusterProjectID</code> (<code>spec.provider.gcpsm.auth.workloadIdentity.clusterProjectID</code>) identifies the project hosting the GKE cluster. It is <strong>only</strong> used by <strong><code>auth.workloadIdentity</code></strong> to build the identity pool and provider URL. When either field is omitted on GKE, the provider can query the <a href="https://cloud.google.com/compute/docs/metadata/overview">GCP metadata server</a> for the project ID. This field does not apply to <code>auth.workloadIdentityFederation</code>.</p>
- <p>For cross-project access, set both fields explicitly:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="s">"secrets-project-456"</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">workloadIdentity</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">clusterProjectID</span><span class="p">:</span><span class="w"> </span><span class="s">"cluster-project-123"</span>
- <span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-sa</span>
- </code></pre></div>
- <h4 id="explicitly-specifying-the-gke-clusters-name-and-location">Explicitly specifying the GKE cluster's name and location</h4>
- <p>When creating a <code>SecretStore</code> or <code>ClusterSecretStore</code> that uses <strong><code>auth.workloadIdentity</code></strong>, the GKE cluster's name and location are automatically determined through the <a href="https://cloud.google.com/compute/docs/metadata/overview">GCP metadata server</a>.
- Alternatively, you can explicitly specify some or all of these values.</p>
- <p>For a fully specified configuration, you'll need to know the following three values:</p>
- <ul>
- <li><code>CLUSTER_PROJECT_ID</code>: The ID of GCP project that contains the GKE cluster.</li>
- <li><code>CLUSTER_NAME</code>: The name of the GKE cluster.</li>
- <li><code>CLUSTER_LOCATION</code>: The location of the GKE cluster. For a regional cluster, this is the region. For a zonal cluster, this is the zone.</li>
- </ul>
- <p>You can optionally verify these values through the CLI:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>describe<span class="w"> </span><span class="nv">$CLUSTER_NAME</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--project<span class="o">=</span><span class="nv">$CLUSTER_PROJECT_ID</span><span class="w"> </span>--location<span class="o">=</span><span class="nv">$CLUSTER_LOCATION</span>
- </code></pre></div>
- <p>If the three values are correct, this returns information about your GKE cluster.</p>
- <p>Then, you can create a <code>SecretStore</code> or <code>ClusterSecretStore</code> that explicitly specifies the cluster's project ID, name, and location:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">PROJECT_ID</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">workloadIdentity</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">clusterProjectID</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">CLUSTER_PROJECT_ID</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">clusterLocation</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">CLUSTER_LOCATION</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">clusterName</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">CLUSTER_NAME</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secrets-sa</span>
- </code></pre></div>
- <p><a id="workload-identity-federation"></a></p>
- <h3 id="workload-identity-federation">Workload Identity Federation</h3>
- <p><a href="https://cloud.google.com/iam/docs/workload-identity-federation">GCP Workload Identity Federation</a> lets workloads use <strong>short-lived tokens from an external identity provider</strong> (for example a Kubernetes API server or AWS) that Google trusts through an IAM <strong>workload identity pool</strong> and <strong>provider</strong>. This is different from <a href="#workload-identity-gke">GKE Workload Identity</a>: federation uses the <strong>external account</strong> OAuth flow (STS token exchange via <code>golang.org/x/oauth2/google/externalaccount</code>) and does <strong>not</strong> rely on the GKE identity binding token or the default <code>.svc.id.goog</code> pool on the cluster project.</p>
- <p>Use <code>auth.workloadIdentityFederation</code> when you follow Google’s guide to <a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes">configure Workload Identity Federation with Kubernetes</a> on AKS, EKS, self-hosted clusters, and OpenShift, or when you <a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#create-cred-config">configure an AWS workload identity pool provider and credential file</a> for AWS-based subject tokens.</p>
- <h4 id="configuration-rules">Configuration rules</h4>
- <p>Under <code>auth.workloadIdentityFederation</code> you must set <strong>exactly one</strong> of <code>serviceAccountRef</code>, <code>credConfig</code>, or <code>awsSecurityCredentials</code>. The provider rejects any other combination.</p>
- <table>
- <thead>
- <tr>
- <th>Field</th>
- <th>Purpose</th>
- </tr>
- </thead>
- <tbody>
- <tr>
- <td><code>serviceAccountRef</code></td>
- <td>Request a bound token for the named Kubernetes <code>ServiceAccount</code> and use it as the STS subject token (<code>urn:ietf:params:oauth:token-type:jwt</code>). <strong>Requires <code>audience</code>.</strong></td>
- </tr>
- <tr>
- <td><code>credConfig</code></td>
- <td>Load an <code>external_account</code> JSON document from a <code>ConfigMap</code> key (<a href="https://cloud.google.com/docs/authentication/application-default-credentials#external-identities">external identity ADC JSON</a>). <code>audience</code> may come from the JSON or be overridden by the spec field; it must be non-empty after merge.</td>
- </tr>
- <tr>
- <td><code>awsSecurityCredentials</code></td>
- <td>Supply static AWS credentials in a Kubernetes <code>Secret</code> plus <code>region</code> so the subject token type is <code>urn:ietf:params:aws:token-type:aws4_request</code> without using the instance metadata service from inside the pod. <strong>Requires <code>audience</code>.</strong></td>
- </tr>
- </tbody>
- </table>
- <p><strong><code>audience</code>:</strong> Required on the spec when <code>serviceAccountRef</code> or <code>awsSecurityCredentials</code> is set. It must be the full workload identity <strong>provider</strong> resource name, for example <code>//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID</code>. When only <code>credConfig</code> is used, <code>audience</code> can be supplied in the JSON; a non-empty <code>audience</code> on the spec overrides the file value.</p>
- <p><strong><code>projectID</code>:</strong> Set <code>spec.provider.gcpsm.projectID</code> to the project that contains your Secret Manager secrets whenever the controller cannot rely on GKE metadata (typical for federation off GCP nodes).</p>
- <h4 id="kubernetes-subject-token-serviceaccountref">Kubernetes subject token (<code>serviceAccountRef</code>)</h4>
- <p>ESO uses the Kubernetes <code>TokenRequest</code> API to mint a token for <code>serviceAccountRef</code> with <code>aud</code> equal to <code>spec.provider.gcpsm.auth.workloadIdentityFederation.audience</code>, optionally appending entries from <code>serviceAccountRef.audiences</code>. That token is exchanged at Google STS for a Google access token.</p>
- <p>Grant access on the secret (or project) to the <strong>federated principal</strong> for that Kubernetes identity:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>secrets<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">SECRET_NAME</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--project<span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/secretmanager.secretAccessor"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--member<span class="o">=</span><span class="s2">"principal://iam.googleapis.com/projects/</span><span class="si">${</span><span class="nv">PROJECT_NUMBER</span><span class="si">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="si">${</span><span class="nv">WIF_POOL_NAME</span><span class="si">}</span><span class="s2">/subject/system:serviceaccount:</span><span class="si">${</span><span class="nv">K8S_NAMESPACE</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">K8S_SA</span><span class="si">}</span><span class="s2">"</span>
- </code></pre></div>
- <p>If the principal does <strong>not</strong> have <code>secretmanager.secrets.get</code> / accessor on a secret, sync fails with <code>PermissionDenied</code> on <code>secretmanager.versions.access</code> even when the <code>SecretStore</code> is <code>Ready</code>—bind IAM to the identity that actually reaches Secret Manager after impersonation (see below).</p>
- <p>Example <code>SecretStore</code> when Kubernetes is the external identity provider (see the <a href="https://external-secrets.io/latest/api/spec/#external-secrets.io/v1.GCPWorkloadIdentityFederation">WorkloadIdentityFederation API</a>):</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">PROJECT_ID</span><span class="p p-Indicator">]</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">workloadIdentityFederation</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">audience</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">//iam.googleapis.com/projects/[PROJECT_ID]/locations/[CLUSTER_LOCATION]/workloadIdentityPools/[WORKLOAD_IDENTITY_POOL]/providers/[WORKLOAD_IDENTITY_PROVIDER]</span>
- <span class="w"> </span><span class="nt">serviceAccountRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-secrets-sa</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="w"> </span><span class="nt">audiences</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-audience</span>
- </code></pre></div>
- <p>For <code>ClusterSecretStore</code>, set <code>serviceAccountRef.namespace</code> when the <code>ServiceAccount</code> lives outside the referent namespace.</p>
- <h4 id="google-service-account-impersonation">Google service account impersonation</h4>
- <p>After STS returns a federated identity, ESO may call the <a href="https://cloud.google.com/iam/docs/reference/credentials/rest">IAM Credentials API</a> to <strong>impersonate</strong> a Google service account (GSA) and obtain an access token with Secret Manager scopes.</p>
- <p>Impersonation is resolved as follows (see <code>updateServiceAccountImpersonationURL</code> in the provider):</p>
- <ol>
- <li><strong><code>gcpServiceAccountEmail</code></strong> on <code>workloadIdentityFederation</code> — if set, it always sets impersonation for that GSA and overrides any other impersonation hint.</li>
- <li>With <strong><code>credConfig</code> only</strong> (no <code>serviceAccountRef</code>): use <strong><code>service_account_impersonation_url</code></strong> from the <code>external_account</code> JSON when present (unless step 1 already applied).</li>
- <li>With <strong><code>serviceAccountRef</code></strong>: if step 1 did not apply, use the <strong><code>iam.gke.io/gcp-service-account</code></strong> annotation on that <code>ServiceAccount</code> when present.</li>
- </ol>
- <p>The implementation only allows impersonation URLs that match Google’s <code>generateAccessToken</code> endpoint pattern (see validation in the provider).</p>
- <p>Typical patterns:</p>
- <ul>
- <li><strong>Direct access:</strong> bind <code>roles/secretmanager.secretAccessor</code> on secrets to the <strong>workload identity principal</strong> (<code>principal://…/subject/system:serviceaccount:…</code>), as in the previous section. No impersonation.</li>
- <li><strong>Access via a GSA:</strong> bind <code>roles/secretmanager.secretAccessor</code> on secrets to the <strong>GSA</strong> (<code>serviceAccount:my-gsa@project.iam.gserviceaccount.com</code>). Grant the federated principal <strong><code>roles/iam.workloadIdentityUser</code></strong> on that GSA (<a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#kubernetes-sa">grant access to service accounts</a>) so it may impersonate it, and set <code>gcpServiceAccountEmail</code> (or the <code>iam.gke.io/gcp-service-account</code> annotation) so ESO uses impersonation. If the federated principal lacks secret access but the GSA has it, sync fails with <code>PermissionDenied</code> until impersonation is configured—see <a href="https://cloud.google.com/iam/docs/using-workload-identity-federation#impersonation">impersonating a service account</a> and <a href="https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-oauth">creating short-lived credentials</a>.</li>
- </ul>
- <h4 id="external-account-json-credconfig">External account JSON (<code>credConfig</code>)</h4>
- <p>Point <code>credConfig</code> at a <code>ConfigMap</code> key whose value is JSON with <code>"type": "external_account"</code> and the usual fields (<code>audience</code>, <code>subject_token_type</code>, <code>token_url</code>, <code>token_info_url</code>, <code>credential_source</code>, optional <code>service_account_impersonation_url</code>, etc.). Generate a starting file with <a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#create-cred-config"><code>gcloud iam workload-identity-pools create-cred-config</code></a> as described in Google’s documentation.</p>
- <p>Security and validation notes enforced by the provider:</p>
- <ul>
- <li><strong><code>credential_source.executable</code></strong> is <strong>not allowed</strong>.</li>
- <li>After merge, <strong><code>token_url</code></strong> must look like <code>https://sts.<universe>/v1/token</code> and <strong><code>token_info_url</code></strong> like <code>https://sts.<universe>/v1/introspect</code> (defaults are filled for <code>googleapis.com</code> when omitted).</li>
- <li>If <code>credential_source</code> uses a <strong>non-AWS</strong> HTTP <strong><code>url</code></strong>, set <strong><code>externalTokenEndpoint</code></strong> on the spec to the <strong>same</strong> URL; the provider verifies they match.</li>
- <li>If <code>credential_source</code> uses the <strong>AWS</strong> metadata layout (<code>environment_id</code> starting with <code>aws</code>), URLs must match the expected IMDS patterns (metadata host or <code>169.254.169.254</code>, etc.).</li>
- <li>If the JSON sets <code>credential_source.file</code> to the operator pod’s automounted path (<code>/var/run/secrets/kubernetes.io/serviceaccount/token</code>), that source is <strong>ignored</strong> so the ESO controller does not accidentally use its own service account token; use <strong><code>serviceAccountRef</code></strong> instead to select which Kubernetes identity supplies the subject token.</li>
- </ul>
- <h4 id="aws-subject-token-awssecuritycredentials">AWS subject token (<code>awsSecurityCredentials</code>)</h4>
- <p>For an <strong>AWS</strong> workload identity provider, a <code>credConfig</code> file produced by <a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#create-cred-config"><code>gcloud iam workload-identity-pools create-cred-config</code></a> typically reads credentials from the EC2 instance metadata service (IMDS). Pods usually <strong>cannot</strong> reach <code>169.254.169.254</code> from the container network, so that approach often fails with <code>connection refused</code> inside the ESO pod even when the node can reach IMDS. In that situation use <strong><code>awsSecurityCredentials</code></strong>: put <strong><code>aws_access_key_id</code></strong>, <strong><code>aws_secret_access_key</code></strong>, and optionally <strong><code>aws_session_token</code></strong> in a Kubernetes <code>Secret</code>, set <strong><code>region</code></strong>, and reference that secret from <code>awsSecurityCredentials.awsCredentialsSecretRef</code> (namespace may be set on <code>ClusterSecretStore</code>). On <strong>Amazon EKS</strong>, Google recommends <a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes">federation with Kubernetes</a> and <code>serviceAccountRef</code> when your cluster exposes an OIDC issuer.</p>
- <p>Grant Secret Manager access to the <strong>AWS principal</strong> in the pool using a <code>principalSet</code> on the mapped account attribute, for example:</p>
- <div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>secrets<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">SECRET_NAME</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--project<span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">PROJECT_ID</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/secretmanager.secretAccessor"</span><span class="w"> </span><span class="se">\</span>
- <span class="w"> </span>--member<span class="o">=</span><span class="s2">"principalSet://iam.googleapis.com/projects/</span><span class="si">${</span><span class="nv">PROJECT_NUMBER</span><span class="si">}</span><span class="s2">/locations/global/workloadIdentityPools/</span><span class="si">${</span><span class="nv">WIF_POOL_NAME</span><span class="si">}</span><span class="s2">/attribute.account/</span><span class="si">${</span><span class="nv">AWS_ACCOUNT_ID</span><span class="si">}</span><span class="s2">"</span>
- </code></pre></div>
- <p>See <a href="https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers">Manage workload identity pools and providers</a> for creating an AWS provider and attribute mapping, and <a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds">Configure Workload Identity Federation with AWS or Azure VMs</a> for the full AWS setup guide.</p>
- <h4 id="other-api-surfaces">Other API surfaces</h4>
- <p>The same <code>workloadIdentityFederation</code> block (including <code>serviceAccountRef</code>, <code>credConfig</code>, <code>awsSecurityCredentials</code>, <code>audience</code>, and <code>gcpServiceAccountEmail</code>) is available on <strong><code>GCRAccessToken</code></strong> and <strong><code>ClusterGenerator</code></strong> resources that talk to Google APIs; see the <a href="https://external-secrets.io/latest/api/spec/#external-secrets.io/v1.GCPWorkloadIdentityFederation">API spec</a>.</p>
- <h4 id="references">References</h4>
- <ul>
- <li><a href="https://cloud.google.com/iam/docs/workload-identity-federation">Workload Identity Federation overview</a></li>
- <li><a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes">Federation with Kubernetes</a></li>
- <li><a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds">Federation with AWS or Azure VMs</a></li>
- <li><a href="https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers">Manage workload identity pools and providers</a></li>
- <li><a href="https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#create-cred-config">Create credential configuration files</a></li>
- <li><a href="https://cloud.google.com/iam/docs/using-workload-identity-federation">Use Workload Identity Federation (including impersonation)</a></li>
- <li><a href="https://cloud.google.com/docs/authentication/client-libraries#external-identities">External credentials for client libraries</a></li>
- <li><a href="https://cloud.google.com/secret-manager/docs/access-control">Secret Manager access control</a></li>
- </ul>
- <h3 id="authenticating-with-a-gcp-service-account-static-key">Authenticating with a GCP service account (static key)</h3>
- <p>The <code>SecretStore</code> (or <code>ClusterSecretStore</code>) uses a long-lived, static <a href="https://cloud.google.com/iam/docs/service-account-creds#key-types">GCP service account key</a> to authenticate with GCP.
- This approach can be used on any Kubernetes cluster.</p>
- <p>To demonstrate this approach, we'll create a <code>SecretStore</code> in the <code>demo</code> namespace.</p>
- <p>First, create a GCP service account and grant it the <code>secretmanager.secretAccessor</code> role on the Secret Manager secret(s) you want to access.</p>
- <p><em>For details and further information on managing service account permissions and Secret Manager roles, refer to:</em></p>
- <ul>
- <li><em><a href="https://cloud.google.com/iam/docs/attach-service-accounts">Attach service accounts to resources</a> in the IAM documentation.</em></li>
- <li><em><a href="https://cloud.google.com/secret-manager/docs/access-control">Access control with IAM</a> in the Secret Manager documentation.</em></li>
- </ul>
- <p>Then, create a service account key pair using one of the methods described on the page <a href="https://cloud.google.com/iam/docs/keys-create-delete">Create and delete service account keys</a> in the Google Cloud IAM documentation and store the JSON file with the private key in a Kubernetes <code>Secret</code>:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-sa-secret</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Opaque</span>
- <span class="nt">stringData</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secret-access-credentials</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span>
- <span class="w"> </span><span class="no">{</span>
- <span class="w"> </span><span class="no">"type": "service_account",</span>
- <span class="w"> </span><span class="no">"project_id": "external-secrets-operator",</span>
- <span class="w"> </span><span class="no">"private_key_id": "",</span>
- <span class="w"> </span><span class="no">"private_key": "-----BEGIN PRIVATE KEY-----\nA key\n-----END PRIVATE KEY-----\n",</span>
- <span class="w"> </span><span class="no">"client_email": "test-service-account@external-secrets-operator.iam.gserviceaccount.com",</span>
- <span class="w"> </span><span class="no">"client_id": "client ID",</span>
- <span class="w"> </span><span class="no">"auth_uri": "https://accounts.google.com/o/oauth2/auth",</span>
- <span class="w"> </span><span class="no">"token_uri": "https://oauth2.googleapis.com/token",</span>
- <span class="w"> </span><span class="no">"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",</span>
- <span class="w"> </span><span class="no">"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40external-secrets-operator.iam.gserviceaccount.com"</span>
- <span class="w"> </span><span class="no">}</span>
- </code></pre></div>
- <p>Finally, reference this secret in the <code>SecretStore</code> manifest:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo-store</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">demo</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">auth</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretAccessKeySecretRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-sa-secret</span>
- <span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-access-credentials</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">[</span><span class="nv">PROJECT_ID</span><span class="p p-Indicator">]</span>
- </code></pre></div>
- <p>In the case of a <code>ClusterSecretStore</code>, you additionally have to specify the service account's <code>namespace</code> under <code>auth.secretRef.secretAccessKeySecretRef</code>.</p>
- <h2 id="using-pushsecret-with-an-existing-google-secret-manager-secret">Using PushSecret with an existing Google Secret Manager secret</h2>
- <p>There are some use cases where you want to use PushSecret for an existing Google Secret Manager Secret that already has labels defined. For example when the creation of the secret is managed by another controller like Kubernetes Config Connector (KCC) and the updating of the secret is managed by ESO.</p>
- <p>To allow ESO to take ownership of the existing Google Secret Manager Secret, you need to add the label <code>"managed-by": "external-secrets"</code>.</p>
- <p>By default, the PushSecret spec will replace any existing labels on the existing GCP Secret Manager Secret. To prevent this, a new field was added to the <code>spec.data.metadata</code> object called <code>mergePolicy</code> which defaults to <code>Replace</code> to ensure that there are no breaking changes and is backward compatible. The other option for this field is <code>Merge</code> which will merge the existing labels on the Google Secret Manager Secret with the labels defined in the PushSecret spec. This ensures that the existing labels defined on the Google Secret Manager Secret are retained.</p>
- <p>Example of using the <code>mergePolicy</code> field:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span>
- <span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">updatePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Replace</span>
- <span class="w"> </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">None</span>
- <span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span>
- <span class="w"> </span><span class="nt">secretStoreRefs</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-secretstore</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secret</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bestpokemon</span>
- <span class="w"> </span><span class="nt">template</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">bestpokemon</span><span class="p">:</span><span class="w"> </span><span class="s">"{{</span><span class="nv"> </span><span class="s">.bestpokemon</span><span class="nv"> </span><span class="s">}}"</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">conversionStrategy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">None</span>
- <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.external-secrets.io/v1alpha1</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecretMetadata</span>
- <span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">mergePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Merge</span>
- <span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">anotherLabel</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">anotherValue</span>
- <span class="w"> </span><span class="nt">match</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bestpokemon</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">best-pokemon</span>
- </code></pre></div>
- <h2 id="secret-replication-and-encryption-configuration">Secret Replication and Encryption Configuration</h2>
- <h3 id="location-and-replication">Location and Replication</h3>
- <p>By default, secrets are automatically replicated across multiple regions. You can specify one or more replication locations for your secrets by setting the <code>replicationLocations</code> field:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ... other fields ...</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mykey</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-secret</span>
- <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.external-secrets.io/v1alpha1</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecretMetadata</span>
- <span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">replicationLocations</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"us-east1"</span>
- </code></pre></div>
- <h3 id="customer-managed-encryption-keys-cmek">Customer-Managed Encryption Keys (CMEK)</h3>
- <p>You can use your own encryption keys to encrypt secrets at rest. To use Customer-Managed Encryption Keys (CMEK), you need to:</p>
- <ol>
- <li>Create a Cloud KMS key</li>
- <li>Grant the service account the <code>roles/cloudkms.cryptoKeyEncrypterDecrypter</code> role on the key</li>
- <li>Specify the key in the PushSecret metadata</li>
- </ol>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="c1"># ... other fields ...</span>
- <span class="w"> </span><span class="nt">data</span><span class="p">:</span>
- <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mykey</span>
- <span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-secret</span>
- <span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.external-secrets.io/v1alpha1</span>
- <span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecretMetadata</span>
- <span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">cmekKeyName</span><span class="p">:</span><span class="w"> </span><span class="s">"projects/my-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key"</span>
- </code></pre></div>
- <p>Note: When using CMEK, you must specify a location in the SecretStore as customer-managed encryption keys are region-specific.</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-secret-store</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-project</span>
- <span class="w"> </span><span class="nt">location</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">us-east1</span><span class="w"> </span><span class="c1"># Required when using CMEK</span>
- </code></pre></div>
- <h2 id="regional-secrets">Regional Secrets</h2>
- <p>GCP Secret Manager Regional Secrets are available to be used with both ExternalSecrets and PushSecrets.</p>
- <p>In order to achieve so, add a <code>location</code> to your SecretStore definition:</p>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-secret-store</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-project</span>
- <span class="w"> </span><span class="nt">location</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">us-east1</span><span class="w"> </span><span class="c1"># uses regional secrets on us-east1</span>
- </code></pre></div>
- <h2 id="secret-version-management">Secret Version Management</h2>
- <h3 id="secret-version-selection-policy">Secret Version Selection Policy</h3>
- <p>The Google Secret Manager provider includes a <code>secretVersionSelectionPolicy</code> field that controls how the provider handles secret version selection when the default "latest" version is unavailable.</p>
- <p>By default, when you request a secret without specifying a version, the provider attempts to fetch the "latest" version. The <code>secretVersionSelectionPolicy</code> determines what happens if that version is in a DESTROYED or DISABLED state.</p>
- <h4 id="available-policies">Available Policies</h4>
- <ul>
- <li><strong><code>LatestOrFail</code></strong> (default): The provider always uses "latest", or fails if that version is disabled/destroyed.</li>
- <li><strong><code>LatestOrFetch</code></strong>: The provider falls back to fetching the latest enabled version if the "latest" version is DESTROYED or DISABLED.</li>
- </ul>
- <h4 id="configuration-example">Configuration Example</h4>
- <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
- <span class="nt">metadata</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">gcp-secret-store</span>
- <span class="nt">spec</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">provider</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">gcpsm</span><span class="p">:</span>
- <span class="w"> </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-project</span>
- <span class="w"> </span><span class="nt">location</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">us-east1</span>
- <span class="w"> </span><span class="nt">secretVersionSelectionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">LatestOrFetch</span><span class="w"> </span><span class="c1"># or LatestOrFail (default)</span>
- </code></pre></div>
- <p><strong>Note</strong>: When using <code>secretVersionSelectionPolicy: LatestOrFetch</code>, the service account requires additional permissions to list secret versions. You'll need to grant the <code>roles/secretmanager.viewer</code> role (which includes <code>secretmanager.versions.list</code>) or the specific <code>secretmanager.versions.list</code> permission in addition to the standard <code>secretmanager.secretAccessor</code> role.</p>
-
-
- </article>
- </div>
-
-
- <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
- </div>
-
- </main>
-
- <img referrerpolicy="no-referrer-when-downgrade"
- src="https://static.scarf.sh/a.png?x-pxid=6658a9eb-067d-49f1-94f2-b8b00f21451e" alt=""
- hidden />
-
- <footer class="md-footer">
-
- <div class="md-footer-meta md-typeset">
- <div class="md-footer-meta__inner md-grid">
- <div class="md-copyright">
-
- <div class="md-copyright__highlight">
- © 2025 The external-secrets Authors.<br/>
- © 2025 The Linux Foundation. All rights reserved.<br/><br/>
- The Linux Foundation has registered trademarks and uses trademarks.<br/>
- For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
- </div>
-
-
- Made with
- <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
- Material for MkDocs
- </a>
-
- </div>
-
- </div>
- </div>
- </footer>
-
- </div>
- <div class="md-dialog" data-md-component="dialog">
- <div class="md-dialog__inner md-typeset"></div>
- </div>
-
-
-
-
-
- <script id="__config" type="application/json">{"annotate": null, "base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.2c215733.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
-
-
- <script src="../../assets/javascripts/bundle.79ae519e.min.js"></script>
-
-
- </body>
- </html>