You are browsing documentation for an older version. See the latest documentation here.

GCP Secret Manager

Available with Kong Gateway Enterprise subscription - Contact Sales

Configuration

The current version of Kong Gateway’s implementation supports configuring GCP Secret Manager in two ways:

• Environment variables
• Workload Identity

To configure GCP Secret Manager, the GCP_SERVICE_ACCOUNT environment variable must be set to the JSON document referring to the credentials for your service account:

export GCP_SERVICE_ACCOUNT=$(cat gcp-my-project-c61f2411f321.json)

Kong Gateway uses the key to automatically authenticate with the GCP API and grant you access.

To use GCP Secret Manager with Workload Identity on a GKE cluster, update your pod spec so that the service account is attached to the pod. For configuration information, read the Workload Identity configuration documentation.

With Workload Identity, setting the GCP_SERVICE_ACCOUNT isn’t necessary.

Examples

To use a GCP Secret Manager secret with the name my-secret-name, create a JSON object in GCP that contains one or more properties:

{
  "foo": "bar",
  "snip": "snap"
}

You can now reference the secret’s individual resources like this:

{vault://gcp/my-secret-name/foo?project_id=my_project_id}
{vault://gcp/my-secret-name/snip?project_id=my_project_id}

Note that both the provider (gcp) as well as the GCP project ID (my_project_id) need to be specified.

Entity

Once the database is initialized, a Vault entity can be created that encapsulates the provider and the GCP project ID:

API Endpoint update

If you’re using 2.8.2 or below, or have not set vaults_use_new_style_api=on in kong.conf you will need to replace /vaults/ with /vaults-beta/ in the examples below.

curl -i -X PUT http://HOSTNAME:8001/vaults/my-gcp-sm-vault \
  --data name=gcp \
  --data description="Storing secrets in GCP Secret Manager" \
  --data config.project_id="my_project_id"

http -f PUT http://HOSTNAME:8001/vaults/my-gcp-sm-vault \
  name="gcp" \
  description="Storing secrets in GCP Secret Manager" \
  config.project_id="my_project_id"

Result:

{
    "config": {
        "project_id": "my_project_id"
    },
    "created_at": 1657874961,
    "description": "Storing secrets in GCP Secret Manager",
    "id": "90e200be-cf84-4ce9-a1d6-a41c75c79f31",
    "name": "gcp",
    "prefix": "my-gcp-sm-vault",
    "tags": null,
    "updated_at": 1657874961
}

With the Vault entity in place, you can reference the GCP secrets through it:

{vault://my-gcp-sm-vault/my-secret-name/foo}
{vault://my-gcp-sm-vault/my-secret-name/snip}

When you use the Vault entity, you no longer need to specify the GCP project ID to access the secrets.