GCP Secrets Manager
The current version of Kong Gateway’s implementation supports
GCP Secrets Manager in two
- Environment variables
- Workload Identity
To configure GCP Secrets Manager, the
environment variable must be set to the JSON document referring to the
credentials for your service account:
export GCP_SERVICE_ACCOUNT=$(cat gcp-my-project-c61f2411f321.json)
Kong Gateway uses the key to automatically authenticate
with the GCP API and grant you access.
To use GCP Secrets Manager with
on a GKE cluster, update your pod spec so that the service account is
attached to the pod. For configuration information, read the Workload
With Workload Identity, setting the
GCP_SERVICE_ACCOUNT isn’t necessary.
To use a GCP Secret Manager
with the name
my-secret-name, create a JSON object in GCP that
contains one or more properties:
You can now reference the secret’s individual resources like this:
Note that both the provider (
gcp) as well as the GCP project ID
my_project_id) need to be specified.
Once the database is initialized, a Vault entity can be created
that encapsulates the provider and the GCP project ID:
API Endpoint update
If you’re using 2.8.2 or below, or have not set
kong.conf you will need to replace
/vaults-beta/ in the examples below.
"description": "Storing secrets in GCP Secrets Manager",
With the Vault entity in place, you can reference the GCP secrets
When you use the Vault entity, you no longer need to specify the GCP project ID to access the secrets.