Use this provider when you want secret storage in Google Cloud.

Environment Variables

| Variable | Required | Notes |
| --- | --- | --- |
| SECRETS_MANAGER_TYPE | Yes | Set to gcp_secret_manager. |
| SECRETS_MANAGER_GCP_PROJECT_ID | Yes | GCP project that owns the secrets. |
| SECRETS_MANAGER_GCP_CREDENTIALS_JSON | Optional | Raw JSON service account key. |
| SECRETS_MANAGER_GCP_CREDENTIALS_FILE | Optional | Path to service account JSON file. |

Authentication behavior:
  • If SECRETS_MANAGER_GCP_CREDENTIALS_JSON is set, it is used.
  • Else if SECRETS_MANAGER_GCP_CREDENTIALS_FILE is set, it is used.
  • Otherwise, default Google credentials are used.
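
A preflight check for the resolution order above, as an added example that is not wonderful-secrets code: it reports which credential source the documented order selects and flags a shadowed FILE setting, a key file readable by group or other, and a key whose project_id differs from the configured project. The function names, warning texts, the treatment of empty values as unset, and the constructed sample key are assumptions.

```python
import json
import os
import stat

P = "SECRETS_MANAGER_GCP_"
# Constructed sample key: only the fields this check reads, no real key material.
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "demo-project"})

def _parse(text, warnings):
    """Parse key JSON; record a warning and return None when it is unusable."""
    try:
        key = json.loads(text)
    except ValueError:
        key = None
    if not isinstance(key, dict):
        warnings.append("credentials are not a JSON object")
        return None
    return key

def _load_file(path, warnings):
    """Read a key file and flag permissions wider than owner-only."""
    try:
        mode = os.stat(path).st_mode
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError as exc:
        warnings.append(f"cannot read key file: {exc.strerror}")
        return None
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        warnings.append("key file is accessible to group/other; chmod 600 it")
    return _parse(text, warnings)

def resolve_credentials(env):
    """Return (source, warnings) using the documented order: JSON, FILE, default."""
    warnings = []
    project = env.get(P + "PROJECT_ID")
    raw = env.get(P + "CREDENTIALS_JSON")  # assumption: an empty value counts as unset
    path = env.get(P + "CREDENTIALS_FILE")
    if not project:
        warnings.append(P + "PROJECT_ID is required but not set")
    if raw and path:
        warnings.append("JSON and FILE are both set; FILE is ignored")
    if not raw and not path:
        return "default", warnings
    key = _parse(raw, warnings) if raw else _load_file(path, warnings)
    if key is not None and key.get("type") != "service_account":
        warnings.append("key is not of type service_account")
    if key is not None and project and key.get("project_id") not in (None, project):
        warnings.append("key project_id differs from " + P + "PROJECT_ID")
    return ("json" if raw else "file"), warnings

if __name__ == "__main__":
    print(resolve_credentials({P + "PROJECT_ID": "demo-project", P + "CREDENTIALS_JSON": SAMPLE_KEY}))
```

A service account in one project can legitimately hold access to secrets in another, so treat the project_id warning as a prompt to confirm the key is the intended one.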

Create GCP Resources and Credentials

  1. Select or create a GCP project.
  2. Enable Secret Manager API:
    • Google Cloud Console -> APIs & Services -> Library -> Secret Manager API -> Enable.
  3. Create a service account:
    • IAM & Admin -> Service Accounts -> Create service account.
  4. Grant permissions:
    • For quick setup: roles/secretmanager.admin.
    • For least privilege: allow only the access, create, version-add, and delete secret operations.
  5. Create a service account key:
    • Service account -> Keys -> Add key -> Create new key -> JSON.
    • Download the JSON key file.

Map Credentials to Env Vars

| GCP value | Env var |
| --- | --- |
| Project ID | SECRETS_MANAGER_GCP_PROJECT_ID |
| JSON key file path | SECRETS_MANAGER_GCP_CREDENTIALS_FILE |
| JSON key content | SECRETS_MANAGER_GCP_CREDENTIALS_JSON |

Set either SECRETS_MANAGER_GCP_CREDENTIALS_FILE or SECRETS_MANAGER_GCP_CREDENTIALS_JSON.

Local Switch Example

# env_files/secrets.env
SECRETS_MANAGER_TYPE=gcp_secret_manager
SECRETS_MANAGER_GCP_PROJECT_ID=<project-id>
SECRETS_MANAGER_GCP_CREDENTIALS_FILE=/path/to/service-account.json

Restart wonderful-secrets after changing these values.

What to Verify

  1. Run the smoke test from Secret Managers.
  2. Confirm secrets appear in Google Secret Manager under the configured project.