
GCP Dynamic Secrets

You can use Akeyless dynamic secrets to generate access credentials for GCP (Google Cloud Platform) based on IAM policies. To do this, configure a dynamic secret with the details Akeyless needs to authenticate to GCP and call its IAM APIs on your behalf. This requires the credentials of a privileged ("super-user") service account, so keep that account scoped to the two roles listed under Prerequisites: its key can create keys and tokens for every service account it is allowed to act on.

There are two GCP dynamic secret modes:

  • Access token generation: generate short-lived OAuth 2.0 access tokens for the requested scopes.

  • Service account key generation: generate service account keys and revoke them when they are no longer needed.

Up to ten generated service account keys can exist at the same time (GCP's limit on user-managed keys per service account). A generated key is revoked automatically when the TTL defined for it expires. If no TTL is defined, the key lives until you revoke it explicitly, so set a TTL unless you have a process that revokes keys.

Prerequisites

To create a GCP dynamic secret, ensure that:

  • You have administrator access to the Akeyless Gateway.

  • You have a GCP super-user service account that Akeyless will use to generate keys and access tokens.

  • The super-user service account has the Service Account Key Admin (roles/iam.serviceAccountKeyAdmin) and Service Account Token Creator (roles/iam.serviceAccountTokenCreator) roles. These two roles are sufficient for the producer; do not grant it broader roles.

  • You have created a key for the super-user service account and the key JSON is available in one of the following ways:

    • The contents of the key JSON file are in your copy buffer, ready to paste into the producer.

    • The key JSON file is stored at /path/to/file and the environment variable GOOGLE_APPLICATION_CREDENTIALS is set to /path/to/file.

Treat this key JSON as a highly privileged credential: with the roles above, whoever holds it can create keys and tokens for the service accounts the super-user can act on.

Producer UI

  1. Open the Akeyless Gateway and log in with your Gateway credentials.

  2. In the left navigation panel, go to Dynamic Secrets and select New => GCP Producer.

  3. The Create a new GCP Producer window opens.

GCP Producer Screen

Go to Dynamic Secrets, click New, and choose Cloud Producer.

In Cloud Type choose GCP Producer, then choose whether this producer generates Access Tokens or a Service Account Key.

Service Account Key GCP Producer screen:

Access Token GCP Producer screen:

Usage

Producer fields. Each entry gives the description, the default where one exists, and a comment on when the field is required; the CLI flag that sets the field is in parentheses.

COMMON: used for both the token producer and the key producer.

Name (--name)
    A unique name that describes the purpose or permission scope of this producer.
    Comment: required.

Super-user service account email (--gcp-sa-email)
    The email address of the super-user service account.
    Comment: required.

Super-user service account key (--gcp-key)
    The super-user service account key JSON, Base64-encoded.
    Comment: either gcp-key or gcp-key-file-path is required; supply the value through one of them, not both.

Super-user service account key filepath (--gcp-key-file-path)
    Location of the super-user service account key file; its contents are loaded as gcp-key.
    Comment: either gcp-key or gcp-key-file-path is required; supply the value through one of them, not both.

TTL (--user-ttl)
    TTL of each generated key or access token.
    Default: 60m
    Comment: an access token TTL cannot exceed 60m. For a key producer, the TTL is what causes generated keys to be revoked automatically.

Producer encryption key (--producer-encryption-key-name)
    A key used to encrypt the producer.

Scopes (--gcp-token-scopes)
    A comma-separated list of GCP access token scopes (see Google's list of available OAuth 2.0 scopes).
    Comment: required for the access token producer.

Key algorithm (--gcp-key-algo)
    Algorithm of the generated key. Examples: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048. Prefer KEY_ALG_RSA_2048; 1024-bit RSA is no longer considered adequate.
    Comment: required for the service account key producer.

CLI

The akeyless gateway-create-producer-gcp command creates a GCP producer from the CLI.

Options:

  -u, --gateway-url[=http://localhost:8000]   Akeyless Gateway URL (Configuration Management port)
  -n, --name                                 *Producer name
      --gcp-sa-email                         *GCP service account email
      --gcp-cred-type[=token]                *Credentials type, options are [token, key]
      --gcp-key-file-path                     Path to file with the Base64-encoded service account private key
      --gcp-key                               Base64-encoded service account private key text
      --gcp-token-scopes                      Access token scopes list, e.g. scope1,scope2
      --gcp-key-algo                          Service account key algorithm, e.g. KEY_ALG_RSA_1024
      --user-ttl[=60m]                        User TTL (<=60m for access token)
      --producer-encryption-key-name          Dynamic producer encryption key
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Required only when the authentication process requires a username and password
      --password                              Required only when the authentication process requires a username and password
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

Create a GCP access token producer (scopes are a comma-separated list; the key material comes from --gcp-key or --gcp-key-file-path):
akeyless-cli gateway-create-producer-gcp --name gcp-token-producer --gcp-sa-email [email protected] --gcp-cred-type token --gcp-token-scopes scope1,scope2

Create a GCP service account key producer:
akeyless-cli gateway-create-producer-gcp --name gcp-key-producer --gcp-sa-email [email protected] --gcp-cred-type key --gcp-key-algo KEY_ALG_RSA_2048
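A pre-flight script for the producer fields in the Usage table and the CLI flags above, added here as an example; it is not Akeyless code and does not call the Akeyless CLI. It loads the super-user key JSON from a path or from GOOGLE_APPLICATION_CREDENTIALS, checks that the file really is a service account key, Base64-encodes it in the form --gcp-key expects, applies the documented constraints (scopes and the 60m TTL cap for a token producer, a key algorithm for a key producer) and assembles the argv for gateway-create-producer-gcp. The helper names, the sample key file (project example-project, account akeyless-producer@...) and the rule that refuses KEY_ALG_RSA_1024 are this example's own; the sample key is constructed and contains no real key material.

```python
import base64
import json
import os
import re
import tempfile
from typing import Dict, List, Optional, Sequence

# Values documented on this page: the --gcp-key-algo options and the 60m TTL cap for tokens.
KEY_ALGORITHMS = {"KEY_ALG_UNSPECIFIED", "KEY_ALG_RSA_1024", "KEY_ALG_RSA_2048"}
TOKEN_TTL_CAP_SECONDS = 60 * 60
_TTL_RE = re.compile(r"^(\d+)([smh])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}

# Constructed sample of a service account key file; the private key is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "[email protected]",
}

def write_sample_key() -> str:
    """Write SAMPLE_KEY to a temp file and return its path (stands in for /path/to/file)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_KEY, fh)
    return path

def ttl_seconds(ttl: str) -> int:
    """Parse a TTL such as '30m', '1h' or '90s' into seconds."""
    m = _TTL_RE.match(ttl)
    if not m:
        raise ValueError(f"unsupported TTL format: {ttl!r} (use e.g. 45m or 1h)")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]

def load_key(path: Optional[str] = None) -> Dict[str, str]:
    """Load the super-user key JSON from `path`, else from GOOGLE_APPLICATION_CREDENTIALS."""
    path = path or os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        raise ValueError("no key path given and GOOGLE_APPLICATION_CREDENTIALS is unset")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    # A user credential file has no client_email/private_key; the producer cannot use it.
    missing = {"type", "project_id", "client_email", "private_key"} - set(key)
    if missing or key.get("type") != "service_account":
        raise ValueError(f"not a service account key JSON (missing fields: {sorted(missing)})")
    return key

def encode_key(key: Dict[str, str]) -> str:
    """Base64 of the key JSON on a single line, the form --gcp-key expects."""
    return base64.b64encode(json.dumps(key).encode("utf-8")).decode("ascii")

def decode_key(encoded: str) -> Dict[str, str]:
    """Inverse of encode_key, to verify what was pasted into the producer."""
    return json.loads(base64.b64decode(encoded))

def check_config(cred_type: str, ttl: str, scopes: Sequence[str] = (),
                 key_algo: Optional[str] = None) -> List[str]:
    """Return the reasons this producer configuration would be rejected (empty if OK)."""
    if cred_type not in ("token", "key"):
        return [f"unknown --gcp-cred-type {cred_type!r}; use token or key"]
    try:
        seconds = ttl_seconds(ttl)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if cred_type == "token":
        if not scopes:
            problems.append("access token producer requires --gcp-token-scopes")
        if seconds > TOKEN_TTL_CAP_SECONDS:
            problems.append(f"access token TTL {ttl} exceeds the 60m cap")
    elif key_algo not in KEY_ALGORITHMS:
        problems.append("service account key producer requires --gcp-key-algo, one of "
                        + ", ".join(sorted(KEY_ALGORITHMS)))
    elif key_algo == "KEY_ALG_RSA_1024":
        # This example's own rule: 1024-bit RSA is below current minimums, so refuse it.
        problems.append("KEY_ALG_RSA_1024 is weak; prefer KEY_ALG_RSA_2048")
    return problems

def build_command(name: str, key: Dict[str, str], cred_type: str, ttl: str = "60m",
                  scopes: Sequence[str] = (), key_algo: Optional[str] = None) -> List[str]:
    """Assemble the CLI argv; --gcp-sa-email comes from the key so the two cannot disagree."""
    problems = check_config(cred_type, ttl, scopes, key_algo)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["akeyless", "gateway-create-producer-gcp", "--name", name,
            "--gcp-sa-email", key["client_email"], "--gcp-cred-type", cred_type,
            "--gcp-key", encode_key(key), "--user-ttl", ttl]
    if cred_type == "token":
        argv += ["--gcp-token-scopes", ",".join(scopes)]
    else:
        argv += ["--gcp-key-algo", key_algo]
    return argv

if __name__ == "__main__":
    key = load_key(write_sample_key())
    argv = build_command("gcp-token-producer", key, "token", ttl="30m",
                         scopes=["https://www.googleapis.com/auth/cloud-platform"])
    argv[argv.index("--gcp-key") + 1] = "<redacted>"  # never print the super-user key
    print(" ".join(argv))
```

Run directly, the script prints the assembled command with the key redacted. If you hand the argv to the real CLI, pass it to subprocess.run as a list rather than a shell string; even so, the Base64 key is then visible in the process list, which is the reason --gcp-key-file-path exists: prefer it on shared hosts so the key never appears on a command line.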
