GCP Dynamic Secrets

You can use Akeyless dynamic secrets to generate access credentials for GCP (Google Cloud Platform) based on IAM policies. To do this, configure a dynamic secret with the details Akeyless needs to authenticate to and communicate with GCP. This requires privileged account credentials.

There are two GCP dynamic secret modes:

  • Access token generation: Generate access tokens.

  • Service account key generation: Generate and revoke service account keys.

You can generate up to ten service account keys at the same time. A generated key is revoked when the TTL defined for it expires. If no TTL is defined, you need to explicitly revoke the key.

Prerequisites

To create a GCP dynamic secret, ensure that:

  • You have a GCP super-user service account to be used to generate keys and access tokens.

  • You have set the super-user service account roles to include Service Account Key Admin and Service Account Token Creator.

  • You have a key for the super-user service account and its key JSON file content at hand, so that you can do either of the following:

    • Copy the key JSON file contents into the copy buffer.

    • Paste or upload the JSON file content into the Service Account Key field. The values are hidden by default.

Create a Dynamic GCP Secret from the CLI

Tip

To set up a dynamic secret, you can either configure a connection to the target server first or provide all parameters of the target server in the secret creation command.

We recommend using dynamic secrets together with targets. It allows saving time on the secrets' configuration. To enable this flow, you must ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

To create a dynamic GCP secret from the CLI using the existing target, run the following command:

akeyless gateway-create-producer-gcp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm>

Where:

  • name: A unique name for the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: The name of the target that enables the connection to the GCP server. The name can include the path to the virtual folder where this target resides.

  • gateway-url: Akeyless Gateway URL.

  • gcp-cred-type: Credentials type. Available options are: token, key.

  • gcp-token-scopes: List of access token scopes (used when gcp-cred-type is token).

  • gcp-key-algo: Service account key algorithm, e.g. KEY_ALG_RSA_1024, KEY_ALG_RSA_2048 (used when gcp-cred-type is key).

If you don't have a configured GCP target yet, you can use the command with your GCP target server connection parameters:

akeyless gateway-create-producer-gcp \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm> \
--gcp-sa-email <GCP Service Account Email> \
--gcp-key-file-path <GCP Service Account Private Key>

Where:

  • gcp-sa-email: Super-user service account email.

  • gcp-key-file-path: Path to a file containing the Base64-encoded super-user service account private key.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.
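The following script is an added example and is not code from the Akeyless documentation or CLI. It runs the checks a practitioner would want before issuing the create command above: it confirms the super-user service account holds the two roles listed in the prerequisites, encodes the key JSON into the Base64 file that gcp-key-file-path expects, validates the gateway URL scheme, credential type and key algorithm against the values the page documents, and then prints the assembled command. Assumptions: the role IDs are the standard GCP identifiers for Service Account Key Admin and Service Account Token Creator; the key file is the whole key JSON, Base64-encoded; the IAM policy lines are in the tab-separated shape that a flattened gcloud policy listing produces; every name, URL, path and the policy itself are placeholders or constructed sample data.

```shell
#!/bin/sh
# Added example (not code from the Akeyless documentation or CLI): pre-flight
# checks for the prerequisites above, then the create command assembled with
# the flags the page documents. Assumptions: the two role IDs are the standard
# GCP IDs for "Service Account Key Admin" and "Service Account Token Creator";
# the file given to --gcp-key-file-path holds the Base64-encoded key JSON;
# every name, URL and path below is a placeholder or constructed sample data.
set -eu

ROLE_KEY_ADMIN='roles/iam.serviceAccountKeyAdmin'
ROLE_TOKEN_CREATOR='roles/iam.serviceAccountTokenCreator'
SAMPLE_SA='akeyless-dynamic@example-project.iam.gserviceaccount.com'  # placeholder

# Read "<role><TAB><member>" lines from stdin (the shape of
#   gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)"
# ) and succeed only if the service account holds both required roles.
has_required_roles() {  # $1 = service account email
  member="serviceAccount:$1"
  found_key=0
  found_token=0
  while IFS="$(printf '\t')" read -r role who; do
    [ "$who" = "$member" ] || continue
    if [ "$role" = "$ROLE_KEY_ADMIN" ]; then found_key=1; fi
    if [ "$role" = "$ROLE_TOKEN_CREATOR" ]; then found_token=1; fi
  done
  if [ "$found_key" -eq 1 ] && [ "$found_token" -eq 1 ]; then return 0; fi
  return 1
}

# Encode a service-account key JSON file into the file expected by
# --gcp-key-file-path. Refuses files that are not service_account keys, so an
# authorized_user credential cannot be uploaded by mistake, and keeps the
# output readable only by the current user.
encode_sa_key() {  # $1 = key.json  $2 = output file
  grep -q '"type": *"service_account"' "$1" || return 1
  base64 < "$1" | tr -d '\n' > "$2"
  chmod 600 "$2"
}

# Print the gateway-create-producer-gcp command for an explicitly specified
# target, after validating the values the page constrains: the gateway URL
# must use https://, the cred type is token or key, and the algorithm must be
# one of the values the console lists.
build_create_cmd() {  # $1 name $2 gateway-url $3 cred-type $4 algo $5 scopes $6 sa-email $7 key-file
  case "$2" in https://*) ;; *) echo "gateway-url must start with https://" >&2; return 1 ;; esac
  case "$3" in token|key) ;; *) echo "gcp-cred-type must be token or key" >&2; return 1 ;; esac
  case "$4" in KEY_ALG_UNSPECIFIED|KEY_ALG_RSA_1024|KEY_ALG_RSA_2048) ;;
    *) echo "unknown gcp-key-algo: $4" >&2; return 1 ;; esac
  printf "akeyless gateway-create-producer-gcp --name '%s' --gateway-url '%s' --gcp-cred-type %s --gcp-token-scopes '%s' --gcp-key-algo %s --gcp-sa-email '%s' --gcp-key-file-path '%s'\n" \
    "$1" "$2" "$3" "$5" "$4" "$6" "$7"
}

# Constructed sample IAM policy lines (not from a real project).
sample_policy() {
  printf '%s\t%s\n' \
    "$ROLE_KEY_ADMIN"     "serviceAccount:$SAMPLE_SA" \
    "$ROLE_TOKEN_CREATOR" "serviceAccount:$SAMPLE_SA" \
    'roles/viewer'        'user:auditor@example.com'
}

# Run the checks on the constructed data and print the command that would be
# executed; replace sample_policy and the key file with real inputs in use.
preflight() {
  sample_policy | has_required_roles "$SAMPLE_SA" || { echo "service account lacks a required role" >&2; return 1; }
  workdir=$(mktemp -d)
  printf '{"type": "service_account", "client_email": "%s"}\n' "$SAMPLE_SA" > "$workdir/sa-key.json"  # constructed
  encode_sa_key "$workdir/sa-key.json" "$workdir/sa-key.b64"
  build_create_cmd 'gcp/ci/sa-key' 'https://gw.example.com:8000' key KEY_ALG_RSA_2048 '' \
    "$SAMPLE_SA" "$workdir/sa-key.b64"
}

preflight
```

Running the script prints the command rather than executing it, so the output can be reviewed (in particular that the service account is the dedicated super-user account and not a broader identity) before it is pasted into a shell with the CLI configured.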

Fetch a Dynamic GCP Secret value from the CLI

To fetch a dynamic GCP secret value from the CLI, run the following command:

akeyless get-dynamic-secret-value --name <Path to your dynamic secret>

Create a Dynamic GCP Secret in the Akeyless Console

Tip

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL, which enables communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Secrets & Keys > New > Dynamic Secret.

  2. Select the GCP secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Target mode: In this section, you can either select an existing GCP Target or specify details of the target GCP server explicitly (e.g., if you are not authorized to create and access Targets in the Akeyless Console).

    • Use the Choose an existing target drop-down list to select the existing GCP Target.

    • Check the Explicitly specify target properties radio button to provide details of the target GCP server on the next step of the wizard.

Tip

We recommend using dynamic secrets together with targets. It allows saving time on the secrets' configuration. To enable this flow, you must ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

  • Access Token: Select this radio button to create a GCP access token as a dynamic secret.

  • Service Account Key: Select this radio button to create a GCP service account key as a dynamic secret.

  • Token Scopes: Provide a comma-separated list of GCP access token scopes. (If Access Token is selected.)

  • Key Algorithm: Key algorithm. Available options: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048. (If Service Account Key is selected.)

  • User TTL: Provide a time-to-live value for the dynamic secret (i.e., the token). When the TTL expires, the token becomes obsolete.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  5. If you checked the Explicitly specify target properties radio button, click Next.

  6. Provide details of the target GCP server:

  • Service Account Email: Super-user service account email.

  • Service Account Key: Base64-encoded super-user service account key.

  7. Click Finish.

Fetch a Dynamic GCP Secret Value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Secrets & Keys.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click the Get Dynamic Secret button.
