GCP Dynamic Secrets

You can use Akeyless dynamic secrets to generate access credentials for GCP (Google Cloud Platform) based on IAM policies. To do this, configure a dynamic secret with the details Akeyless needs to authenticate and communicate with GCP. This requires privileged account credentials.

There are two GCP dynamic secret modes:

  • Access token generation: generate short-lived access tokens.

  • Service account key generation: generate and revoke service account keys.

You can generate up to ten service account keys at the same time. A generated key is revoked when the TTL defined for it expires. If no TTL is defined, you need to explicitly revoke the key.


To create a GCP dynamic secret, ensure that:

  • You have administrator access to the Akeyless Gateway.

  • You have a GCP super-user service account to be used to generate keys and access tokens.

  • You have set the super-user service account roles to include Service Account Key Admin and Service Account Token Creator.

  • You have a key for the super-user service account, and the generated key JSON is available in one of the following ways:

    • Copy the key JSON file contents into the copy buffer.

    • Paste or upload the JSON file content into the Service Account Key field. The values are hidden by default.

Producer UI

  1. Open Akeyless Gateway and log in using your Gateway credentials.

  2. Navigate to Dynamic Secrets from the left navigation panel and select New => GCP Producer.

  3. The Create a new GCP Producer window pops up.

GCP Producer Screen

Go to Dynamic Secrets, click New, choose Cloud Producer.

In Cloud Type choose GCP Producer. Choose the GCP producer to generate either Access Tokens or Service Account Key.

Service Account Key GCP Producer screen:

Access Token GCP Producer screen:

GCP Producer parameters

Name
  Enter a unique name that describes the purpose or permissions scope of this producer. Required parameter; used for both the token producer and the key producer.

Super-user service account email
  Email address of the super-user service account.

Super-user service account key
  Super-user service account key JSON, encoded with Base64. Either gcp-key or gcp-key-file-path is required; choose to supply the value either from gcp-key or from gcp-key-file-path.

Super-user service account key filepath
  Super-user service account key file location. The file contents are loaded as gcp-key. Either gcp-key or gcp-key-file-path is required; choose to supply the value either from gcp-key or from gcp-key-file-path.

Key/access token TTL
  TTL of the generated service account key or access token.

Producer encryption key
  A key to encrypt the producer with.

Access token scopes
  A comma-separated list of GCP access token scopes (see the list of available scopes). Required for the access token producer.

Key algorithm
  Generated key algorithm. Required for the Service Account Key producer.



The akeyless gateway-create-producer-gcp command creates a GCP producer from the command line.


  -u, --gateway-url[=http://localhost:8000]   Akeyless Gateway URL (Configuration Management port)
  -n, --name                                 *Producer name
      --gcp-sa-email                         *GCP service account email
      --gcp-cred-type[=token]                *Credentials type, options are [token, key]
      --gcp-key-file-path                     Path to file with the Base64-encoded service account private key
      --gcp-key                               Base64-encoded service account private key text
      --gcp-token-scopes                      Access token scopes list, e.g. scope1,scope2
      --gcp-key-algo                          Service account key algorithm, e.g. KEY_ALG_RSA_1024
      --user-ttl[=60m]                        User TTL (<=60m for access token)
      --producer-encryption-key-name          Dynamic producer encryption key
      --profile                               Use a specific profile from your akeyless/profiles/ folder
      --username                              Required only when the authentication process requires a username and password
      --password                              Required only when the authentication process requires a username and password
      --uid-token                             The universal identity token, Required only for universal_identity authentication
  -h, --help                                  display help information
      --json[=false]                          Set output format to JSON
      --no-creds-cleanup[=false]              Do not clean local temporary expired creds

Create a GCP access token producer:
akeyless-cli gateway-create-producer-gcp --gcp-sa-email [email protected] --gcp-cred-type token --gcp-token-scopes

Create a GCP service account key producer:
akeyless-cli gateway-create-producer-gcp --gcp-sa-email [email protected] --gcp-cred-type key --name gcp-key-producer
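The following Python helper is an added example, not Akeyless code: it builds the argument list for the gateway-create-producer-gcp command above and enforces the constraints stated in the help text and parameter table (one of gcp-key or gcp-key-file-path, scopes and a TTL of at most 60m for a token producer, a key algorithm for a key producer, and the service account key JSON Base64-encoded before it is passed as --gcp-key). The service account email, key JSON and scope are constructed sample values; the function names and the assumption that TTLs use s/m/h suffixes are the example's own.

```python
import base64
import json
import re
from typing import List, Optional

# Constraints taken from the gateway-create-producer-gcp help text above.
CRED_TYPES = ("token", "key")   # --gcp-cred-type options
MAX_TOKEN_TTL_MINUTES = 60      # "User TTL (<=60m for access token)"
DEFAULT_USER_TTL = "60m"        # --user-ttl default

# Constructed sample key JSON (not a real key); the private key is a placeholder.
SAMPLE_SA_EMAIL = "producer-sa@example-project.iam.gserviceaccount.com"
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": SAMPLE_SA_EMAIL,
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

_TTL_RE = re.compile(r"^(\d+)([smh])$")  # assumed s/m/h suffixes; the page shows only 'm'

def ttl_to_minutes(ttl: str) -> float:
    """Parse a TTL such as '30m', '1h' or '90s' into minutes."""
    match = _TTL_RE.match(ttl)
    if not match:
        raise ValueError(f"unsupported TTL format: {ttl!r}")
    value, unit = int(match.group(1)), match.group(2)
    return {"s": value / 60, "m": float(value), "h": value * 60.0}[unit]

def encode_service_account_key(key_json: str) -> str:
    """Check the text is a service account key and return it Base64-encoded (the --gcp-key form)."""
    data = json.loads(key_json)
    if data.get("type") != "service_account":
        raise ValueError("key JSON is not a service_account key")
    for field in ("client_email", "private_key"):
        if not data.get(field):
            raise ValueError(f"key JSON is missing {field}")
    return base64.b64encode(key_json.encode("utf-8")).decode("ascii")

def build_create_producer_args(name: str, sa_email: str, cred_type: str, *,
                               key_json: Optional[str] = None,
                               key_file_path: Optional[str] = None,
                               token_scopes: Optional[List[str]] = None,
                               key_algo: Optional[str] = None,
                               user_ttl: str = DEFAULT_USER_TTL,
                               encryption_key_name: Optional[str] = None) -> List[str]:
    """Return the argument list for `akeyless gateway-create-producer-gcp`,
    refusing combinations the help text marks as invalid."""
    if cred_type not in CRED_TYPES:
        raise ValueError(f"--gcp-cred-type must be one of {CRED_TYPES}")
    if (key_json is None) == (key_file_path is None):
        raise ValueError("exactly one of --gcp-key / --gcp-key-file-path is required")
    args = ["gateway-create-producer-gcp", "--name", name, "--gcp-sa-email", sa_email,
            "--gcp-cred-type", cred_type, "--user-ttl", user_ttl]
    if cred_type == "token":
        if not token_scopes:
            raise ValueError("--gcp-token-scopes is required for an access token producer")
        if ttl_to_minutes(user_ttl) > MAX_TOKEN_TTL_MINUTES:
            raise ValueError("access token TTL must be <= 60m")
        args += ["--gcp-token-scopes", ",".join(token_scopes)]
    else:
        if not key_algo:
            raise ValueError("--gcp-key-algo is required for a service account key producer")
        args += ["--gcp-key-algo", key_algo]
    if key_json is not None:
        args += ["--gcp-key", encode_service_account_key(key_json)]
    else:
        # Per the help text the file already holds the Base64-encoded key; the CLI reads it.
        args += ["--gcp-key-file-path", key_file_path]
    if encryption_key_name:
        args += ["--producer-encryption-key-name", encryption_key_name]
    return args

def check_producer_request(**kwargs) -> Optional[str]:
    """Return the validation error for a request, or None if it is well-formed."""
    try:
        build_create_producer_args(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    cmd = build_create_producer_args(
        "gcp-token-producer", SAMPLE_SA_EMAIL, "token", key_json=SAMPLE_KEY_JSON,
        token_scopes=["https://www.googleapis.com/auth/cloud-platform"], user_ttl="30m")
    # The Base64 key is long, so it is shortened for display only.
    print("akeyless " + " ".join(a if len(a) < 60 else a[:20] + "..." for a in cmd))
```

Running the module prints the token-producer command with the encoded key abbreviated; in practice the returned list is passed to the CLI as-is. Keeping the Base64 key as an argument value rather than echoing it into a shell history is the reason the helper returns a list instead of a formatted string.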
