GCP Dynamic Secrets

You can use Akeyless dynamic secrets to generate programmatic access credentials for GCP (Google Cloud Platform) based on IAM policies which apply to Service Accounts. To do this, configure a dynamic secret with the details required for Akeyless to authenticate and communicate with GCP. This requires privileged account credentials.

There are two GCP dynamic secret modes:

  • Fixed Service Account

  • Dynamic Service Account

Fixed Service Accounts are existing GCP service accounts for which Akeyless generates and manages JIT tokens or keys.

Dynamic Service Accounts are generated and managed by the Akeyless Platform, and you can bind a predefined set of IAM roles to each such service account. When it receives a dynamic secret request, Akeyless generates a just-in-time key or token for this managed service account.

You can generate up to 10 service account keys at the same time. A generated key is revoked when the TTL defined for it expires. If no TTL is defined, you need to revoke the key explicitly.

Service Account role bindings define a list of resources and the IAM roles associated with each resource. To bind a set of roles to a Dynamic Service Account, you can provide them inline or as a JSON file using the following format:

{
  "/path/to/resource" : ["roles/rolename"]
}

Where path/to/resource follows the format described in the GCP Resource names guide.

For example:

{
  "projects/<Your Project name>/zones/<us-central1-a>/<resource name>": ["roles/resourcemanager.tagViewer"],
  "buckets/<Bucket Name>": ["roles/storage.objectCreator"]
}
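A pre-flight check for a role-binding file before it is passed to --role-binding, as an added example that is not Akeyless code. The function name, the sample resource names and the decision to reject basic roles are assumptions made for illustration; the check accepts only the roles/<name> form shown above.

```python
import json

# Basic GCP roles, treated here as too broad for a just-in-time service account.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


class _Pairs(list):
    """JSON object kept as (key, value) pairs so duplicate keys stay visible."""


def check_role_binding(text):
    """Return the problems found in a role-binding document (empty list = OK)."""
    try:
        doc = json.loads(text, object_pairs_hook=_Pairs)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, _Pairs) or not doc:
        return ["top level must be a non-empty object of resource -> [roles]"]
    problems, seen = [], set()
    for resource, roles in doc:
        if resource in seen:
            problems.append(f"{resource}: duplicate key, most parsers keep only the last")
        seen.add(resource)
        if "<" in resource or ">" in resource:
            problems.append(f"{resource}: placeholder not filled in")
        if type(roles) is not list or not roles:
            problems.append(f"{resource}: roles must be a non-empty list")
            continue
        for role in roles:
            # Assumption: only the "roles/<name>" form shown on the page is accepted.
            if not isinstance(role, str) or not role.startswith("roles/"):
                problems.append(f"{resource}: {role!r} is not a roles/... string")
            elif role in BROAD_ROLES:
                problems.append(f"{resource}: {role} is a basic role, bind a narrower one")
    return problems


# Constructed sample inputs (not taken from a real project).
SAMPLES = {
    "ok": '{"buckets/example-bucket": ["roles/storage.objectCreator"]}',
    "single_quotes": "{\"buckets/example-bucket\": ['roles/storage.objectCreator']}",
    "broad": '{"projects/example-project": ["roles/editor"]}',
    "placeholder": '{"buckets/<Bucket Name>": ["roles/storage.objectCreator"]}',
    "duplicate": '{"buckets/b": ["roles/storage.objectViewer"], "buckets/b": ["roles/storage.objectCreator"]}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_role_binding(text))
```
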

Prerequisites

Create a Dynamic GCP Secret from the CLI

Note

We recommend using dynamic secrets with Targets. A target saves time across multiple secret-level configurations because you do not have to provide an inline connection string each time, and it also matters for security: with a target you can rotate credentials without breaking the credential chain for the objects connected to that server, whereas inline connection strings force you to change the credentials in each individual item instead of just the target.

To create a dynamic GCP secret from the CLI using an existing GCP Target, run one of the following commands:

# Fixed Service Account
akeyless dynamic-secret create gcp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gcp-sa-email <service account email> \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm>

# Dynamic Service Account
akeyless dynamic-secret create gcp \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--service-account-type dynamic \
--role-binding <Path to JSON roles file> \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm>

Or using an inline connection string:

akeyless dynamic-secret create gcp \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--gcp-sa-email <service account email> \
--gcp-cred-type <token|key> \
--gcp-token-scopes <Token Scopes> \
--gcp-key-algo <Service Key Algorithm> \
--gcp-sa-email <GCP Service Account Email> \
--gcp-key-file-path <GCP Service Account Private Key>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the GCP server. The name can include the path to the virtual folder where this target resides.

  • gateway-url: Akeyless Gateway Configuration Manager URL (port 8000).

  • service-account-type: Fixed or Dynamic type. Set to Fixed by default.

  • role-binding: A path to a JSON file that holds the relevant resource with roles to bind for the created Service Account. Relevant only for Dynamic type.

  • gcp-sa-email: The email of the Service Account to create JIT keys/tokens for. Relevant only for Fixed Service Account.

  • gcp-cred-type: Credentials type. Available options are: token, key.

  • gcp-token-scopes: Access token scopes list.

  • gcp-key-algo: Service account key algorithm, e.g. KEY_ALG_RSA_1024, KEY_ALG_RSA_2048.

Inline connection strings

If you don't have a configured GCP Target yet, you can use the command with your GCP connection strings:

  • gcp-sa-email: privileged service account email.

  • gcp-key-file-path: Path to file with the Base64-encoded privileged service account private key.

You can find the complete list of parameters for this command in the CLI Reference - Dynamic Secrets section.

Fetch a Dynamic GCP Secret value from the CLI

To fetch a dynamic GCP secret value from the CLI, run the following command:

akeyless dynamic-secret get-value --name <Path to your dynamic secret>

Create a Dynamic GCP Secret in the Akeyless Console

Note

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL, which enables communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Items > New > Dynamic Secret.

  2. Select the GCP secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Delete Protection: When enabled, protects the secret from accidental deletion.

  • Target mode: In this section, you can either select an existing GCP Target or specify details of the GCP target explicitly.

    • Use the Choose an existing target drop-down list to select the existing GCP Target.

    • Check the Explicitly specify target properties to provide details of the GCP target in the next step.

  • Fixed: A fixed Service Account, with the Service Account Email to create JIT keys/tokens for.

  • Dynamic: A Dynamic Service Account with Role Binding to attach an IAM policy and roles for the created Service Account.

  • Access Token: Select this radio button to create a GCP access token as a dynamic secret.

  • Service Account Key: Select this radio button to create a GCP service account key as a dynamic secret.

  • Token Scopes: Provide a comma-separated list of GCP access token scopes. (If Access Token is selected.)

  • Key Algorithm: Key algorithm. Available options: KEY_ALG_UNSPECIFIED, KEY_ALG_RSA_1024, KEY_ALG_RSA_2048. (If Service Account Key is selected.)

  • User TTL: Provide a time-to-live value for a dynamic secret (i.e., a token). When TTL expires, the token becomes obsolete.

  • Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge.

  5. If you checked the Explicitly specify target properties radio button, click Next.

  6. Provide the connection string to your GCP:

  • Service Account Email: privileged service account email.

  • Service Account Key: Base64-encoded privileged service account key.

  7. Click Finish.

Fetch a Dynamic GCP Secret Value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Items.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click the Get Dynamic Secret button.