GKE Dynamic Secrets

You can create a Google Kubernetes Engine (GKE) dynamic secret producer to allow users to dynamically receive access tokens to a GKE cluster.


Your GCP admin needs to create a service account that carries the permissions users should receive. Every connection authenticates as that service account, using an access token that expires 60 minutes after it is issued.

Create a GKE Dynamic Secret Producer

  1. In the Akeyless Gateway, select Dynamic Secrets > New > Kubernetes Producer.

  2. Give the producer a name, and define where it should be saved.

  3. From the Kubernetes Engine dropdown list, select Google Kubernetes Engine (GKE).

  4. Define the following parameters:

    • GKE Cluster Name (optional): The GKE cluster name. If no value is configured, this defaults to gks-cluster-< service account name >.
    • GKE Cluster CA Certificate: A base64-encoded representation of the cluster CA certificate.
    • GKE Cluster URL Endpoint: The URL of the cluster.
    • GKE Service Account Email: The email of the service account (the client_email value from its key file).
    • GKE Service Account Key: The RSA private key generated for this service account. This must be a proper PEM-encoded PKCS1 or PKCS8 private key. The input string must contain actual new lines instead of \n characters.

For guidelines on how to get the GKE service account name and key you need to set up a GKE dynamic secret producer, see here. If you follow this guide, run:

# To get the GKE Service Account Name:
cat ~/gsa-key.json | jq -re .client_email

# To get the GKE Service Account Key:
cat ~/gsa-key.json | jq -re .private_key

Then copy the values to the GKE Producer settings. You can find the rest of the values for the GKE Producer settings in your kubeconfig file or from the GCP console.
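The two jq commands above are enough, but the key field is where people get stuck: the JSON file stores the PEM with \n escape sequences, and a value copied out of the file with anything other than jq -r arrives with literal backslash-n pairs that the producer rejects. The following is an added example, not code from the Akeyless documentation: it reads the contents of a service-account key file, pulls out client_email and private_key, converts any literal backslash-n sequences into real line breaks, and confirms the result is a single PKCS1 or PKCS8 PEM block before you paste it into the producer. The key-file contents, email address and key body are constructed placeholders, not real key material.

```python
import base64
import json
import re

# Constructed sample of the JSON key file GCP issues for a service account
# (the shape of the ~/gsa-key.json the page reads with jq). The key body is
# placeholder bytes, not a real key.
SAMPLE_KEY_BODY = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_GSA_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "gke-user@example-project.iam.gserviceaccount.com",
    "private_key": f"-----BEGIN PRIVATE KEY-----\n{SAMPLE_KEY_BODY}\n-----END PRIVATE KEY-----\n",
})

# PEM labels the producer accepts: PKCS1 ("RSA PRIVATE KEY") or PKCS8 ("PRIVATE KEY").
PEM_LABELS = {"RSA PRIVATE KEY": "PKCS1", "PRIVATE KEY": "PKCS8"}
PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>[A-Za-z0-9+/=\n]+?)\n-----END (?P=label)-----\n?$"
)


def normalize_pem(key: str) -> str:
    """Turn a key copied with literal backslash-n pairs into real line breaks.

    json.loads already decodes the escapes inside the key file, but a value pasted
    straight out of the file, or printed by jq without -r, still carries the
    two-character sequence backslash + n, which the producer rejects.
    """
    return key.replace("\\n", "\n").strip() + "\n"


def pem_key_format(pem: str) -> str:
    """Return "PKCS1" or "PKCS8" for a well-formed PEM private key, else raise ValueError."""
    if "\\n" in pem:
        raise ValueError("key contains literal \\n sequences; use real newlines")
    m = PEM_RE.match(pem)
    if m is None:
        raise ValueError("not a single PEM block with matching BEGIN/END lines")
    label = m.group("label")
    if label not in PEM_LABELS:
        raise ValueError(f"unsupported PEM label {label!r}; need an RSA private key")
    try:
        base64.b64decode(m.group("body").replace("\n", ""), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("PEM body is not valid base64") from exc
    return PEM_LABELS[label]


def producer_params(key_json: str) -> dict:
    """Extract the two producer fields from the contents of a service-account key file."""
    data = json.loads(key_json)
    pem = normalize_pem(data["private_key"])
    return {
        "gke_service_account_email": data["client_email"],
        "gke_service_account_key": pem,
        "key_format": pem_key_format(pem),
    }


if __name__ == "__main__":
    params = producer_params(SAMPLE_GSA_KEY_JSON)
    print(params["gke_service_account_email"], params["key_format"])
```

Run it against a real key file with `producer_params(open("~/gsa-key.json").read())` (expanding the path first); a ValueError from pem_key_format means the value you were about to paste would have been rejected by the producer.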

Use a GKE Dynamic Secret with Akeyless CLI

The user needs kubectl installed locally on their machine. The Akeyless CLI is optional but preferable.

The user needs to either download the kubeconfig file directly from the Akeyless Console by selecting the Dynamic Secret item and copying the file from the Dynamic Secret Description, or generate the file manually as follows:

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <base 64 encoding of the cluster's certificate>
    server: <cluster DNS/IP address>
  name: <cluster name>
contexts:
- context:
    cluster: <cluster name>
    user: <some user name>
  name: <cluster context name>
current-context: <cluster context name>
preferences: {}
users:
- name: <some user name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: /usr/local/bin/akeyless
      args:
        - get-dynamic-secret-value
        - --name
        - <dynamic secret item name>
        - --profile
        - <some profile>

For every new GKE cluster, the user needs to add matching cluster, context and user entries to the kubeconfig file.

When the user runs kubectl ..., kubectl invokes the configured exec command, and the Akeyless get-dynamic-secret-value command fetches a fresh access token for that call; no token is stored in the file.

For more general information regarding kubectl and the kubeconfig file, see here.

Use a GKE Dynamic Secret without Akeyless CLI

The user needs to generate the kubeconfig file manually as described above, with the following change:

- name: <some user name>
  user:
    token: < Dynamic Secret Value response goes here >

The user can get the dynamic secret value from the Akeyless Console by selecting the Dynamic Secret item and clicking Get Dynamic Secret. They will need to replace < Dynamic Secret Value response goes here > with the response token exactly as they received it. Because that token is written in clear text into the file, protect the kubeconfig like any other credential; it expires 60 minutes after it was issued, after which the user must fetch a new value and update the file.
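Both flows above differ only in the users entry of the same kubeconfig. The following is an added example, not code from the Akeyless documentation or CLI: it assembles that kubeconfig in Python for either the exec-plugin (CLI) user or the static-token (no-CLI) user, rejects a non-https endpoint and a CA that was pasted as raw PEM instead of base64, and writes the file with mode 0600 because the static-token variant is a credential. It emits JSON, which kubectl accepts because kubeconfig is parsed as YAML and every JSON document is valid YAML. The cluster name, endpoint, CA body, dynamic secret item name and profile are constructed placeholders.

```python
import base64
import json
import os
import stat
import tempfile

# Constructed sample values standing in for the <...> placeholders above.
# The CA body is valid base64 of placeholder bytes, not a real certificate.
SAMPLE_CLUSTER = "gke-prod"
SAMPLE_SERVER = "https://203.0.113.10"
SAMPLE_CA_B64 = base64.b64encode(b"constructed placeholder, not a real CA cert").decode()
SAMPLE_SECRET_ITEM = "/gke/prod-token"   # hypothetical dynamic secret item name
SAMPLE_PROFILE = "default"               # hypothetical Akeyless CLI profile name


def akeyless_exec_user(secret_item: str, profile: str,
                       command: str = "/usr/local/bin/akeyless") -> dict:
    """User entry for the CLI flow: kubectl runs the Akeyless CLI as a credential
    plugin on every invocation, so no token is ever written to the file."""
    return {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": command,
        "args": ["get-dynamic-secret-value", "--name", secret_item, "--profile", profile],
    }}


def static_token_user(token: str) -> dict:
    """User entry for the no-CLI flow: the console response is pasted in as-is and
    stops working once the producer's 60-minute token lifetime has elapsed."""
    if not token or token.strip() != token:
        raise ValueError("token must be the response exactly as received, with no surrounding whitespace")
    return {"token": token}


def build_kubeconfig(cluster: str, server: str, ca_b64: str,
                     user_name: str, user_entry: dict) -> dict:
    """Assemble a single-cluster kubeconfig with one context selecting user_entry."""
    if not server.startswith("https://"):
        raise ValueError("GKE endpoint must be https://, never plain http")
    base64.b64decode(ca_b64, validate=True)   # raw PEM ("-----BEGIN") fails here
    context = f"{user_name}@{cluster}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster,
                      "cluster": {"server": server, "certificate-authority-data": ca_b64}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user_name}}],
        "current-context": context,
        "preferences": {},
        "users": [{"name": user_name, "user": user_entry}],
    }


def write_kubeconfig(cfg: dict, path=None) -> str:
    """Write the config with mode 0600 from creation onward; a kubeconfig that
    carries a static token must never be group- or world-readable."""
    if path is None:
        fd, path = tempfile.mkstemp(prefix="kubeconfig-", suffix=".json")
        os.close(fd)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, 0o600)   # O_CREAT's mode is umask-masked and ignored for existing files
    return path


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def load_kubeconfig(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    cfg = build_kubeconfig(SAMPLE_CLUSTER, SAMPLE_SERVER, SAMPLE_CA_B64, "akeyless-user",
                           akeyless_exec_user(SAMPLE_SECRET_ITEM, SAMPLE_PROFILE))
    print(json.dumps(cfg, indent=2))
    print("written to", write_kubeconfig(cfg))
```

Point kubectl at the result with `KUBECONFIG=<path> kubectl get nodes`; for the static-token variant, regenerate the file with a fresh console value once the token expires.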
