GKE Dynamic Secrets

You can create a dynamic Google Kubernetes Engine (GKE) secret to allow users receive dynamically access tokens to a GKE cluster.


To use a dynamic GKE secret, your GCP administrator needs to create a service account with the permissions that should be given to users. The service account itself will serve as the user for each individual connection, with access tokens that will last for 60 minutes.

Create a Dynamic GKE Secret from the CLI



To set up a dynamic secret, you can either configure a connection to the target server first or provide all parameters of the target server in the secret creation command.

We recommend using dynamic secrets together with targets. It allows saving time on the secrets' configuration. To enable this flow, you must ensure that the user responsible for creating dynamic secrets has permission to access or create targets.

To create a dynamic GKE secret from the CLI using the existing target, run the following command:

akeyless gateway-create-producer-gke \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>'


  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the EKS cluster. The name can include the path to the virtual folder where this target resides.

  • gateway-url: API Gateway URL.

If you don't have a configured GKE target yet, you can use the command with target server connection parameters:

akeyless gateway-create-producer-gke \
--name <Dynamic Secret Name> \
--gateway-url 'https:\\<Your-Akeyless-GW-URL:8000>' \
--gke-account-email <GKE service account email> \
--gke-account-key <GKE service account Key>
--gke-cluster-endpoint <GKE cluster endpoint URL> \
--gke-cluster-ca-cert <Base64-encoded GKE cluster CA certificate> \
--gke-cluster-name <GKE cluster name>


  • gke-cluster-name: The name of the GKE cluster you want to connect to.

  • gke-cluster-ca-cert : Base64-encoded GKE cluster CA certificate.

  • gke-cluster-endpoint: GKE Cluster endpoint URL.

  • gke-account-email: GKE service account email.

  • gke-account-key: GKE service account key.

You can find the complete list of parameters for this command in the CLI Reference - Akeyless Producers section.

For guidelines on how to get the GKE service account name and key, see the API server authentication guide.

If you followed this guide, run:

# To get the GKE Service Account Name:
cat ~/gsa-key.json | jq -re .client_email

# To get the GKE Service Account Key:
cat ~/gsa-key.json | jq -re .private_key

Then copy the values to the dynamic GKE secret settings. You can find the rest of the values for dynamic GKE secret settings in your kubeconfig file or in the GCP console.

Use a Dynamic GKE Secret with the Akeyless CLI running on the same host

If the Akeyless CLI is installed on the same host as the kubectl, you can define a kubeconfig file to automatically run the get-dynamic-secret-value command and fetch new access tokens as required.

You need to either download the kubeconfig file directly from the Akeyless Console by selecting the Dynamic Secret item and copying the file from the Dynamic Secret Description, or generate the file manually as follows:

apiVersion: v1
- cluster:
    certificate-authority-data: <base 64 encoding of the cluster's certificate>
    server: <cluster DNS/IP address>
  name: <cluster name>
- context:
    cluster: <cluster name>
    user: <some user name>
  name: <cluster context name>
current-context: <cluster context name>
kind: Config
preferences: {}
- name: <some user name>
      apiVersion: client.authentication.k8s.io/v1beta1
        - get-dynamic-secret-value
        - --name
        - <dynamic secret item name>
        - --profile
        - <some profile> 
      command: /usr/local/bin/akeyless

For every new GKE cluster, you must update the kubeconfig file accordingly.

When you run kubectl ..., the Akeyless get-dynamic-secret-value command will fetch a new access token for you.

For more information regarding kubectl and the kubeconfig file, see the kubectl installation manual.

Use a Dynamic GKE Secret with the Akeyless CLI running on a different host

If the Akeyless CLI is installed on a different host as the kubectl, you can get a service account token from Akeyless separately, and then manually update the kubeconfig file that uses the token.

First, let's generate the kubeconfig file manually as described above, with the following change:

- name: <some user name>
    token: < Dynamic Secret Value goes here >

To get the dynamic GKE secret value from the CLI, you should run the following command:

akeyless get-dynamic-secret-value --name <Path to the dynamic secret>

Then you need to replace < Dynamic Secret Value goes here > with the response token exactly as you received it.



Working with dynamic secrets from the CLI is not the only available option.

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.

To create and fetch dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

Did this page help you?