ContextQMD
Back to Infisical

GCP Secret Manager Sync

docs/integrations/secret-syncs/gcp-secret-manager.mdx

0.159.267.6 KB
Original Source

Prerequisites:

    - Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
    - Create a [GCP Connection](/integrations/app-connections/gcp) with the required **Secret Sync** permissions
    - Enable **Cloud Resource Manager API**, **Secret Manager API**, and **Service Usage API** on your GCP project
        ![Secret Syncs Tab](/images/secret-syncs/gcp-secret-manager/enable-resource-manager-api.png)
        ![Secret Syncs Tab](/images/secret-syncs/gcp-secret-manager/enable-secret-manager-api.png)
        ![Secret Syncs Tab](/images/secret-syncs/gcp-secret-manager/enable-service-usage-api.png)
    - Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
<Tabs> <Tab title="Infisical UI"> 1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button. ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png) 
    2. Select the **GCP Secret Manager** option.
    ![Select GCP Secret Manager](/images/secret-syncs/gcp-secret-manager/select-gcp-secret-manager-option.png)

    3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
    ![Configure Source](/images/secret-syncs/gcp-secret-manager/gcp-secret-manager-source.png)

        - **Environment**: The project environment to retrieve secrets from.
        - **Secret Path**: The folder path to retrieve secrets from.

    <Tip>
        If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
    </Tip>

    4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
    ![Configure Destination](/images/secret-syncs/gcp-secret-manager/gcp-secret-manager-destination.png)

        - **GCP Connection**: The GCP Connection to authenticate with.
        - **Project**: The GCP project to sync with.
        - **Scope**: The GCP project scope that secrets should be synced to:
            - **Global**: Secrets will be synced globally; available to all project regions.
            - **Region**: Secrets will be synced to the specified region.

    5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
    ![Configure Options](/images/secret-syncs/gcp-secret-manager/gcp-secret-manager-options.png)

        - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
            - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
            - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over GCP Secret Manager when keys conflict.
            - **Import Secrets (Prioritize GCP Secret Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from GCP Secret Manager over Infisical when keys conflict.
        - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
        <Note>
            We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
        </Note>
        - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
        - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.

    6. Configure the **Details** of your GCP Secret Manager Sync, then click **Next**.
    ![Configure Details](/images/secret-syncs/gcp-secret-manager/gcp-secret-manager-details.png)

        - **Name**: The name of your sync. Must be slug-friendly.
        - **Description**: An optional description for your sync.

    7. Review your Secret Manager Sync configuration, then click **Create Sync**.
    ![Confirm Configuration](/images/secret-syncs/gcp-secret-manager/gcp-secret-manager-review.png)

    8. If enabled, your GCP Secret Manager Sync will begin syncing your secrets to the destination endpoint.
    ![Sync Secrets](/images/secret-syncs/gcp-secret-manager/gcp-secret-manager-created.png)

</Tab>
<Tab title="API">
    To create a **GCP Secret Manager Sync**, make an API request to the [Create GCP
    Secret Manager Sync](/api-reference/endpoints/secret-syncs/gcp-secret-manager/create) API endpoint.

    ### Sample request

    ```bash Request
    curl    --request POST \
    --url https://app.infisical.com/api/v1/secret-syncs/gcp-secret-manager \
    --header 'Content-Type: application/json' \
    --data '{
        "destinationConfig": {
            "scope": "global",
            "projectId": "infisical-test-playground"
        },
        "name": "my-gcp-sync",
        "description": "this is an example secret sync",
        "secretPath": "/",
        "syncOptions": {
            "initialSyncBehavior": "overwrite-destination"
        },
        "isAutoSyncEnabled": true,
        "connectionId": "eec83609-5eb4-4d8d-9f6e-ded016984f0d",
        "environment": "dev",
        "projectId": "09eda1f8-85a3-47a9-8a6f-e27f133b2a36"
    }'
    ```

    ### Sample response

    ```bash Response
    {
        "secretSync": {
            "id": "aee02c4a-4a5f-488c-82dd-0b3164772871",
            "name": "my-gcp-sync",
            "description": "this is an example secret sync",
            "isAutoSyncEnabled": true,
            "version": 1,
            "projectId": "09eda1f8-85a3-47a9-8a6f-e27f133b2a36",
            "folderId": "1447389e-16fb-49ba-96fd-361b5a2522af",
            "connectionId": "eec83609-5eb4-4d8d-9f6e-ded016984f0d",
            "createdAt": "2025-01-27T12:28:59.408Z",
            "updatedAt": "2025-01-27T12:28:59.408Z",
            "syncStatus": "pending",
            "lastSyncJobId": null,
            "lastSyncMessage": null,
            "lastSyncedAt": null,
            "importStatus": null,
            "lastImportJobId": null,
            "lastImportMessage": null,
            "lastImportedAt": null,
            "removeStatus": null,
            "lastRemoveJobId": null,
            "lastRemoveMessage": null,
            "lastRemovedAt": null,
            "syncOptions": {
                "initialSyncBehavior": "overwrite-destination"
            },
            "connection": {
                "app": "gcp",
                "name": "my-gcp-connection",
                "id": "eec83609-5eb4-4d8d-9f6e-ded016984f0d"
            },
            "environment": {
                "slug": "dev",
                "name": "Development",
                "id": "124e0392-4070-4b1c-900e-ced30cd55bf3"
            },
            "folder": {
                "id": "1447389e-16fb-49ba-96fd-361b5a2522af",
                "path": "/"
            },
            "destination": "gcp-secret-manager",
            "destinationConfig": {
                "projectId": "infisical-test-playground"
            }
        }
    }
    ```
</Tab>
</Tabs>