docs/integrations/app-connections/gcp.mdx
Infisical supports service account impersonation to connect with your GCP projects.
<Accordion title="Self-Hosted Instance">
Using the GCP integration on a self-hosted instance of Infisical requires configuring a service account on GCP and configuring your instance to use it.
<Steps>
<Step title="Enable the IAM Service Account Credentials API">
Enable the IAM Service Account Credentials API for the project containing the service account that will be impersonated. You can do this from the Google Cloud Console or via the command line.

To enable via command line, run the following command, replacing `projectId` with your GCP project ID:
```bash
gcloud services enable iamcredentials.googleapis.com --project=projectId
```
Verify the API is enabled by running:
```bash
gcloud services list --enabled --project=projectId | grep iamcredentials
```
</Step>
<Step title="Navigate to IAM & Admin > Service Accounts in Google Cloud Console">

</Step>
<Step title="Create a Service Account">
Create a new service account that will be used to impersonate other GCP service accounts for your app connections.

Press "DONE" after creating the service account.
</Step>
<Step title="Generate Service Account Key">
Download the JSON key file for your service account. This will be used to authenticate your instance with GCP.

</Step>
<Step title="Configure Your Instance">
1. Copy the entire contents of the downloaded JSON key file.
2. Set it as a string value for the `INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL` environment variable.
3. Restart your Infisical instance to apply the changes.
4. You can now use the GCP integration with service account impersonation.
<Note>
Workload identity federation is also supported. Instead of a service account key, you may
set `INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL` to an `external_account` credential
configuration JSON (the file produced by `gcloud iam workload-identity-pools create-cred-config`).
Infisical detects the credential type from the `type` field automatically. The federated identity
needs the `roles/iam.serviceAccountTokenCreator` role on the service accounts it impersonates.
For **AWS** providers, Infisical resolves the instance's AWS credentials through the standard AWS
SDK credential chain, so federation works on EC2, ECS/Fargate, EKS (IRSA), and Lambda, or from
`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` environment variables. The region defaults to
`us-east-1`; set `AWS_REGION` (or `AWS_DEFAULT_REGION`) to use a specific regional STS endpoint.
For other providers, the referenced credential source (a mounted file or URL) must be reachable
from the Infisical instance at runtime.
</Note>
</Step>
</Steps>
</Accordion>
Your service account ID must end with the first two sections of your Infisical organization ID.
Example:
- Infisical organization ID: `df92581a-0fe9-42b5-b526-0a1e88ec8085`
- Required service account ID suffix: `df92581a-0fe9`

</Step>
<Step title="Configure Service Account Permissions">
<Tabs>
<Tab title="Secret Sync">
Add the required permissions for secret syncs:

</Tab>
</Tabs>
After configuring the appropriate roles, press "DONE".
</Step>
<Step title="Enable Service Account Impersonation">
To enable service account impersonation, you'll need to grant the **Service Account Token Creator** role to the Infisical instance's service account. This configuration allows Infisical to securely impersonate the new service account.
1. Navigate to the **IAM & Admin > Service Accounts** section in your Google Cloud Console.
2. Select the newly created service account.
3. Click on the **PERMISSIONS** tab.
4. Click **Grant Access** to add a new principal.
5. In the **New principals** field, enter the Infisical service account email for your environment:
- **Infisical Cloud US:** `[email protected]`
- **Infisical Cloud EU:** `[email protected]`
- **Self-hosted:** use the service account you created for your instance (the one whose credentials are set in `INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL`).
6. In the **Role** field, select **Service Account Token Creator**.
7. Click **Save**.

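The following script is an added example, not Infisical's own code or part of its documentation. It checks a candidate service account email against the organization-ID suffix rule above and builds the `gcloud` equivalent of console steps 1–7 (binding `roles/iam.serviceAccountTokenCreator` on your service account to the Infisical principal). The project name and target service account email are constructed, and `INFISICAL_SA` is a placeholder for the Infisical service account email listed in step 5 for your region.

```shell
#!/bin/sh
# Added example, not Infisical's own code: check a service account ID against
# the organization-ID suffix rule and build the gcloud command that grants the
# Infisical principal the Service Account Token Creator role on it.
# Project and service account names below are constructed placeholders.
set -eu

# First two dash-separated sections of an Infisical organization ID,
# e.g. df92581a-0fe9-42b5-b526-0a1e88ec8085 -> df92581a-0fe9
required_suffix() {
  rs_first="${1%%-*}"            # df92581a
  rs_rest="${1#*-}"              # 0fe9-42b5-b526-0a1e88ec8085
  printf '%s-%s\n' "$rs_first" "${rs_rest%%-*}"
}

# Returns 0 if the service account ID (the part before '@') ends with the
# required suffix, 1 otherwise. GCP service account IDs are 6-30 characters,
# so the 13-character suffix leaves room for a short descriptive prefix.
check_sa_id() {
  cs_id="${1%%@*}"
  cs_suffix="$(required_suffix "$2")"
  case "$cs_id" in
    *"$cs_suffix") return 0 ;;
    *)             return 1 ;;
  esac
}

# Equivalent of console steps 1-7: bind roles/iam.serviceAccountTokenCreator
# on the target service account to the Infisical service account. gcloud is
# only invoked when RUN_GCLOUD=1; otherwise the command is printed for review.
grant_token_creator() {
  gt_target="$1"; gt_principal="$2"
  if [ "${RUN_GCLOUD:-0}" = "1" ]; then
    gcloud iam service-accounts add-iam-policy-binding "$gt_target" \
      --member="serviceAccount:${gt_principal}" \
      --role="roles/iam.serviceAccountTokenCreator"
  else
    printf 'gcloud iam service-accounts add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/iam.serviceAccountTokenCreator\n' \
      "$gt_target" "$gt_principal"
  fi
}

ORG_ID="df92581a-0fe9-42b5-b526-0a1e88ec8085"                          # organization ID from the docs example
TARGET_SA="infisical-df92581a-0fe9@my-project.iam.gserviceaccount.com" # constructed placeholder
INFISICAL_SA="INFISICAL_SA_EMAIL_FOR_YOUR_REGION"                      # placeholder: the email from step 5

if check_sa_id "$TARGET_SA" "$ORG_ID"; then
  grant_token_creator "$TARGET_SA" "$INFISICAL_SA"
else
  echo "service account ID must end with $(required_suffix "$ORG_ID")" >&2
  exit 1
fi
```

Run it once without `RUN_GCLOUD=1` to review the command, then with it to apply the binding. Afterwards, `gcloud iam service-accounts get-iam-policy TARGET_SA` should show `roles/iam.serviceAccountTokenCreator` held only by the Infisical principal you intended, since anyone holding that role can mint tokens as your service account.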
<Note>
**Troubleshooting: "One or more users named in the policy do not belong to a permitted customer."**
If granting access fails with the error *"One or more users named in the policy do not belong to a permitted customer."*, your Google Cloud organization has the Domain Restricted Sharing organization policy (`iam.allowedPolicyMemberDomains`) enabled. This policy only permits identities that belong to allowlisted Google organizations, so the Infisical service account is rejected until it is explicitly allowed.
To resolve this, add Infisical's Google Cloud Customer ID to the policy's allowed values **before** granting the service account a role:
1. In the Google Cloud Console, navigate to **IAM & Admin > Organization Policies**.
2. Search for and open the **Domain restricted sharing** (`iam.allowedPolicyMemberDomains`) policy.
3. Under **Custom values**, add a new allowed value containing Infisical's Google Cloud Customer ID:
```
C03rsjmyl
```
This is **Infisical's Google Cloud Customer ID**, not your own. Infisical uses a single Google Cloud organization, so this one Customer ID covers both the US and EU service accounts.
Enter the bare Customer ID (`C03rsjmyl`) in the Console UI. If you manage this policy with `gcloud`, a policy YAML file, or Terraform instead, use the prefixed form `is:C03rsjmyl`.
4. Save the policy, then return to **Step 4 (Grant Access)** in the main instructions above and complete steps 4–7 to add the Infisical service account as a principal.
</Note>
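For organizations that manage the Domain Restricted Sharing policy as code rather than in the Console, the following added example (not Infisical's own code) writes a policy file using the prefixed `is:C03rsjmyl` form described above and refuses to apply it unless your own Customer ID is still listed. The YAML layout follows the v2 organization policy format as the author understands it; `ORG_ID_PLACEHOLDER` and `OWN_CUSTOMER_ID_PLACEHOLDER` are placeholders for your organization ID and your own Google Cloud Customer ID, and the `gcloud` call only runs when `RUN_GCLOUD=1`.

```shell
#!/bin/sh
# Added example, not Infisical's own code: generate a v2 org-policy file for
# iam.allowedPolicyMemberDomains that keeps your own Customer ID allowed and
# adds Infisical's (C03rsjmyl, from the docs) in the prefixed form used by
# gcloud/YAML/Terraform. The YAML shape is assumed from the v2 org-policy
# format; org ID and own Customer ID are placeholders.
set -eu

write_dsr_policy() {
  wp_org_id="$1"; wp_own_customer_id="$2"; wp_out="$3"
  cat > "$wp_out" <<EOF
name: organizations/${wp_org_id}/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
  - values:
      allowedValues:
      - is:${wp_own_customer_id}
      - is:C03rsjmyl
EOF
}

# Guard before applying: the file must still list your own Customer ID,
# otherwise setting the policy would block your own identities from IAM grants.
policy_keeps_own_org() {
  grep -q -- "- is:${1}\$" "$2"
}

# Replaces the live policy spec, so merge any other allowed values from
# `gcloud org-policies describe iam.allowedPolicyMemberDomains --organization=ORG_ID`
# into the file first. gcloud is only invoked when RUN_GCLOUD=1.
apply_dsr_policy() {
  if [ "${RUN_GCLOUD:-0}" = "1" ]; then
    gcloud org-policies set-policy "$1"
  else
    printf 'gcloud org-policies set-policy %s\n' "$1"
  fi
}

policy_file="$(mktemp)"
write_dsr_policy "ORG_ID_PLACEHOLDER" "OWN_CUSTOMER_ID_PLACEHOLDER" "$policy_file"
if policy_keeps_own_org "OWN_CUSTOMER_ID_PLACEHOLDER" "$policy_file"; then
  cat "$policy_file"
  apply_dsr_policy "$policy_file"
else
  echo "refusing to apply: own Customer ID missing from allowedValues" >&2
  exit 1
fi
```

The generated file replaces the policy's whole `allowedValues` list rather than appending to it, which is why the script insists on your own Customer ID being present and why any other values already in the live policy must be carried over before running with `RUN_GCLOUD=1`.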
</Step>