
GCP Secrets Manager

Deploys secrets in Google Cloud Secret Manager with automatic replication and placeholder secret versions. Each secret name in the spec produces a dedicated Secret resource and an initial SecretVersion, with secret IDs optionally prefixed by the environment label for multi-environment isolation.

What Gets Created

When you deploy a GcpSecretsManager resource, OpenMCF provisions:

  • Secret — one secretmanager.Secret per entry in secretNames, created in the specified GCP project with automatic replication enabled and OpenMCF-managed labels (resource kind, name, organization, environment)
  • Secret Version (placeholder) — one secretmanager.SecretVersion per secret, initialized with a placeholder value and configured with ignoreChanges on secretData, so later manual or programmatic updates to the secret value are never overwritten by OpenMCF. The placeholder is the secret's first (and, until you add a real value, its latest) version; treat the secret as unpopulated until a real version has been added.
  • Environment-Prefixed IDs — when metadata.env is set, each secret ID is formatted as {env}-{secretName}; otherwise the secret ID matches the secret name exactly

Prerequisites

  • GCP credentials configured via environment variables or OpenMCF provider config
  • A GCP project where the secrets will be created
  • Secret Manager API enabled on the target GCP project (secretmanager.googleapis.com)
  • IAM permissions for the identity that runs openmcf apply to create secrets and secret versions in the target project (e.g., roles/secretmanager.admin). Workloads that only read secret values at runtime need roles/secretmanager.secretAccessor, not admin.

Quick Start

Create a file secrets.yaml:

apiVersion: gcp.openmcf.org/v1
kind: GcpSecretsManager
metadata:
  name: my-app-secrets
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.GcpSecretsManager.my-app-secrets
spec:
  projectId: my-gcp-project-123
  secretNames:
    - database-password

Deploy:

openmcf apply -f secrets.yaml

This creates a single secret named database-password in Google Cloud Secret Manager with a placeholder version. Update the secret value through the GCP Console, gcloud, or application code after deployment; until you do, the secret's latest version is the placeholder, so do not point a workload at it before it has been populated.
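The following script is an added example, not part of the OpenMCF project or its documentation. It covers the post-deploy step above and the ID rule from What Gets Created: it computes the env-prefixed secret ID, writes the real value as a new version (read from stdin, so the value never appears on the command line), disables the placeholder version, grants read access on that one secret to a runtime service account, and verifies. It assumes the gcloud CLI is installed and authenticated; the project, env, secret name and service account email are illustrative, and it assumes the placeholder is version 1 (true when nothing else has added a version since deployment).

```shell
#!/usr/bin/env bash
# Added example, not OpenMCF or Google code. Assumes an authenticated gcloud CLI.
set -eu

# Mirror the ID rule from "What Gets Created": {env}-{name} when env is set, else name.
secret_id() {
  local env="$1" name="$2"
  if [ -n "$env" ]; then
    printf '%s-%s' "$env" "$name"
  else
    printf '%s' "$name"
  fi
}

# Replace the placeholder with the real value. The value is read from stdin
# (--data-file=-), never passed as an argument, so it does not land in shell
# history or the process table. The placeholder (assumed to be version 1) is
# disabled rather than destroyed: it is still the SecretVersion resource that
# OpenMCF tracks, and disabling it is enough to stop "latest" and readers from
# resolving to it.
populate_secret() {
  local project="$1" env="$2" name="$3"
  local id
  id="$(secret_id "$env" "$name")"
  gcloud secrets versions add "$id" --project "$project" --data-file=-
  gcloud secrets versions disable 1 --secret "$id" --project "$project"
}

# Grant read access on this one secret only, not project-wide, to the runtime
# identity (for example a GcpServiceAccount-managed account used by Cloud Run).
grant_reader() {
  local project="$1" id="$2" sa_email="$3"
  gcloud secrets add-iam-policy-binding "$id" --project "$project" \
    --member "serviceAccount:${sa_email}" \
    --role roles/secretmanager.secretAccessor
}

# Verify: list versions (the placeholder should show as DISABLED) and confirm the
# latest alias is readable without printing the value.
verify_secret() {
  local project="$1" id="$2"
  gcloud secrets versions list "$id" --project "$project"
  gcloud secrets versions access latest --secret "$id" --project "$project" >/dev/null
  echo "latest version of $id is readable"
}

# Usage (values are illustrative):
#   printf '%s' "$DB_PASSWORD" | ./populate.sh populate my-gcp-project-123 staging database-password
#   ./populate.sh grant my-gcp-project-123 staging database-password app-runtime@my-gcp-project-123.iam.gserviceaccount.com
case "${1:-}" in
  populate) populate_secret "$2" "$3" "$4" ;;
  grant)    grant_reader "$2" "$(secret_id "$3" "$4")" "$5"
            verify_secret "$2" "$(secret_id "$3" "$4")" ;;
  *)        ;;  # no subcommand: only define the functions
esac
```

Keep the secretAccessor binding on individual secrets rather than granting the role at project level; a project-level binding lets the service account read every secret the module creates, including ones it has no reason to see.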

Configuration Reference

Required Fields

Field       Type                  Validation   Description
projectId   string or valueFrom   Required     The GCP project ID where the secrets will be created. Can be a literal value or a reference to a GcpProject resource.

Optional Fields

Field         Type       Default   Description
secretNames   string[]   []        A list of secret names to create in Google Cloud Secret Manager. Each name produces one Secret resource and one placeholder SecretVersion. Empty strings in the list are skipped.

Examples

Single Secret for a Database Password

A minimal deployment that creates one secret for storing a database credential:

apiVersion: gcp.openmcf.org/v1
kind: GcpSecretsManager
metadata:
  name: db-credentials
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.GcpSecretsManager.db-credentials
spec:
  projectId: my-gcp-project-123
  secretNames:
    - db-password

Multiple Secrets for a Microservice

Create several secrets that a backend service needs at runtime:

apiVersion: gcp.openmcf.org/v1
kind: GcpSecretsManager
metadata:
  name: payment-service-secrets
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: staging.GcpSecretsManager.payment-service-secrets
  env: staging
spec:
  projectId: my-gcp-project-123
  secretNames:
    - stripe-api-key
    - stripe-webhook-secret
    - database-url
    - jwt-signing-key

Because metadata.env is staging, the resulting secret IDs in GCP will be staging-stripe-api-key, staging-stripe-webhook-secret, staging-database-url, and staging-jwt-signing-key.

Production Secrets with Foreign Key Reference

Reference an OpenMCF-managed GcpProject instead of hardcoding the project ID. This example covers the set of secrets a production deployment typically needs:

apiVersion: gcp.openmcf.org/v1
kind: GcpSecretsManager
metadata:
  name: platform-secrets
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.GcpSecretsManager.platform-secrets
  env: prod
spec:
  projectId:
    valueFrom:
      kind: GcpProject
      name: production-project
      fieldPath: status.outputs.project_id
  secretNames:
    - database-password
    - redis-auth-token
    - smtp-credentials
    - oauth-client-secret
    - encryption-master-key
    - third-party-api-key

Stack Outputs

After deployment, the following outputs are available in status.outputs:

Output        Type                  Description
secretIdMap   map<string, string>   A map where each key is the original secret name from secretNames and each value is the resolved secret ID in GCP Secret Manager. When metadata.env is set, the secret ID is {env}-{secretName}; otherwise it equals the secret name.

Related Components

  • GcpProject — provides the GCP project where secrets are created
  • GcpServiceAccount — creates service accounts that can be granted roles/secretmanager.secretAccessor to read secret values at runtime
  • GcpCloudRun — Cloud Run services that consume secrets as environment variables or mounted volumes
  • GcpGkeCluster — GKE clusters whose workloads can access secrets via workload identity
