GCP Secret Manager Credentials
Fetch a credential from Google Cloud Secret Manager at proxy startup and inject it into HTTPS requests.
Prerequisites
- CA certificate generated (CA Setup)
- GCP Application Default Credentials configured (
gcloud auth application-default loginor a service account key) - A secret stored in GCP Secret Manager containing the credential value
IAM Permissions
The service account or principal running gatekeeper needs the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) on the target secret.
Configuration
Add a gcp-secretmanager credential source to gatekeeper.yaml:
proxy:
host: 127.0.0.1
port: 9080
tls:
ca_cert: ca.crt
ca_key: ca.key
credentials:
- host: api.github.com
header: Authorization
grant: github
source:
type: gcp-secretmanager
project: my-gcp-project
secret: github-token
network:
policy: permissive
log:
level: info
format: text| Field | Required | Default | Description |
|---|---|---|---|
project | Yes | — | GCP project ID |
secret | Yes | — | Secret name in Secret Manager |
version | No | "latest" | Secret version (e.g., "1", "latest") |
Gatekeeper constructs the resource name projects/{project}/secrets/{secret}/versions/{version} and fetches the payload at startup with a 10-second timeout.
Pin a Specific Version
To pin to a specific secret version instead of latest:
source:
type: gcp-secretmanager
project: my-gcp-project
secret: github-token
version: "3"Start the Proxy
gatekeeper --config gatekeeper.yamlIf ADC is not configured or the secret does not exist, gatekeeper exits with an error at startup.
Verification
curl --cacert ca.crt --proxy http://127.0.0.1:9080 https://api.github.com/userThe proxy log confirms credential injection:
level=INFO msg=request http_host=api.github.com credential_injected=true grants=githubNote: Gatekeeper fetches the secret once at startup. To pick up a rotated secret, restart the proxy.
Next Steps
- GitHub App Tokens — auto-refreshing short-lived tokens
- Network Lockdown — restrict proxy traffic to specific hosts