Provision Google Cloud Secret Manager
Prerequisites
- Ascend Environment
- A GCP project with the Secret Manager API enabled
- Ascend Project
Overview
Ascend Environments can securely access secrets stored in Google Cloud Secret Manager. This guide outlines the steps to configure access between your Ascend Environment and Google Cloud Secret Manager. The result is a least-privilege grant: the Environment's service account can list the names of secrets in the project, but can read secret payloads only for secrets whose names begin with a prefix you choose.
Create a custom role with list permissions
First, define a custom role that allows your Ascend Environment to list secrets in Google Cloud Secret Manager. Listing returns only secret names and metadata, not payloads, so this role grants no access to secret values. Save the following as custom_role.yaml:
title: "Ascend Secret Lister"
description: "Custom role for Ascend to access secrets in Google Cloud Secret Manager"
stage: "GA"
includedPermissions:
- secretmanager.secrets.list
Deploy this custom role using the following command:
gcloud iam roles create ascendSecretLister \
--project=<gcp-project-id> \
--file=custom_role.yaml
Note: Replace <gcp-project-id> with your GCP project ID.
Grant secret access permissions to your service account
Assign Secret Accessor role with prefix condition
The roles/secretmanager.secretAccessor role grants access to secret version payloads. The IAM condition below restricts it to resources whose name starts with projects/<gcp-project-number>/secrets/<prefix>, so the service account can read only secrets under that prefix (secret versions are named projects/<number>/secrets/<secret>/versions/<version>, so the same prefix covers them):
gcloud projects add-iam-policy-binding <gcp-project-id> \
--member="serviceAccount:<ascend-gcp-service-account>" \
--role="roles/secretmanager.secretAccessor" \
--condition="title=prefixFilter,expression=resource.name.startsWith('projects/<gcp-project-number>/secrets/<prefix>')"
Assign the custom Secret Lister role
The secretmanager.secrets.list permission is evaluated against the project, not against an individual secret, so a resource.name condition would only block listing. Bind the custom role without a condition (gcloud requires an explicit --condition=None once the policy contains conditional bindings):
gcloud projects add-iam-policy-binding <gcp-project-id> \
--member="serviceAccount:<ascend-gcp-service-account>" \
--role="projects/<gcp-project-id>/roles/ascendSecretLister" \
--condition=None
Where:
- <ascend-gcp-service-account> is your Ascend Environment's service account
- <gcp-project-id> is your GCP project ID
- <gcp-project-number> is your GCP project number (different from the project ID; resource names in IAM conditions carry the number, and a project ID in its place matches nothing)
- <prefix> is a prefix for organizing secrets by environment or instance. Include a trailing delimiter such as ascend-prod- rather than ascend-prod: startsWith is a plain string-prefix match, so a prefix of prod would also grant access to production-db and prod-admin-key. Secret IDs may contain only letters, digits, hyphens and underscores, so - or _ are the available delimiters.
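The three steps above as one idempotent script, added here as an example and not code from Ascend or Google. It wraps the page's gcloud commands, adds the two checks a reviewer would want before the binding is applied (the project number is numeric, and the prefix ends in a delimiter), and finishes with a verification run that impersonates the Ascend service account to confirm listing works and payload access is limited to the prefix. The environment variable names, their default values, the helper function names and the verify step are assumptions for illustration; the verify step additionally assumes the caller holds roles/iam.serviceAccountTokenCreator on the service account.

```shell
#!/bin/sh
# Added example (not Ascend's or Google's code): provision the custom role
# and the two IAM bindings from this guide, then verify them. Variable names,
# defaults and helper names are assumptions for illustration.
set -eu

# --- inputs: override via the environment; the defaults are placeholders ---
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"                   # GCP project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"             # GCP project NUMBER, not the ID
ASCEND_SA="${ASCEND_SA:-ascend-env@my-gcp-project.iam.gserviceaccount.com}"
PREFIX="${PREFIX:-ascend-prod-}"                             # secret-name prefix, with delimiter
ROLE_ID="${ROLE_ID:-ascendSecretLister}"

# Check 1: the condition must carry the numeric project number. A project ID
# there is valid CEL but never matches a real resource name, so the binding
# would silently grant nothing.
validate_project_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Check 2: startsWith() is a plain string prefix. Without a trailing delimiter
# 'prod' also matches 'production-db' and 'prod-admin-key'. Secret IDs may only
# contain letters, digits, '-' and '_', so those two are the delimiters.
prefix_has_delimiter() {
  case "$1" in
    *-|*_) return 0 ;;
    *) return 1 ;;
  esac
}

# CEL expression for the conditional secretAccessor binding.
condition_expr() {
  printf "resource.name.startsWith('projects/%s/secrets/%s')" "$1" "$2"
}

provision() {
  validate_project_number "$PROJECT_NUMBER" || {
    echo "PROJECT_NUMBER must be numeric, got '$PROJECT_NUMBER'" >&2; exit 2; }
  prefix_has_delimiter "$PREFIX" || \
    echo "warning: PREFIX '$PREFIX' has no trailing '-' or '_' and will match more secrets than intended" >&2

  # Custom role: create once, reuse on later runs.
  if ! gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" >/dev/null 2>&1; then
    cat > custom_role.yaml <<EOF
title: "Ascend Secret Lister"
description: "Custom role for Ascend to access secrets in Google Cloud Secret Manager"
stage: "GA"
includedPermissions:
- secretmanager.secrets.list
EOF
    gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=custom_role.yaml
  fi

  # Conditional accessor binding: payload reads only under the prefix.
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$ASCEND_SA" \
    --role="roles/secretmanager.secretAccessor" \
    --condition="title=prefixFilter,expression=$(condition_expr "$PROJECT_NUMBER" "$PREFIX")"

  # Lister binding: secrets.list is evaluated against the project, so a
  # resource.name condition cannot scope it; bind it unconditionally.
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$ASCEND_SA" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID" \
    --condition=None
}

# Verify as the service account itself (caller needs
# roles/iam.serviceAccountTokenCreator on $ASCEND_SA). $1 is a secret ID:
# one under $PREFIX should print its payload length; one outside it must
# fail with PERMISSION_DENIED.
verify() {
  gcloud secrets list --project="$PROJECT_ID" --format='value(name)' \
    --impersonate-service-account="$ASCEND_SA"
  gcloud secrets versions access latest --secret="$1" --project="$PROJECT_ID" \
    --impersonate-service-account="$ASCEND_SA" | wc -c
}

case "${1:-}" in
  apply)  provision ;;
  verify) verify "${2:?usage: $0 verify SECRET_ID}" ;;
esac
```

Run it as `./provision.sh apply`, then `./provision.sh verify ascend-prod-db-password` and `./provision.sh verify some-other-secret`; the second access must be denied, which confirms the prefix condition rather than an unconditional grant is in effect.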
Configure the Vault in your Ascend project
Create the following YAML file in the vaults/ directory of your Ascend project. The vault is referenced by its name in your Components; the reference example below uses a vault named ascend_gcp_vault:
vault:
gcp_secret_manager:
project: <gcp-project-id>
You can now reference secrets from Google Cloud Secret Manager in your Ascend Components using the following syntax:
component:
configuration:
api_key: ${vaults.ascend_gcp_vault.<secret_name>}
Replace <secret_name> with the actual name of the secret stored in Google Cloud Secret Manager. Only secrets whose names begin with the <prefix> granted above can be read; a reference to any other secret fails with a permission error.
Next steps
After provisioning Google Cloud Secret Manager for your Project, you can also configure it as an Instance or Environment vault:
- Configure Google Cloud Secret Manager as an Instance Vault
- Configure Google Cloud Secret Manager as an Environment Vault
Setting up vault access at these levels provides more flexibility in managing secrets.