Version: 3.0.0

Provision Vault access for an Environment in GCP

Prerequisites

  • An Ascend Environment with its GCP service account available (the service account is listed under IAM & Admin > IAM)
  • A GCP project with the Secret Manager API enabled
  • An existing Ascend project

Create a custom role with the necessary permissions

Below is the definition of a custom role that grants the Ascend Environment service account only the permission it needs to list secrets in GCP Secret Manager. secretmanager.secrets.list lets the service account enumerate secret names and metadata; it does not grant access to secret payloads, which is handled separately by the conditional accessor binding in the next step.

custom_role.yaml
title: "Ascend Secret Lister"
description: "Custom role for Ascend to access secrets in GCP Secret Manager"
stage: "GA"
includedPermissions:
- secretmanager.secrets.list

To create the custom role, run the following command:

gcloud iam roles create ascendSecretLister \
--project=<gcp-project-id> \
--file=custom_role.yaml

<gcp-project-id> is the project ID of the GCP project in which the secrets are stored.

Provision permissions for the service account

To let the service account read secret payloads in your GCP project, grant it the Secret Accessor role (roles/secretmanager.secretAccessor) with an IAM condition that limits the grant to secrets whose resource names start with a prefix you choose:

gcloud projects add-iam-policy-binding <gcp-project-id> \
--member="serviceAccount:<ascend-gcp-service-account>" \
--role="roles/secretmanager.secretAccessor" \
--condition="title=prefixFilter,expression=resource.name.startsWith('projects/<gcp-project-number>/secrets/<prefix>')"

Then grant the custom lister role without a condition. The list permission is checked against the project rather than against an individual secret, so a resource.name prefix condition would deny it and the service account could not enumerate secrets at all. The trade-off is that the service account can see the names of every secret in the project; it can still only read the payloads of secrets that match the prefix in the accessor condition.

gcloud projects add-iam-policy-binding <gcp-project-id> \
--member="serviceAccount:<ascend-gcp-service-account>" \
--role="projects/<gcp-project-id>/roles/ascendSecretLister" \
--condition=None

<ascend-gcp-service-account> is the Environment service account created by Ascend.

<gcp-project-number> uniquely identifies the GCP project but is not the same identifier as <gcp-project-id>. Secret Manager resource names in IAM conditions use the project number, not the project ID; the number is shown on the project dashboard in the Cloud console and in the output of gcloud projects describe.

<prefix> is a user-defined string used to separate the secrets of different environments or instances that share one project. The condition is a plain string-prefix match, so a prefix such as prod also matches a secret named production-api-key; end the prefix with a delimiter (for example prod-) so that it only matches the secrets you intend.
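The two bindings above are easy to get subtly wrong (accessor granted without the condition, a condition on the lister role, a broader role left behind from testing, a prefix without a delimiter). The following script is an added example, not Ascend's or Google's code: it audits the JSON that gcloud projects get-iam-policy <gcp-project-id> --format=json prints, checks that the Ascend service account holds exactly the two bindings this page describes and nothing broader, and mirrors the CEL startsWith check over a few secret IDs to show which ones the conditional accessor binding actually reaches. The project ID, project number, service account, etag and secret IDs are constructed sample values; substitute your own and feed in real policy output.

```python
"""Audit the IAM bindings produced by the provisioning steps on this page.

Added example: the policies, project identifiers, member and secret IDs
below are constructed for illustration, not real data. Run it against the
output of `gcloud projects get-iam-policy <gcp-project-id> --format=json`
to check a real project.
"""
import json
import re

# Constructed identifiers (assumptions, substitute your own).
PROJECT_ID = "example-project"
PROJECT_NUMBER = "123456789012"
MEMBER = "serviceAccount:ascend-env@example-project.iam.gserviceaccount.com"
ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"
LISTER_ROLE = f"projects/{PROJECT_ID}/roles/ascendSecretLister"

# Constructed policy in the shape `gcloud projects get-iam-policy` prints
# after the two bindings on this page were applied correctly.
GOOD_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXconstructedEtag=",
    "bindings": [
        {
            "role": ACCESSOR_ROLE,
            "members": [MEMBER],
            "condition": {
                "title": "prefixFilter",
                "expression": f"resource.name.startsWith('projects/{PROJECT_NUMBER}/secrets/prod-')",
            },
        },
        {"role": LISTER_ROLE, "members": [MEMBER]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
})

# Same shape with two mistakes the audit is meant to catch: the accessor
# binding has no prefix condition, and an admin role was left bound.
BAD_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXconstructedEtag=",
    "bindings": [
        {"role": ACCESSOR_ROLE, "members": [MEMBER]},
        {"role": LISTER_ROLE, "members": [MEMBER]},
        {"role": "roles/secretmanager.admin", "members": [MEMBER]},
    ],
})

# Constructed secret IDs used to illustrate the prefix match.
SAMPLE_SECRET_IDS = ["prod-db-password", "production-api-key", "dev-db-password"]

_STARTS_WITH = re.compile(r"^resource\.name\.startsWith\('([^']*)'\)$")


def condition_prefix(binding):
    """Prefix named in a resource.name.startsWith('...') condition, else None."""
    cond = binding.get("condition")
    if not cond:
        return None
    m = _STARTS_WITH.match(cond.get("expression", "").strip())
    return m.group(1) if m else None


def audit(policy_json, member, project_number, prefix, lister_role):
    """Return a list of findings; an empty list means the policy matches this page."""
    policy = json.loads(policy_json)
    expected = f"projects/{project_number}/secrets/{prefix}"
    findings, seen = [], set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue  # bindings for other principals are out of scope here
        role = binding["role"]
        seen.add(role)
        if role == ACCESSOR_ROLE:
            got = condition_prefix(binding)
            if got is None:
                findings.append("secretAccessor has no resource.name prefix condition")
            elif got != expected:
                findings.append(f"secretAccessor prefix is {got!r}, expected {expected!r}")
        elif role == lister_role:
            if binding.get("condition"):
                findings.append("lister role is conditional; listing is checked against the project, so grant it unconditionally")
        else:
            findings.append(f"unexpected role {role} bound to {member}")
    if ACCESSOR_ROLE not in seen:
        findings.append("secretAccessor binding missing")
    if lister_role not in seen:
        findings.append("lister role binding missing")
    # Secret IDs may contain letters, digits, '-' and '_'; without a trailing
    # delimiter, startsWith also matches longer names that share the prefix.
    if not prefix.endswith(("-", "_")):
        findings.append(f"prefix {prefix!r} does not end in a delimiter; startsWith also matches longer names")
    return findings


def reachable(secret_ids, project_number, prefix):
    """Mirror the CEL check: secret IDs the conditional accessor binding covers."""
    needle = f"projects/{project_number}/secrets/{prefix}"
    return [s for s in secret_ids if f"projects/{project_number}/secrets/{s}".startswith(needle)]


if __name__ == "__main__":
    print("good policy:", audit(GOOD_POLICY, MEMBER, PROJECT_NUMBER, "prod-", LISTER_ROLE))
    print("bad policy: ", audit(BAD_POLICY, MEMBER, PROJECT_NUMBER, "prod-", LISTER_ROLE))
    print("prefix 'prod': ", reachable(SAMPLE_SECRET_IDS, PROJECT_NUMBER, "prod"))
    print("prefix 'prod-':", reachable(SAMPLE_SECRET_IDS, PROJECT_NUMBER, "prod-"))
```

The audit deliberately reports any role bound to the Ascend service account other than the two this page calls for, because an accessor grant scoped by prefix is only meaningful if no unconditional Secret Manager role sits beside it. The reachable() check is the quickest way to see why the prefix should end in a delimiter: with prod it reaches production-api-key, with prod- it does not.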

Create the vault file in your Ascend project

Under the vaults/ directory of your Ascend project, create the following file:

vaults/ascend_gcp_vault.yaml
vault:
  gcp_secret_manager:
    project: <gcp-project-id>

Access the secret

Secrets stored in GCP Secret Manager can now be referenced in your Ascend project with the following syntax:

.
.
.
api_key: ${vaults.ascend_gcp_vault.<secret_api_key>}
.
.
.

<secret_api_key> is the name (secret ID) of the secret in GCP Secret Manager. Only secrets whose names start with the prefix used in the accessor condition can be read; a reference to any other secret fails at access time even though the service account can see its name in the listing.