# Provision Vault access for an Environment in GCP

## Prerequisites
- Ascend Environment with an available service account (the service account can be found under IAM & Admin > IAM in the GCP console)
- GCP project with the Secret Manager API enabled
- Existing Ascend project
## Create a custom role with the necessary permissions
Below is the definition of a custom role that grants the Ascend Environment service account the single permission it needs to list secrets in GCP Secret Manager. Save it as `custom_role.yaml`:

```yaml
title: "Ascend Secret Lister"
description: "Custom role for Ascend to access secrets in GCP Secret Manager"
stage: "GA"
includedPermissions:
- secretmanager.secrets.list
```

To create the custom role, run the following command:

```shell
gcloud iam roles create ascendSecretLister \
  --project=<gcp-project-id> \
  --file=custom_role.yaml
```

`<gcp-project-id>` is the project id of the GCP project where the secrets are stored.
## Provision permissions for the service account
To let the service account read secret payloads in your GCP project, assign the Secret Accessor role with a condition that restricts it to secrets whose names begin with `<prefix>`:

```shell
gcloud projects add-iam-policy-binding <gcp-project-id> \
  --member="serviceAccount:<ascend-gcp-service-account>" \
  --role="roles/secretmanager.secretAccessor" \
  --condition="title=prefixFilter,expression=resource.name.startsWith('projects/<gcp-project-number>/secrets/<prefix>')"
```

Then assign the custom role without a condition:

```shell
gcloud projects add-iam-policy-binding <gcp-project-id> \
  --member="serviceAccount:<ascend-gcp-service-account>" \
  --role="projects/<gcp-project-id>/roles/ascendSecretLister" \
  --condition=None
```

- `<ascend-gcp-service-account>` is the environment service account created by Ascend.
- `<gcp-project-number>` uniquely identifies the GCP project but is not the same identifier as `<gcp-project-id>`. Secret Manager resource names use the project number, so a condition written with the project id will never match.
- `<prefix>` is a user-defined string that distinguishes the secrets used by different environments or instances in the same project.

The custom role is bound without a condition because the list permission is checked against the project rather than an individual secret, so a name-prefix condition would not be satisfied. As a result the service account can see the names (but not the payloads) of every secret in the project; only secrets under `<prefix>` are readable.
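The following is an added example, not Ascend's or Google's code: a small local simulation of how the two bindings above combine, using a few lines of Python in place of IAM's `resource.name.startsWith(...)` evaluation. The project number, service account and secret names are constructed sample values, and the role-to-permission mapping and the assumption that listing is checked against the project resource are stated in the comments. It shows which reads the prefix condition admits, why a condition written with the project id instead of the project number matches nothing, and why copying the prefix condition onto the lister role would break listing.

```python
"""Local simulation of the IAM bindings used in this guide (added example).

Real policy evaluation is done by Google Cloud IAM; this only mimics the
resource.name.startsWith(...) condition so the effect of each binding is visible.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample identifiers (not real projects or accounts).
PROJECT_ID = "my-gcp-project"
PROJECT_NUMBER = "123456789012"
PREFIX = "ascend-prod-"
SA = f"serviceAccount:ascend-env@{PROJECT_ID}.iam.gserviceaccount.com"

# Permissions carried by the two roles. Assumption: the predefined
# secretAccessor role grants only version access, and the custom role from
# custom_role.yaml grants only secrets.list.
ROLE_PERMISSIONS = {
    "roles/secretmanager.secretAccessor": {"secretmanager.versions.access"},
    f"projects/{PROJECT_ID}/roles/ascendSecretLister": {"secretmanager.secrets.list"},
}


@dataclass(frozen=True)
class Binding:
    member: str
    role: str
    # Prefix that resource.name must start with; None means unconditional.
    name_prefix: Optional[str] = None


def is_granted(bindings: Iterable[Binding], member: str, permission: str, resource_name: str) -> bool:
    """True if some binding for `member` carries `permission` and its condition
    (if any) is satisfied by `resource_name`."""
    for b in bindings:
        if b.member != member:
            continue
        if permission not in ROLE_PERMISSIONS.get(b.role, set()):
            continue
        if b.name_prefix is not None and not resource_name.startswith(b.name_prefix):
            continue  # condition present but not met for this resource
        return True
    return False


# The bindings exactly as the guide creates them.
CORRECT_BINDINGS = [
    Binding(SA, "roles/secretmanager.secretAccessor",
            name_prefix=f"projects/{PROJECT_NUMBER}/secrets/{PREFIX}"),
    Binding(SA, f"projects/{PROJECT_ID}/roles/ascendSecretLister"),
]

# Mistake 1: condition written with the project id instead of the number.
ID_INSTEAD_OF_NUMBER = [
    Binding(SA, "roles/secretmanager.secretAccessor",
            name_prefix=f"projects/{PROJECT_ID}/secrets/{PREFIX}"),
]

# Mistake 2: the prefix condition copied onto the lister role.
CONDITIONED_LISTER = [
    Binding(SA, f"projects/{PROJECT_ID}/roles/ascendSecretLister",
            name_prefix=f"projects/{PROJECT_NUMBER}/secrets/{PREFIX}"),
]


def version_name(secret: str) -> str:
    # resource.name seen by the access permission is the secret *version*,
    # and it is built from the project number, not the project id.
    return f"projects/{PROJECT_NUMBER}/secrets/{secret}/versions/latest"


def can_read(bindings: Iterable[Binding], secret: str) -> bool:
    return is_granted(bindings, SA, "secretmanager.versions.access", version_name(secret))


def can_list(bindings: Iterable[Binding]) -> bool:
    # Assumption of this simulation: listing is evaluated against the project
    # resource, so no secret name appears in resource.name.
    return is_granted(bindings, SA, "secretmanager.secrets.list", f"projects/{PROJECT_NUMBER}")


if __name__ == "__main__":
    print("read prefixed secret:", can_read(CORRECT_BINDINGS, "ascend-prod-api_key"))
    print("read other secret:   ", can_read(CORRECT_BINDINGS, "other-team-db-password"))
    print("list secrets:        ", can_list(CORRECT_BINDINGS))
    print("id-not-number bug:   ", can_read(ID_INSTEAD_OF_NUMBER, "ascend-prod-api_key"))
    print("conditioned lister:  ", can_list(CONDITIONED_LISTER))
```

The two failure cases are the ones most often seen when this setup is copied by hand: a project id in the condition silently denies every read, and a condition on the lister role makes `secretmanager.secrets.list` fail even though the reads still work.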
## Create the vault file in your Ascend project
Under the `vaults/` directory in your Ascend project, create the following file:

```yaml
vault:
  gcp_secret_manager:
    project: <gcp-project-id>
```
## Access the secret
Secrets stored in your GCP Secret Manager can now be referenced in your Ascend project using the following syntax:

```yaml
# ...
api_key: ${vaults.ascend_gcp_vault.<secret_api_key>}
# ...
```

`<secret_api_key>` is the name of the secret stored in GCP Secret Manager, and `ascend_gcp_vault` refers to the vault defined in the previous step. The secret name must begin with the `<prefix>` used in the conditional binding above; otherwise the Secret Accessor condition does not match and the read is denied.
🚧 Under construction 🚧