Version: 3.0.0

Provision Vault Access for an Environment in GCP

Prerequisites

  • Ascend Environment with an available service account (the service account is listed under IAM & Admin > IAM)
  • GCP project with the Secret Manager API enabled
  • Existing Ascend project

Create a custom role with the necessary permissions

Below is the definition for a custom role that has the necessary permissions for the Ascend Environment service account to list secrets in GCP Secret Manager.

custom_role.yaml
title: "Ascend Secret Lister"
description: "Custom role for Ascend to access secrets in GCP Secret Manager"
stage: "GA"
includedPermissions:
- secretmanager.secrets.list

To create the custom role, run the following command:

gcloud iam roles create ascendSecretLister \
--project=<gcp-project-id> \
--file=custom_role.yaml

<gcp-project-id> is the project id of the GCP project where the secrets are stored.

Provision permissions for the service account

To access the secrets in your GCP project, assign the Secret Accessor role to the service account with a condition that limits it to secrets under a chosen prefix:

gcloud projects add-iam-policy-binding <gcp-project-id> \
--member="serviceAccount:<ascend-gcp-service-account>" \
--role="roles/secretmanager.secretAccessor" \
--condition="title=prefixFilter,expression=resource.name.startsWith('projects/<gcp-project-number>/secrets/<prefix>')"

Then assign the custom role with no condition:

gcloud projects add-iam-policy-binding <gcp-project-id> \
--member="serviceAccount:<ascend-gcp-service-account>" \
--role="projects/<gcp-project-id>/roles/ascendSecretLister" \
--condition=None

<ascend-gcp-service-account> is the environment service account created by Ascend.

<gcp-project-number> is the numeric identifier of the GCP project; it is not the same identifier as <gcp-project-id>, and the condition expression above must use the number.

<prefix> is a user-defined value that distinguishes secrets used by different environments or instances in the same project.
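The two bindings above are the whole access model: an unconditional list permission plus a Secret Accessor grant that is prefix-scoped. A binding that was pushed without its condition (or with the project ID where the project number belongs) silently widens the service account to every secret in the project. The following audit, added here as an example and not part of Ascend's documentation or tooling, takes the JSON from `gcloud projects get-iam-policy <gcp-project-id> --format=json` and checks that the Ascend service account holds exactly the layout this page describes. The service account, project values and prefix are constructed sample values; the embedded policies are constructed so the check runs offline.

```python
"""Audit a project IAM policy for the prefix-scoped Secret Manager layout.

Feed it the output of:
    gcloud projects get-iam-policy <gcp-project-id> --format=json
The values below are constructed placeholders, not real identifiers.
"""
import json
import re

# Constructed sample values; replace with your own when auditing a real policy.
SA = "ascend-env-sa@example-project.iam.gserviceaccount.com"
PROJECT_ID = "example-project"
PROJECT_NUMBER = "123456789012"
PREFIX = "ascend-dev-"
LISTER_ROLE = f"projects/{PROJECT_ID}/roles/ascendSecretLister"

ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"
# Roles that would let the service account reach secrets outside the prefix.
OVERBROAD_ROLES = {"roles/owner", "roles/editor", "roles/secretmanager.admin"}
# Shape of the condition from the page: resource.name.startsWith('projects/<number>/secrets/<prefix>')
PREFIX_EXPR = re.compile(
    r"^resource\.name\.startsWith\('projects/([^/']+)/secrets/([^'/]+)'\)$")


def audit_policy(policy, service_account, project_number, prefix, lister_role):
    """Return a list of findings; an empty list means the policy matches the page's layout."""
    member = f"serviceAccount:{service_account}"
    findings = []
    scoped_accessor = lister_bound = False
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding.get("role", "")
        cond = binding.get("condition")
        if role == ACCESSOR_ROLE:
            if cond is None:
                findings.append(f"{role} is bound to {member} without a condition: "
                                "it can read every secret in the project")
                continue
            m = PREFIX_EXPR.match(cond.get("expression", ""))
            if m is None:
                findings.append(f"{role} has an unrecognised condition: {cond.get('expression')!r}")
            elif m.group(1) != project_number:
                # Conditions on Secret Manager resources name the project by number, not ID.
                findings.append(f"{role} condition names project {m.group(1)!r}; "
                                f"expected project number {project_number!r}")
            elif m.group(2) != prefix:
                findings.append(f"{role} condition scopes to prefix {m.group(2)!r}; expected {prefix!r}")
            else:
                scoped_accessor = True
        elif role == lister_role:
            # The page binds the list role unconditionally; a secret-prefix condition
            # would not match the project-level list operation.
            if cond is not None:
                findings.append(f"{role} should be bound without a condition")
            lister_bound = True
        elif role in OVERBROAD_ROLES:
            findings.append(f"{member} also holds {role}, which is broader than the vault needs")
    if not scoped_accessor:
        findings.append(f"no prefix-scoped {ACCESSOR_ROLE} binding found for {member}")
    if not lister_bound:
        findings.append(f"custom role {lister_role} is not bound to {member}")
    return findings


# Constructed policy matching the page: scoped accessor + unconditional lister.
GOOD_POLICY = {
    "version": 3,
    "bindings": [
        {"role": ACCESSOR_ROLE, "members": [f"serviceAccount:{SA}"],
         "condition": {"title": "prefixFilter",
                       "expression": f"resource.name.startsWith('projects/{PROJECT_NUMBER}/secrets/{PREFIX}')"}},
        {"role": LISTER_ROLE, "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ],
}

# Constructed policy with the condition dropped and an admin role added.
BAD_POLICY = {
    "version": 1,
    "bindings": [
        {"role": ACCESSOR_ROLE, "members": [f"serviceAccount:{SA}", "user:alice@example.com"]},
        {"role": "roles/secretmanager.admin", "members": [f"serviceAccount:{SA}"]},
    ],
}


def audit_json(text, service_account=SA, project_number=PROJECT_NUMBER,
               prefix=PREFIX, lister_role=LISTER_ROLE):
    """Convenience wrapper for raw gcloud JSON output."""
    return audit_policy(json.loads(text), service_account, project_number, prefix, lister_role)


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_policy(policy, SA, PROJECT_NUMBER, PREFIX, LISTER_ROLE) or "OK")
```

Note that `startsWith` is a plain string prefix test: a prefix such as `prod` also admits `production-db-password`, so end the prefix with a delimiter (as `ascend-dev-` does) and keep it unique per environment.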

Create the vault file in your Ascend project

Under the vaults/ directory in an Ascend project create the following file:

vaults/ascend_gcp_vault.yaml
vault:
  gcp_secret_manager:
    project: <gcp-project-id>

Access the secret

Secrets stored in your GCP Secret Manager can now be referenced in your Ascend project using the following syntax:

.
.
.
api_key: ${secret.ascend_gcp_vault.<secret_api_key>}
.
.
.

<secret_api_key> is the name of the secret stored in the GCP Secret Manager.