Google Secret Manager Integration
GGScout supports integration with Google Secret Manager to collect and monitor your secrets. This guide will help you set up and configure the integration.
Supported Features
- Multiple secret versions collection
- Service account authentication
- Project-specific secret collection
- IAM role-based access
Configuration
To configure GGScout to work with Google Secret Manager, add the following configuration to your ggscout.toml file:

```toml
[sources.gcp]
type = "gcpsecretmanager"
fetch_all_versions = true
projects = ["some-project-id-441517"]
service_account_key_file = ".secure_files/.gcp_key.json"
mode = "read"
env = "production"

[[sources.gcp.include]]
resource_ids = ["app-*", "database-*", "api-key"]

[[sources.gcp.exclude]]
resource_ids = ["test-*", "temp-*", "old-secret"]
```
Configuration Parameters
| Parameter | Description | Required | Default Value |
|---|---|---|---|
| type | Must be set to "gcpsecretmanager" | Yes | |
| fetch_all_versions | Whether to collect all versions of secrets | Yes | |
| projects | List of GCP project IDs to collect secrets from | Yes | |
| service_account_key_file | Path to the service account key file | Yes | |
| mode | Integration mode (one of: "read", "write", "read/write") | No | "read" |
| env | Environment label for categorizing secrets (e.g., "production", "staging", "development") | No | |
| [[sources.<name>.include]] | Table of resource_id patterns to include (see below) | No | |
| [[sources.<name>.exclude]] | Table of resource_id patterns to exclude (see below) | No | |
Authentication
GGScout supports multiple authentication methods for Google Cloud:
- Service Account Key: Using a JSON key file
- Application Default Credentials: When running on GCP infrastructure
- Environment Variables: Using standard GCP environment variables
Prerequisites: Before setting up the integration, ensure that you have activated the Cloud Resource Manager API in your GCP account, in addition to the Secret Manager API.
Environment Variables
- `GOOGLE_APPLICATION_CREDENTIALS`: Path to the service account key file
- `GOOGLE_CLOUD_PROJECT`: The GCP project ID
Best Practices
- Use Application Default Credentials when running on GCP infrastructure
- Follow the principle of least privilege for IAM permissions
- Enable `fetch_all_versions` to track changes in your secrets over time
- Store service account keys securely
- Regularly rotate service account keys
- Use separate projects for different environments
Note:
- Use `[[sources.<name>.include]]` and `[[sources.<name>.exclude]]` tables to specify multiple include/exclude rules. Each table must have a `resource_ids` array.
- Patterns support wildcards (`*`) only at the end for prefix matching. For exact matches, specify the complete name without wildcards.
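To check which secret names a given set of include/exclude tables would actually collect before rolling the configuration out, the following added example (not GGScout's own code) reimplements the matching rules described above: a trailing `*` is a prefix match, anything else is an exact match, and a `*` anywhere but the end is rejected rather than silently treated as a literal. The include and exclude lists mirror the `ggscout.toml` shown above; the secret names are constructed samples. One assumption not stated on the page is the precedence between the two tables: here a secret is collected when it matches at least one include pattern (or no include table is configured) and matches no exclude pattern, so exclusion always wins.

```python
"""Added example, not GGScout's own code: a reference implementation of the
include/exclude resource_id matching documented for the gcpsecretmanager source.

Assumption (not stated on the page): a secret is collected when it matches at
least one include pattern (or no include table is configured) and matches no
exclude pattern, i.e. an exclude rule overrides an include rule.
"""
from typing import Callable, Iterable, List

Matcher = Callable[[str], bool]

# Mirrors the [[sources.gcp.include]] and [[sources.gcp.exclude]] tables above;
# each inner list is one table's resource_ids array.
INCLUDE_RULES = [["app-*", "database-*", "api-key"]]
EXCLUDE_RULES = [["test-*", "temp-*", "old-secret"]]

# Constructed sample secret names to run the rules against.
SAMPLE_SECRETS = [
    "app-db-password",    # collected: prefix match on "app-*"
    "database-prod-url",  # collected: prefix match on "database-*"
    "api-key",            # collected: exact match on "api-key"
    "api-key-v2",         # skipped: "api-key" has no wildcard, so only an exact match counts
    "test-app-token",     # skipped: excluded by "test-*" (and matches no include rule)
    "old-secret",         # skipped: exact exclude match
    "unrelated-secret",   # skipped: matches no include rule
]


def compile_pattern(pattern: str) -> Matcher:
    """Turn one resource_id pattern into a predicate.

    A trailing '*' means prefix match; any other pattern is an exact match.
    The page documents wildcards only at the end, so a '*' anywhere else is
    rejected here (this example's choice) instead of being matched literally.
    """
    if "*" in pattern[:-1]:
        raise ValueError(f"wildcard is only supported at the end of a pattern: {pattern!r}")
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return lambda name: name.startswith(prefix)
    return lambda name: name == pattern


def compile_rules(tables: Iterable[Iterable[str]]) -> List[Matcher]:
    """Flatten the resource_ids arrays of several include or exclude tables."""
    return [compile_pattern(p) for table in tables for p in table]


def is_collected(name: str, include: List[Matcher], exclude: List[Matcher]) -> bool:
    """Apply the assumed precedence: must pass include (if any), must not be excluded."""
    if include and not any(match(name) for match in include):
        return False
    return not any(match(name) for match in exclude)


def filter_secrets(names: Iterable[str],
                   include_tables: Iterable[Iterable[str]],
                   exclude_tables: Iterable[Iterable[str]]) -> List[str]:
    """Return, in input order, the secret names the rules would collect."""
    include = compile_rules(include_tables)
    exclude = compile_rules(exclude_tables)
    return [name for name in names if is_collected(name, include, exclude)]


if __name__ == "__main__":
    collected = filter_secrets(SAMPLE_SECRETS, INCLUDE_RULES, EXCLUDE_RULES)
    for name in SAMPLE_SECRETS:
        print(f"{name:20} -> {'collected' if name in collected else 'skipped'}")
```

Running the script prints one line per sample secret; with the page's rules only `app-db-password`, `database-prod-url` and `api-key` are collected. Passing an empty include list shows the other documented case: everything not matched by an exclude pattern is collected.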