# Google Secret Manager Integration
GGScout supports integration with Google Secret Manager to collect and monitor your secrets. This guide will help you set up and configure the integration.
## Supported Features
- Multiple secret versions collection
- Service account authentication
- Project-specific secret collection
- IAM role-based access
## Configuration

To configure GGScout to work with Google Secret Manager, add the following configuration to your `ggscout.toml` file:

```toml
[sources.gcp]
type = "gcpsecretmanager"
fetch_all_versions = true
projects = ["some-project-id-441517"]
service_account_key_file = ".secure_files/.gcp_key.json"
```
### Configuration Parameters

| Parameter | Description | Required |
|---|---|---|
| `type` | Must be set to `"gcpsecretmanager"` | Yes |
| `fetch_all_versions` | Whether to collect all versions of secrets | No |
| `projects` | List of GCP project IDs to collect secrets from | Yes |
| `service_account_key_file` | Path to the service account key file | Yes |
## Authentication
GGScout supports multiple authentication methods for Google Cloud:
- Service Account Key: Using a JSON key file
- Application Default Credentials: When running on GCP infrastructure
- Environment Variables: Using standard GCP environment variables
### Environment Variables

- `GOOGLE_APPLICATION_CREDENTIALS`: Path to the service account key file
- `GOOGLE_CLOUD_PROJECT`: The GCP project ID
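As an added example (not GGScout's own code), the following Python check validates the `[sources.gcp]` block against the parameter table above and reports which credential source would be used once the environment variables are taken into account. The precedence it applies (config file value, then environment variable, then Application Default Credentials) is an assumption for illustration, not documented GGScout behaviour.

```python
try:
    import tomllib  # standard library on Python 3.11+
except ImportError:
    import tomli as tomllib  # older interpreters: pip install tomli

# The sample configuration from this page, embedded so the check runs offline.
SAMPLE_CONFIG = """[sources.gcp]
type = "gcpsecretmanager"
fetch_all_versions = true
projects = ["some-project-id-441517"]
service_account_key_file = ".secure_files/.gcp_key.json"
"""


def check_gcp_source(toml_text: str, env: dict) -> dict:
    """Validate the [sources.gcp] block and resolve credentials and projects.

    Assumed precedence (not documented GGScout behaviour): a config value wins,
    then the environment variable, then Application Default Credentials.
    """
    errors, warnings = [], []
    gcp = tomllib.loads(toml_text).get("sources", {}).get("gcp")
    if gcp is None:
        return {"errors": ["missing [sources.gcp] section"], "warnings": [],
                "auth": None, "projects": []}
    if gcp.get("type") != "gcpsecretmanager":
        errors.append('type must be "gcpsecretmanager"')

    projects = gcp.get("projects")
    if projects is None and env.get("GOOGLE_CLOUD_PROJECT"):
        projects = [env["GOOGLE_CLOUD_PROJECT"]]
        warnings.append("projects not set; using GOOGLE_CLOUD_PROJECT")
    if not (isinstance(projects, list) and projects
            and all(isinstance(p, str) and p for p in projects)):
        errors.append("projects must be a non-empty list of project ID strings")
        projects = []

    key_file = gcp.get("service_account_key_file") or env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_file:
        auth = "service_account_key"
    else:
        auth = "application_default"
        warnings.append("no key file configured; Application Default Credentials "
                        "only work when running on GCP infrastructure")
    if gcp.get("fetch_all_versions") is not True:
        warnings.append("fetch_all_versions is off; older secret versions will not be collected")
    return {"errors": errors, "warnings": warnings, "auth": auth, "projects": projects}
```

Run it against your own `ggscout.toml` before deploying the collector; a non-empty `errors` list means GGScout would be unable to start the source as written.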
## Best Practices
- Use Application Default Credentials when running on GCP infrastructure
- Follow the principle of least privilege for IAM permissions
- Enable `fetch_all_versions` to track changes in your secrets over time
- Store service account keys securely
- Regularly rotate service account keys
- Use separate projects for different environments