GCP Secret Manager
Integrate an environment with Google Cloud Secret Manager
The GCP Secret Manager integration lets you connect a Stashbase environment with a Google Cloud project and sync secrets from Stashbase to GCP Secret Manager.
Common use cases
- Use Stashbase as the source of truth and publish selected secrets to GCP Secret Manager.
- Keep runtime secrets in Google Cloud while managing change workflows in Stashbase.
- Maintain a one-way sync flow from Stashbase to GCP Secret Manager.
Connection configuration
To connect an environment with GCP Secret Manager, you first create a workspace integration connection. A GCP Secret Manager connection requires the following information:
- Connection name: A name for the connection.
- Project ID: The Google Cloud project ID where secrets are managed.
- Client email: The service account client email.
- Private key: The private key from your service account credentials.
Alternatively, you can paste the full service account JSON and the form will be filled automatically.
Example service account JSON (sanitized):
{
"type": "service_account",
"project_id": "project",
"private_key_id": "c8833...",
"private_key": "-----BEGIN PRIVATE KEY-----...",
"client_email": "stashbase-integration@project.iam.gserviceaccount.com",
"client_id": "10352....",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/...",
"universe_domain": "googleapis.com"
}
Required GCP Project Setup
- Enable API: Secret Manager API (secretmanager.googleapis.com).
- Create a Service Account in the target GCP project.
- Generate Service Account JSON key (or paste full JSON if your flow supports direct JSON input).
Required IAM Permissions (Service Account)
Minimum permissions for integration behavior:
- secretmanager.secrets.list (connection validation + reconcile + cleanup discovery)
- secretmanager.secrets.create
- secretmanager.secrets.update (labels patch)
- secretmanager.secrets.delete (stale/cleanup delete)
- secretmanager.versions.add (write secret values)
Optional/not required by current sync:
- secretmanager.versions.access (not needed; integration does not read secret payloads)
Practical role guidance:
- Easiest: roles/secretmanager.admin
- Least-privilege: custom role with only the 5 permissions above
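As an added example (not Stashbase's own tooling), the script below provisions the least-privilege setup with gcloud: it enables the API, creates the service account, defines a custom role holding exactly the five permissions listed above, binds it, and generates the key JSON to paste into the connection form. The project id, the service-account name stashbase-integration and the role id stashbaseSecretSync are assumed placeholders.

```shell
# Added example, not Stashbase tooling. Assumed placeholders: the project id
# passed as $1, and the service-account name and custom role id below.
set -eu
SA_NAME="stashbase-integration"
ROLE_ID="stashbaseSecretSync"

# Exactly the five permissions the sync needs; versions.access is omitted on
# purpose, since the integration never reads secret payloads.
STASHBASE_SYNC_PERMISSIONS="secretmanager.secrets.list
secretmanager.secrets.create
secretmanager.secrets.update
secretmanager.secrets.delete
secretmanager.versions.add"

# Write the role definition file consumed by `gcloud iam roles create --file`.
write_role_definition() {
  {
    echo "title: Stashbase Secret Sync"
    echo "description: Least-privilege role for Stashbase to Secret Manager sync"
    echo "stage: GA"
    echo "includedPermissions:"
    printf '%s\n' "$STASHBASE_SYNC_PERMISSIONS" | sed 's/^/- /'
  } > "$1"
}

# Guard before applying: exactly five permissions and no payload read access.
role_definition_is_least_privilege() {
  ! grep -q 'secretmanager.versions.access' "$1" &&
    [ "$(grep -c '^- secretmanager\.' "$1")" -eq 5 ]
}

# Apply to a project; needs gcloud with an authenticated session.
apply_to_project() {
  project="$1"
  sa_email="${SA_NAME}@${project}.iam.gserviceaccount.com"
  role_file="$(mktemp)"
  write_role_definition "$role_file"
  role_definition_is_least_privilege "$role_file"
  gcloud services enable secretmanager.googleapis.com --project="$project"
  gcloud iam service-accounts create "$SA_NAME" --project="$project" \
    --display-name="Stashbase integration"
  gcloud iam roles create "$ROLE_ID" --project="$project" --file="$role_file"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" --role="projects/${project}/roles/${ROLE_ID}"
  # The generated key file is the JSON to paste into the Stashbase connection form.
  gcloud iam service-accounts keys create "${SA_NAME}-key.json" --iam-account="$sa_email"
}
# Usage: sh setup.sh PROJECT_ID (does nothing when no project id is given)
if [ -n "${1:-}" ]; then apply_to_project "$1"; fi
```

Review the generated role file before applying if you prefer to create the role from the console instead of gcloud.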
Integration configuration
To create a GCP Secret Manager integration, you need to configure the following settings.
Secret name prefix
Optional prefix to use for secret names in GCP Secret Manager. This helps to organize secrets and avoid naming conflicts.
Labels
The labels to apply to secrets created or updated by Stashbase in GCP Secret Manager. You can add custom labels in addition to the labels that Stashbase applies to all managed secrets. Stashbase also adds and manages its own integration labels, which record the workspace and environment that own each secret.
Deletion in GCP is irreversible (there is no AWS-style recovery window).