Skip to content

Google Cloud Secret Manager Provider

The Google Cloud Secret Manager provider integrates with GCP for centralized secret management.

  • Google Cloud CLI (gcloud)
  • GCP project with Secret Manager API enabled
  • Authenticated via gcloud auth application-default login
  • Build with --features gcsm
gcsm://PROJECT_ID
  • PROJECT_ID: Your GCP project ID
Terminal window
# Set a secret
$ secretspec set DATABASE_URL --provider gcsm://my-gcp-project
# Get a secret
$ secretspec get DATABASE_URL --provider gcsm://my-gcp-project
# Check secrets
$ secretspec check --provider gcsm://my-gcp-project
# Run with secrets
$ secretspec run --provider gcsm://my-gcp-project -- npm start

By default each secret is stored as secretspec-{project}-{profile}-{key}. A secret’s ref field names an existing secret instead: item is the secret id, and the optional version pins a version (defaults to latest; field is not supported). References are read-only in this provider.

[profiles.production]
DATABASE_URL = { description = "DB", ref = { item = "database-url" }, providers = ["gcsm://my-gcp-project"] }
SIGNING_KEY = { description = "Key", ref = { item = "signing-key", version = "3" }, providers = ["gcsm://my-gcp-project"] }
Terminal window
# Set a secret
$ secretspec set DATABASE_URL --provider gcsm://my-gcp-project
Enter value for DATABASE_URL: postgresql://localhost/mydb
Secret 'DATABASE_URL' saved to gcsm (profile: default)
# Import from .env
$ secretspec import dotenv://.env

Secrets are stored as: secretspec-{project}-{profile}-{key}

Example: secretspec-myapp-production-DATABASE_URL

Terminal window
# Set credentials
$ export GOOGLE_APPLICATION_CREDENTIALS="/path/to/key.json"
# Run command
$ secretspec run --provider gcsm://my-gcp-project -- deploy