Google Cloud Secret Manager backend for SecretEnv.
Wraps the gcloud CLI — never a GCP SDK. Every credential
chain gcloud supports (user login, service-account key file,
Workload Identity, metadata server, impersonation) works
transparently because the CLI resolves auth the way the user
already configured it.
§URI shape
<instance>:///<secret-name>[#version=<n>] — scheme is the
instance name (e.g. gcp-prod); path is the Secret Manager secret
name. The optional #version=<n> directive pins a specific
version ID; <n> is either a positive integer or the literal
latest. When absent or latest, the flag is omitted and
gcloud defaults to the newest enabled version.
§Config fields
- gcp_project (required) — passed via --project on every call
- gcp_impersonate_service_account (optional) — appended as --impersonate-service-account <sa> when set
- gcloud_bin (test hook) — overrides the gcloud binary path
§Safety
Every CLI call goes through Command::args([...]) with individual
&strs — never sh -c, never format! into a shell string. The
set path pipes secret values via child stdin (CV-1 discipline).
The OAuth2 bearer token returned by
gcloud auth print-access-token is discarded immediately —
never logged, never interpolated into identity strings, never
included in error messages. A dedicated canary test locks this.
See [[backends/gcp]] in the kb for the full implementation spec.
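The URI rules, the config fields and the argv discipline above fit together in a few dozen lines. The following is an added illustration, not SecretEnv's own code: the type and function names (SecretRef, GcpConfig, parse_secret_uri, access_args, add_args, build_command) are invented, and it assumes the real CLI's `gcloud secrets versions access <version> --secret <name>` and `gcloud secrets versions add <name> --data-file=-` subcommand shapes, passing `latest` explicitly as the positional version rather than relying on a default. Every argument is its own argv element and the secret value for `add` goes through piped stdin, matching the Safety section.

```rust
use std::process::{Command, Stdio};

// Added illustration, not SecretEnv's own code. Type and function names
// are invented; the gcloud subcommand shapes are those of the real CLI.

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Version {
    Latest,
    Pinned(u64),
}

#[derive(Debug, PartialEq, Eq)]
pub struct SecretRef {
    pub instance: String,
    pub secret_name: String,
    pub version: Version,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Shape,
    BadSecretName,
    BadVersion(String),
    UnknownFragment(String),
}

/// Parse `<instance>:///<secret-name>[#version=<n>]`; `<n>` is a positive
/// integer or the literal `latest`.
pub fn parse_secret_uri(uri: &str) -> Result<SecretRef, ParseError> {
    let (instance, rest) = uri.split_once(":///").ok_or(ParseError::Shape)?;
    if instance.is_empty() {
        return Err(ParseError::Shape);
    }
    let (name, fragment) = match rest.split_once('#') {
        Some((n, f)) => (n, Some(f)),
        None => (rest, None),
    };
    // A Secret Manager secret ID is a single path segment; refuse extras.
    if name.is_empty() || name.contains('/') {
        return Err(ParseError::BadSecretName);
    }
    let version = match fragment.map(|f| f.strip_prefix("version=").ok_or(f)) {
        None => Version::Latest,
        Some(Err(f)) => return Err(ParseError::UnknownFragment(f.to_string())),
        Some(Ok("latest")) => Version::Latest,
        Some(Ok(n)) => {
            // Digits only: rejects "+3", "", and anything non-numeric.
            let digits = !n.is_empty() && n.bytes().all(|b| b.is_ascii_digit());
            match n.parse::<u64>() {
                Ok(v) if digits && v > 0 => Version::Pinned(v),
                _ => return Err(ParseError::BadVersion(n.to_string())),
            }
        }
    };
    Ok(SecretRef { instance: instance.to_string(), secret_name: name.to_string(), version })
}

/// The config fields listed above (hypothetical struct).
pub struct GcpConfig {
    pub gcp_project: String,
    pub gcp_impersonate_service_account: Option<String>,
    pub gcloud_bin: Option<String>,
}

fn common_flags(cfg: &GcpConfig, args: &mut Vec<String>) {
    args.push("--project".into());
    args.push(cfg.gcp_project.clone());
    if let Some(sa) = &cfg.gcp_impersonate_service_account {
        args.push("--impersonate-service-account".into());
        args.push(sa.clone());
    }
}

/// argv for `gcloud secrets versions access`. Each element is one argv
/// entry; a name containing shell metacharacters is still one argument.
pub fn access_args(cfg: &GcpConfig, r: &SecretRef) -> Vec<String> {
    let version = match &r.version {
        Version::Latest => "latest".to_string(),
        Version::Pinned(n) => n.to_string(),
    };
    let mut args: Vec<String> = ["secrets", "versions", "access"].iter().map(|s| s.to_string()).collect();
    args.push(version);
    args.push("--secret".into());
    args.push(r.secret_name.clone());
    common_flags(cfg, &mut args);
    args
}

/// argv for `gcloud secrets versions add`; `--data-file=-` makes gcloud read
/// the value from stdin, so it never appears on the command line.
pub fn add_args(cfg: &GcpConfig, r: &SecretRef) -> Vec<String> {
    let mut args: Vec<String> = ["secrets", "versions", "add"].iter().map(|s| s.to_string()).collect();
    args.push(r.secret_name.clone());
    args.push("--data-file=-".into());
    common_flags(cfg, &mut args);
    args
}

/// Assemble the process: honours the gcloud_bin test hook, uses Command::args
/// (never a shell), and pipes stdin only when a value must be written to it.
pub fn build_command(cfg: &GcpConfig, args: &[String], pipe_stdin: bool) -> Command {
    let mut cmd = Command::new(cfg.gcloud_bin.as_deref().unwrap_or("gcloud"));
    cmd.args(args);
    cmd.stdin(if pipe_stdin { Stdio::piped() } else { Stdio::null() });
    cmd
}
```

The set path would call `build_command(&cfg, &add_args(&cfg, &r), true)`, spawn it, write the value to the child's stdin handle and drop the handle before waiting; the get path uses `access_args` with stdin closed. Neither path ever formats the secret name or value into a string that a shell parses.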
Structs§
- GcpBackend
- A live instance of the GCP Secret Manager backend.
- GcpFactory
- Factory for the GCP Secret Manager backend.