Optional GCP Secret Manager integration for tsafe.
Pulls secrets from GCP Secret Manager and imports them into the local tsafe vault. The local vault remains the single source of truth — Secret Manager is purely a read source. No secret data is ever written back to GCP.
Configuration (environment variables)
| Variable | Required | Description |
|---|---|---|
| GOOGLE_CLOUD_PROJECT | yes* | GCP project ID |
| GCLOUD_PROJECT | yes* | Alternate project ID env var |
| GOOGLE_OAUTH_TOKEN | auth† | Pre-obtained OAuth2 access token (output of gcloud auth print-access-token) |
| GOOGLE_APPLICATION_CREDENTIALS | auth† | Path to an ADC JSON file of type authorized_user |
* Only one of the two project-ID variables is needed; if neither is set, the project ID falls back to the GCE metadata server.
† Authentication tries, in order: GOOGLE_OAUTH_TOKEN → GCE metadata server → ADC file ($GOOGLE_APPLICATION_CREDENTIALS or ~/.config/gcloud/application_default_credentials.json).
Key normalisation
Secret names such as my-db-password are normalised to MY_DB_PASSWORD (hyphens and dots → underscores, then uppercased) so they are immediately usable as environment variables.
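The normalisation rule above, written out as an added example (this is not the crate's own code): `normalize_key` applies the hyphen/dot-to-underscore-and-uppercase mapping, and `normalize_batch` adds a check the page does not describe, rejecting a set of secret names in which two distinct names collapse onto the same key (for instance my-db-password and my_db_password), because importing both would silently overwrite one value with the other. Both function names, and the collision check itself, are assumptions made for the example.

```rust
use std::collections::BTreeMap;

/// Normalise a Secret Manager secret name into an environment-variable-style key:
/// hyphens and dots become underscores and the result is uppercased.
/// ASCII uppercasing is sufficient because Secret Manager secret IDs are
/// restricted to ASCII letters, digits, hyphens and underscores.
/// (Added example mirroring the documented rule; not the crate's implementation.)
pub fn normalize_key(name: &str) -> String {
    name.chars()
        .map(|c| match c {
            '-' | '.' => '_',
            other => other.to_ascii_uppercase(),
        })
        .collect()
}

/// Normalise a batch of secret names and refuse the batch if two *distinct*
/// names collapse onto one key. The same name listed twice is tolerated (it is
/// a duplicate, not a collision).
///
/// Returns key -> original secret name on success, or the sorted, de-duplicated
/// list of colliding keys on failure. (Added check, not part of the crate.)
pub fn normalize_batch(names: &[&str]) -> Result<BTreeMap<String, String>, Vec<String>> {
    let mut out: BTreeMap<String, String> = BTreeMap::new();
    let mut collisions: Vec<String> = Vec::new();

    for &name in names {
        let key = normalize_key(name);
        match out.get(&key) {
            Some(prev) if prev != name => collisions.push(key),
            Some(_) => {} // exact duplicate of an already-seen name
            None => {
                out.insert(key, name.to_string());
            }
        }
    }

    if collisions.is_empty() {
        Ok(out)
    } else {
        collisions.sort();
        collisions.dedup();
        Err(collisions)
    }
}

fn main() {
    // Constructed sample secret names, not taken from any real project.
    println!("{}", normalize_key("my-db-password")); // MY_DB_PASSWORD

    match normalize_batch(&["my-db-password", "api.key", "my_db_password"]) {
        Ok(map) => {
            for (key, name) in &map {
                println!("{key} <- {name}");
            }
        }
        Err(keys) => eprintln!("refusing import, colliding keys: {keys:?}"),
    }
}
```

Running the batch check before writing into the local vault keeps the "single source of truth" property honest: a collision is reported to the operator instead of being resolved by whichever secret happened to be listed last.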
Re-exports
pub use config::acquire_token;
pub use config::GcpConfig;
pub use config::GcpToken;
pub use error::GcpError;
pub use secretmanager::pull_secrets;
Modules
- config: GCP runtime config and credential loading.
- error
- secretmanager: GCP Secret Manager HTTP client.