GCP Secret Manager

Sync secrets from the Keeper Vault with GCP Secret Manager


The Keeper Secrets Manager CLI tool sync command allows you to push secrets from the Keeper Vault to a target GCP Secret Manager project, overwriting the existing values in the target location. This allows the Keeper Vault to be the single source of truth for any services or scripts in GCP that utilize GCP Secret Manager.


  • Use secrets from the Keeper Vault as the source of truth for GCP Secret Manager

  • Seamlessly start using secrets from the Keeper Vault with your existing GCP scripts and services


  • Keeper Secrets Manager access (See the Quick Start Guide for more details)

    • Secrets Manager add-on enabled for your Keeper subscription

    • Membership in a Role with the Secrets Manager enforcement policy enabled

  • A Keeper Secrets Manager Application with secrets shared to it

  • A GCP account with GCP Secret Manager, and optionally the ability to create IAM service account credentials


1. Configure Keeper Secrets Manager CLI

You can skip this step if the KSM CLI is already configured on your machine.

To configure the KSM CLI tool, a profile needs to be created with the Keeper Secrets Manager One Time Access Token.

The simplest way to do this is to initialize the default profile with the following command:

ksm profile init <TOKEN>

For information on creating multiple profiles and other options, see the profile documentation

2. Set GCP Permissions

To use the KSM sync to GCP, GCP Secrets Manager requires standard IAM security credentials with Secret Manager Admin role enabled for the project or on the service account principal to sync.

Secret Manager Access control with IAM:

GCP instructions for creating Service Account Credentials (optional):

3. Create GCP Credentials Record

The KSM CLI needs the credentials for the GCP service account to set secrets. These credentials are stored in a Keeper record which the CLI tool can access using Keeper Secrets Manager.

Record fields with the following labels are required on the credentials record:

"Google Cloud Project ID" "Google Application Credentials" - optional

"Google Application Credentials" field is optional and needed only when Service Account Credentials are used. By default, GCP clients use Application Default Credentials which can be created using gcloud CLI

gcloud auth application-default login

When no longer need these credentials can be revoked:

gcloud auth application-default revoke

(Method 1) Create a GCP Credentials Custom Record Type

A custom record type can be created with the required fields, which makes it easy and clean to create a record.

To create a custom record type, go to the "Custom Record Types" tab in the Keeper Vault and hit "Create Type". Create a new record type with hidden fields that have the correct field label, then click "Publish" to create the new record type.

Then simply create a new record of the GCP Credentials type and enter the details into the corresponding fields.

Make sure this new record is moved to a Shared Folder that is associated with your Secrets Manager application.

(Method 2) Add Custom Fields

To create a credentials record without creating a new record type, the required fields can be added as custom fields to a standard record.

Create a new record of any type, then add Custom Fields of the 'Hidden Field' type for each required GCP field. Click "Edit Label" to change the labels for the corresponding field name.

Any record type will work, but the "File Attachment" standard record type has no fields and will be cleaner looking when custom fields are added

Then fill in each custom field and hit "Save" to save the record.

4. Create Value Mappings

The KSM CLI sync command identifies which values to set using mappings that are defined on the command call. For each mapping passed to the command, a value with the given name will be populated with the given value from the Keeper Vault.

These mappings follow this format:


VALUE KEY is the key name that the value will be assigned in GCP Secret Manager

KEEPER NOTATION is a Keeper notation query of a value from a keeper record to set to the key

Keeper notation is a query notation used by Keeper Secrets Manager to identify specific record values. The notation follows the general format of: UID/[field|custom_field]/fieldname for example: ae3d[...]d22e/field/password

See the Keeper Notation documentation for more information

Note that full record UIDs are not given in these examples

Full Mapping Example: --map "MySQL_PWD" "jd3[...]i-fd/field/password"

Multiple mappings can be added to a single sync command --map "MySQL_PWD" "jd3[...]i-fd/field/password" --map "MySQL_Login" "jd3[...]i-fd/field/login"

Ensure that the records referenced by the Keeper Notation queries are in a shared folder that is shared with your Secrets Manager application

KSM sync is now ready to run

Run Sync

To run the sync, use the KSM CLI sync command with the credentials record and value mapping.

1. Construct the Command

Put together the KSM sync command with the GCP type. The format looks like the following:

ksm sync --type gcp --credentials [UID] --map [...] --map [...]

2. Run a Dry-Run

The sync command supports running a dry-run which will identify all changes that will be made to your GCP Secret Manager values without actually pushing the values or making changes. Use this to make sure your mapping queries are constructed properly.

ksm sync --type gcp --credentials [UID] --map [...] --map [...] --dry-run

3. Run the Sync

When ready, run the sync command without the dry-run option. This will push values from your Keeper Vault to GCP Secret Manager

TIP: you can use -m as short hand for --map

ksm sync --type gcp --credentials [UID] -m [...] -m [...]

Last updated