Google Cloud Secrets Manager

How to store secrets in GCP

This is an older version of the ZenML documentation. To read and view the latest version please visit this up-to-date URL.

The GCP secrets manager is a secrets manager flavor provided with the ZenML gcp integration that uses GCP to store secrets.

When to use it

You should use the GCP secrets manager if:

  • a component of your stack requires a secret for authentication or you want to use secrets inside your steps.

  • you're already using GCP, especially if your orchestrator is running in GCP. If you're using a different cloud provider, take a look at the other secrets manager flavors.

How to deploy it

In order to use the GCP secrets manager, you need to enable it here.

How to use it

To use the GCP secrets manager, we need:

  • The ZenML gcp integration installed. If you haven't done so, run

    zenml integration install gcp
  • The GCP CLI installed and authenticated.

  • The ID of the project in which you want to store secrets. Follow this guide to find your project ID.

We can then register the secrets manager and use it in our active stack:

zenml secrets-manager register <NAME> \
    --flavor=gcp_secrets_manager \

# Add the secrets manager to the active stack
zenml stack update -x <NAME>

You can now register, update or delete secrets using the CLI or fetch secret values inside your steps.

You can use secret scoping with the GCP Secrets Manager to emulate multiple Secrets Manager namespaces on top of a single GCP project.

A concrete example of using the GCP secrets manager can be found here.

For more information and a full list of configurable attributes of the GCP secrets manager, check out the API Docs.

Last updated