Use Secret Manager with other products

This topic provides resources for using Secret Manager with other Google Cloud services.

Cloud Build

Access Secret Manager secrets using environment variables in build steps on Cloud Build. See using Secret Manager secrets with Cloud Build for more information.

Cloud Code

Create, view, update, and use secrets within VS Code, IntelliJ, or Cloud Shell with Cloud Code's Secret Manager integration.

Cloud Run functions

Access Secret Manager secrets and expose them as environment variables or using the file system from Cloud Run functions. See using Secret Manager secrets with Cloud Run functions for more information.

You can also use Secret Manager with Cloud Run functions by using a Secret Manager client library or by accessing the Secret Manager API directly.

Cloud Run

Access Secret Manager secrets and expose them as environment variables or using the file system from Cloud Run services. See using Secret Manager secrets with Cloud Run for more information.

You can also use Secret Manager with Cloud Run services by using a Secret Manager client library or by accessing the Secret Manager API directly.

Compute Engine

Important: To use Secret Manager with workloads running on Compute Engine or Google Kubernetes Engine, the underlying instance or node must have the cloud-platform OAuth scope. See accessing the Secret Manager API for more information.

Use Secret Manager with workloads running on Compute Engine by using a Secret Manager client library or by accessing the Secret Manager API directly.

Google Kubernetes Engine

Use Secret Manager with workloads running on Google Kubernetes Engine (GKE) using one of the following options:

Client libraries: The recommended way to access Secret Manager secrets from workloads running on Google Kubernetes Engine is to use a Secret Manager client library authenticated using Workload Identity Federation for GKE. For more information, see Secret Manager best practices.
Secret Manager add-on: You can use the Secret Manager add-on to access Secret Manager secrets as volumes mounted in Kubernetes Pods. For information, see Use Secret Manager add-on with Google Kubernetes Engine.

Config Connector

Create and manage Secret Manager secrets with Config Connector using a declarative syntax. See the Secret Manager Config Connector resource documentation for more information.

Key Access Justifications

In Secret Manager, you can use Cloud External Key Manager (Cloud EKM) keys to encrypt and decrypt secrets. Key Access Justifications works by adding an additional field to the Cloud EKM requests that lets you view the reason for every request to access the externally managed keys. It lets you approve or deny the access request based on that justification. With select external key management partners, you can automatically approve or deny these requests, based on the justification. See the Key Access Justifications documentation for more information.