GCP Secret Management
Creating secrets
- Go to Google Secret Manager UI.
- Click the button at the top labeled + CREATE SECRET.
- Fill in the name of your secret; e.g. bigquery_credentials.
- Under Secret value, upload your service account credentials JSON file or paste the JSON into the text area labeled Secret value.
- Scroll all the way down and click the button CREATE SECRET.
You can mount secrets from Google Secret Manager through Terraform configurations or through the Google Console UI.
Using secrets locally
Download credentials from GCP UI
- Download the credentials JSON file from GCP.
- Run Mage and mount the secrets as a volume in Docker. Follow these instructions to learn how to do this.
- Here are example code snippets to read from that credentials JSON file:
Note: This code example assumes your credentials JSON file downloaded from GCP is named gcp_credentials.json and that the mount path (e.g. -v) you used when running Docker is /home/secrets.
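A preflight check for the mounted key file, as an added example rather than Mage's own snippet. It assumes the file name gcp_credentials.json and the mount path /home/secrets from the note above; the function names and the project_dir parameter are hypothetical.

```python
import json
import os
import stat
from pathlib import Path

# Assumed from the note above: file name and Docker mount path.
CREDENTIALS_PATH = "/home/secrets/gcp_credentials.json"
# Fields present in a GCP service account key file.
REQUIRED_KEYS = {"type", "project_id", "private_key", "client_email"}


def check_credentials_file(path=CREDENTIALS_PATH, project_dir="."):
    """Return a list of problems with a mounted service account key file."""
    key_file = Path(path)
    if not key_file.is_file():
        return [f"{path} not found: is the secrets volume mounted?"]
    problems = []
    # A key inside the project folder can end up in git or a Docker image.
    if Path(project_dir).resolve() in key_file.resolve().parents:
        problems.append("key file is inside the project folder")
    # Bind mounts keep the host file mode; the key should be owner-only.
    mode = stat.S_IMODE(key_file.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants group/other access; use 0600")
    try:
        data = json.loads(key_file.read_text())
    except ValueError:
        return problems + ["file is not valid JSON"]
    if not isinstance(data, dict):
        return problems + ["file is not a JSON object"]
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    missing = sorted(REQUIRED_KEYS - data.keys())
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    return problems


def use_credentials(path=CREDENTIALS_PATH, project_dir="."):
    """Point Google client libraries at the key only if every check passes."""
    problems = check_credentials_file(path, project_dir)
    if problems:
        raise RuntimeError("; ".join(problems))
    os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = str(path)
    return path
```

Call use_credentials() at the start of a block, before any Google client is constructed, so a missing mount or an over-permissive key file fails early with a clear message.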
Download credentials using gcloud CLI
- Authenticate locally by running this command in your local terminal:
- Create a new .env file in your Mage project folder with the following values:
- Run Mage using Docker and set the environment variable GOOGLE_APPLICATION_CREDENTIALS. Follow these instructions to learn how to do this. For example, set the environment variable to:
- Run Mage and mount the secrets as a volume in Docker. Follow these instructions to learn how to do this. For example:
- Here is an example code snippet:
GCP Secret Manager Integration in Mage Pro
Securely manage and inject sensitive credentials into your Mage Pro pipelines using Google Cloud Secret Manager. This Pro-only feature helps enterprises meet cloud security and compliance standards by keeping secrets like API keys, database passwords, and tokens outside of source code.
Required Environment Variables
Before accessing secrets, configure your Mage Pro cluster with the following environment variables:
- GOOGLE_APPLICATION_CREDENTIALS: Full path to your GCP service account credentials JSON file. You can upload the credentials file directly to the Mage Pro cluster using the file browser interface.
- GCP_PROJECT_ID: The Google Cloud Project ID associated with your Secret Manager secrets.
These credentials must have Secret Manager Secret Accessor permissions for the secrets you intend to retrieve.
How to Use the GCP Secret Variable
You can reference GCP secrets programmatically in Python blocks or declaratively in YAML configs.
Python code
Use this approach inside a block in your Mage pipeline:
YAML config
To inject a secret dynamically into a YAML config (e.g., for a data source, destination, or authentication setting):
Mage will automatically resolve and substitute the secret value at runtime.