+ CREATE SECRET
.bigquery_credentials
.CREATE SECRET
.You can mount secrets from Google Secret Manager through Terraform configurations or through the Google Console UI.
Download the credentials JSON file from GCP.
Run Mage and mount the secrets as a volume in Docker. Follow these instructions to learn how to do this.
Here are example code snippets to read from that credentials JSON file:
Note
This code example assumes your credentials JSON file downloaded from GCP is named
gcp_credentials.json
and that the mount path (e.g.-v
) you used when running Docker is/home/secrets
.
gcloud
CLIAuthenticate locally by running this command in your local terminal:
Create a new .env
file in your Mage project folder with the following values:
Run Mage using Docker and set the environment variable GOOGLE_APPLICATION_CREDENTIALS
.
Follow these instructions to learn how to do this.
For example, set the environment variable to:
Run Mage and mount the secrets as a volume in Docker. Follow these instructions to learn how to do this. For example:
Here is an example code snippet:
Try our fully managed solution to access this advanced feature.
Securely manage and inject sensitive credentials into your Mage Pro pipelines using Google Cloud Secret Manager. This Pro-only feature helps enterprises meet cloud security and compliance standards by keeping secrets like API keys, database passwords, and tokens outside of source code.
Before accessing secrets, configure your Mage Pro cluster with the following environment variables:
GOOGLE_APPLICATION_CREDENTIALS
:
Full path to your GCP service account credentials JSON file.
You can upload the credentials file directly to the Mage Pro cluster using the file browser interface.
GCP_PROJECT_ID
:
The Google Cloud Project ID associated with your Secret Manager secrets.
These credentials must have Secret Manager Secret Accessor
permissions for the secrets you intend to retrieve.
You can reference GCP secrets programmatically in Python blocks or declaratively in YAML configs.
Use this approach inside a block in your Mage pipeline:
To inject a secret dynamically into a YAML config (e.g., for a data source, destination, or authentication setting):
Mage will automatically resolve and substitute the secret value at runtime.