Creates and manages secrets in GCP Secret Manager with automatic versioning.

Config

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| project_id | string | Yes | | GCP project ID |
| secret_id | string | Yes | | Secret identifier (unique per project) |
| data | string | Yes | | Secret payload to store |
| credentials | dict or string | Yes | | GCP service account credentials JSON |

Outputs

| Field | Type | Description |
|---|---|---|
| resource_name | string | Full GCP resource name (projects/{project}/secrets/{id}) |
| version_name | string | Full version resource name including version number |
| version_id | string | The version number |
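
A consumer of these outputs can check that the three fields agree with each other and that version_name is pinned to a numeric version before recording or using it. The following is an added example, not code from this project: the function name and the sample values are assumptions, and the `/versions/{n}` suffix is GCP Secret Manager's standard version name format appended to the resource name shown above.

```python
import re

# resource_name format as documented on this page; version_name appends
# /versions/{n} (GCP's standard version path). The project segment is kept
# loose because it may be a project ID or a project number.
_SECRET = r"projects/(?P<project>[^/]+)/secrets/(?P<secret>[A-Za-z0-9_-]{1,255})"
_SECRET_RE = re.compile(_SECRET)
_VERSION_RE = re.compile(_SECRET + r"/versions/(?P<version>[^/]+)")

# Constructed sample outputs, mirroring the example resource on this page.
SAMPLE = {
    "resource_name": "projects/my-project/secrets/anthropic-api-key",
    "version_name": "projects/my-project/secrets/anthropic-api-key/versions/3",
    "version_id": "3",
}


def check_secret_outputs(outputs, expected_secret=None):
    """Validate gcp/secret outputs; return (project, secret_id, version).

    Raises ValueError if a name is malformed, the fields disagree, or the
    version is an alias such as 'latest' instead of a pinned number.
    """
    res = _SECRET_RE.fullmatch(str(outputs.get("resource_name", "")))
    ver = _VERSION_RE.fullmatch(str(outputs.get("version_name", "")))
    if res is None:
        raise ValueError("resource_name is not projects/{project}/secrets/{id}")
    if ver is None:
        raise ValueError("version_name is not {resource_name}/versions/{n}")
    if (ver["project"], ver["secret"]) != (res["project"], res["secret"]):
        raise ValueError("version_name belongs to a different secret")
    if re.fullmatch(r"[1-9][0-9]*", ver["version"]) is None:
        raise ValueError("version is not pinned to a number")
    if str(outputs.get("version_id")) != ver["version"]:
        raise ValueError("version_id does not match version_name")
    if expected_secret is not None and res["secret"] != expected_secret:
        raise ValueError("outputs refer to an unexpected secret_id")
    return res["project"], res["secret"], int(ver["version"])


if __name__ == "__main__":
    print(check_secret_outputs(SAMPLE, expected_secret="anthropic-api-key"))
```
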

Dependencies

Depends on: Nothing. Depended on by: Resources that need GCP Secret Manager metadata (version tracking, resource naming).

Example

provider: gcp
resource: secret
name: anthropic-key
config:
  project_id: my-project
  secret_id: anthropic-api-key
  data: "sk-ant-..."
  credentials:
    type: service_account
    project_id: my-project
    # ... rest of service account JSON

Referencing Secrets

gcp/secret outputs GCP metadata (resource_name, version_name, version_id) — not the actual secret value. To inject secret values (like API keys) into other resources, use pragma/secret instead, which outputs its data keys directly as fields:

# pragma/secret outputs its data keys as fields
# If config.data = {ANTHROPIC_API_KEY: "sk-ant-..."}, then outputs.ANTHROPIC_API_KEY is available
api_key:
  provider: pragma
  resource: secret
  name: anthropic-key
  field: outputs.ANTHROPIC_API_KEY

Notes

  • The project_id and secret_id fields are immutable — changing them requires deleting and recreating the resource.
  • Updates to data create a new secret version automatically.
  • If the secret already exists in GCP, creation is idempotent — it adds a new version to the existing secret.
  • Deletion removes the secret and all its versions permanently.