Google Cloud Secret Manager

Required attributes

  • Project Id — the GCP project that owns the secrets.

Authentication methods

  • Service Account Key (requires Project Id, Key JSON). Long-lived; rotate manually. Treat the JSON as a secret and store it inside another vault.
  • Default Credentials (requires Project Id only). Resolves to the attached service account on GCE/GKE/Cloud Run, or the developer's gcloud login locally. Convenient on GCP-hosted Polysync.
  • Workload Identity Federation, recommended cross-cloud (requires Project Id, Provider, Service Account Email). Federates Polysync's Azure / AWS / OIDC identity into GCP, eliminating JSON keys.
  • Impersonated Service Account (requires Project Id, Source Key, Target Service Account Email). Useful for least-privilege chains.

Permissions checklist

  • The chosen identity must hold the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) on each secret.
  • For Workload Identity Federation, configure a Workload Identity Pool and Provider that trusts the Polysync host identity.
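The Impersonated Service Account method and the per-secret accessor role above, as an added example that is not Polysync's own code: the caller's Application Default Credentials are exchanged for the target service account, and the returned payload is checked against the CRC-32C the API sends back. Project, secret and service-account names are placeholders; the Google client libraries are imported lazily so the helpers run without them.

```python
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def secret_version_name(project_id: str, secret_id: str, version: str = "latest") -> str:
    """Resource name expected by access_secret_version; pin a numeric version in production."""
    return f"projects/{project_id}/secrets/{secret_id}/versions/{version}"

def crc32c(data: bytes) -> int:
    """Pure-Python CRC-32C (Castagnoli): the checksum Secret Manager returns as data_crc32c."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def impersonated_client(target_sa_email: str):
    """Secret Manager client acting as target_sa_email (Impersonated Service Account method).

    ADC supplies the source identity; it needs roles/iam.serviceAccountTokenCreator on the
    target, and only the target needs roles/secretmanager.secretAccessor on the secrets.
    """
    import google.auth
    from google.auth import impersonated_credentials
    from google.cloud import secretmanager

    source, _ = google.auth.default()
    target = impersonated_credentials.Credentials(
        source_credentials=source,
        target_principal=target_sa_email,
        target_scopes=[CLOUD_PLATFORM_SCOPE],
    )
    return secretmanager.SecretManagerServiceClient(credentials=target)

def fetch_secret(client, project_id: str, secret_id: str, version: str = "latest") -> bytes:
    """Read one secret version, rejecting a payload whose checksum does not match."""
    name = secret_version_name(project_id, secret_id, version)
    payload = client.access_secret_version(request={"name": name}).payload
    if crc32c(payload.data) != payload.data_crc32c:
        raise ValueError(f"checksum mismatch reading {name}")
    return payload.data

if __name__ == "__main__":
    # Placeholder project, secret and service-account names (assumption); run where ADC is configured.
    client = impersonated_client("polysync-reader@demo-project.iam.gserviceaccount.com")
    print(len(fetch_secret(client, "demo-project", "db-password")), "bytes read")
```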