Configure access to Google Secret Manager

This page provides instructions for configuring access to secrets in the Google Secret Manager for your Anyscale workloads.

Anyscale recommends configuring access to Secret Manager for all Anyscale clouds on Google Cloud. Anyscale recommends that you have a dedicated project in your Google account to isolate secrets for each cloud deployment in your organization.

All configuration occurs in the Google Cloud account tied to your Anyscale cloud. You must have sufficient permissions in your Google Cloud to view resources and modify service accounts. Contact your Google Cloud account administrator if you don't have adequate permissions.

Step 1: Enable the Secret Manager API

Follow the instructions in the Google Cloud docs to Enable the Secret Manager API in the Google Project you are using.

Step 2: Create a secret

Follow the instructions in the Google Cloud docs to Create and access a secret using Secret Manager.

Step 3: Determine the service account your cluster uses

You configure the default service account for all clusters in a cloud during cloud deployment. See 4. Create an Anyscale Cloud.

The service account you use depends on the following:

  • Anyscale configures a default cloud-specific service account if you use anyscale cloud setup for cloud deployment.
  • If you deployed your cloud by registering your own resources, you configured a custom service account.
  • Anyscale cloud owners can configure additional IAM mapping. See Anyscale Cloud IAM mapping (Developer Preview).

For more details, see Manage GCP service accounts.

Step 4: Grant the service account access to the secret

Each service account that Anyscale clusters run under must hold an IAM role that permits reading secrets. To grant access, complete the following:

  1. Go to the Google Cloud IAM page.
  2. Search for and select the cluster's service account, then click Edit.
  3. In the Assign Roles section, select Add another role and search for Secret Manager Secret Accessor.
  4. Click Save.
Info: These steps grant access to all secrets stored in the project. For more granular access, see the Google Secret Manager docs.

If your security requirements demand it, you may need to add the service account as a principal to specific secrets instead of applying the broader role. For more details, see Principle of least privilege.
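The same grant done from the command line, as an added example that is not Anyscale's own tooling: it binds the Secret Accessor role on named secrets only (the least-privilege option), offers the project-wide equivalent of the console steps, and checks that the binding exists. It assumes gcloud is installed and authenticated; the project, service account and secret names are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Anyscale tooling). Assumes gcloud is installed and
# authenticated; all project, service-account and secret names are placeholders.
set -eu

ROLE="roles/secretmanager.secretAccessor"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the gcloud commands instead of running them

# run_cmd: execute a command, or echo it when DRY_RUN=1
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# grant_secret_access PROJECT SA_EMAIL SECRET...
# Binds the accessor role on each named secret only, so the service account
# cannot read any other secret in the project.
grant_secret_access() {
  project="$1"; sa_email="$2"; shift 2
  for secret in "$@"; do
    run_cmd gcloud secrets add-iam-policy-binding "$secret" \
      --project="$project" \
      --member="serviceAccount:$sa_email" \
      --role="$ROLE"
  done
}

# grant_project_access PROJECT SA_EMAIL
# Project-wide equivalent of the console steps: every secret in the project
# becomes readable by the service account.
grant_project_access() {
  run_cmd gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" \
    --role="$ROLE"
}

# check_secret_access PROJECT SA_EMAIL SECRET
# Exits 0 only if the service account holds the accessor role on that secret.
check_secret_access() {
  gcloud secrets get-iam-policy "$3" --project="$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:$ROLE AND bindings.members:serviceAccount:$2" \
    --format="value(bindings.members)" | grep -q .
}

# Example with placeholder values:
# grant_secret_access my-project cluster-sa@my-project.iam.gserviceaccount.com db-password api-key
# check_secret_access my-project cluster-sa@my-project.iam.gserviceaccount.com db-password
```

Run with `DRY_RUN=1` first to review the exact bindings before applying them to the project.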

To read these secrets from a workload, see Use secrets on Anyscale.