GCP Secret Manager

Connect GCP Secret Manager to Paradime so you can reference secrets by resource name in your environment variables and connection profiles — without ever storing plaintext credentials in Paradime.

Prerequisites

A Google Cloud project with the Secret Manager API enabled.
A service account with the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) on the secrets you want to reference.
A JSON key file for the service account.

Step 1 — Create a service account

In the Google Cloud Console, go to IAM & Admin > Service accounts.
Click Create Service Account and give it a descriptive name (e.g. paradime-secrets).
Grant the service account the Secret Manager Secret Accessor role on the project or on individual secrets.
Under Keys, click Add Key > Create new key, select JSON, and download the key file.

For least-privilege access, grant the role on individual secrets rather than at the project level.

Step 2 — Connect in Paradime

Navigate to Settings > Integrations.
Find GCP Secret Manager under the Secret Managers category and click Connect.
Fill in the required fields:

Field

Description

Service Account JSON

Paste the full contents of the JSON key file downloaded in Step 1.

Default Project (optional)

A default GCP project ID. If set, you can omit the project from short-form references.

Click Test connection to verify the credentials.

Step 3 — Reference secrets

Once connected, use GCP Secret Manager resource names anywhere Paradime accepts environment variable values or connection profile fields.

Reference format

projects/<project-id>/secrets/<secret-name>/versions/latest

To pin a specific version:

projects/<project-id>/secrets/<secret-name>/versions/<version-number>

Extracting a JSON key

If your secret value is a JSON object, append #key_name to extract a specific field:

projects/my-project/secrets/prod-db-creds/versions/latest#password

Example — Bolt environment variable

Variable

Value

SNOWFLAKE_PASSWORD

projects/my-project/secrets/snowflake-password/versions/latest

Paradime resolves the resource name to the live secret value at schedule run time. The plaintext value is never stored in Paradime.

Disconnecting

To remove the GCP Secret Manager integration:

Navigate to Settings > Integrations.
Click Disconnect on the GCP Secret Manager card.

Any environment variables or profile fields that reference GCP Secret Manager resource names will fail to resolve after disconnecting. Update them to use literal values before disconnecting.

Last updated 24 days ago

Was this helpful?