# GCP Secret Manager

Connect GCP Secret Manager to Paradime so you can reference secrets by resource name in your environment variables and connection profiles — without ever storing plaintext credentials in Paradime.

### Prerequisites

* A Google Cloud project with the **Secret Manager API** enabled.
* A service account with the **Secret Manager Secret Accessor** role (`roles/secretmanager.secretAccessor`) on the secrets you want to reference.
* A JSON key file for the service account.

### Step 1 — Create a service account

1. In the **Google Cloud Console**, go to **IAM & Admin > Service accounts**.
2. Click **Create Service Account** and give it a descriptive name (e.g. `paradime-secrets`).
3. Grant the service account the **Secret Manager Secret Accessor** role on the project or on individual secrets.
4. Under **Keys**, click **Add Key > Create new key**, select **JSON**, and download the key file.

{% hint style="info" %}
For least-privilege access, grant the role on individual secrets rather than at the project level.
{% endhint %}

### Step 2 — Connect in Paradime

1. Navigate to **Settings > Integrations**.
2. Find **GCP Secret Manager** under the **Secret Managers** category and click **Connect**.
3. Fill in the required fields:

| Field                            | Description                                                                            |
| -------------------------------- | -------------------------------------------------------------------------------------- |
| **Service Account JSON**         | Paste the full contents of the JSON key file downloaded in Step 1.                     |
| **Default Project** *(optional)* | A default GCP project ID. If set, you can omit the project from short-form references. |

4. Click **Test connection** to verify the credentials.

### Step 3 — Reference secrets

Once connected, use GCP Secret Manager resource names anywhere Paradime accepts environment variable values or connection profile fields.

#### Reference format

```
projects/<project-id>/secrets/<secret-name>/versions/latest
```

To pin a specific version:

```
projects/<project-id>/secrets/<secret-name>/versions/<version-number>
```

#### Extracting a JSON key

If your secret value is a JSON object, append `#key_name` to extract a specific field:

```
projects/my-project/secrets/prod-db-creds/versions/latest#password
```

#### Example — Bolt environment variable

| Variable             | Value                                                            |
| -------------------- | ---------------------------------------------------------------- |
| `SNOWFLAKE_PASSWORD` | `projects/my-project/secrets/snowflake-password/versions/latest` |

Paradime resolves the resource name to the live secret value at schedule run time. The plaintext value is never stored in Paradime.
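
The following is an added example, not Paradime's code: a Python check that parses the reference format above, classifies environment variable values as plaintext literals, floating `latest` references or pinned versions, and applies `#key_name` to a JSON payload locally. The project-ID and secret-name patterns follow GCP naming rules and, like the function names, are assumptions; Paradime's own validation may differ.

```python
import json
import re

# Assumed grammar: GCP naming rules for project IDs and secret names plus the
# page's "#key_name" suffix. Not Paradime's own parser.
REF_RE = re.compile(
    r"projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/secrets/(?P<secret>[A-Za-z0-9_-]{1,255})"
    r"/versions/(?P<version>latest|[1-9][0-9]*)"
    r"(?:#(?P<key>[^#]+))?"
)


def parse_reference(value):
    """Return the reference's parts as a dict, or None for a literal value."""
    m = REF_RE.fullmatch(value.strip())
    return m.groupdict() if m else None


def extract_field(payload, key):
    """Apply '#key' to a secret payload (missing-key behaviour is assumed)."""
    if key is None:
        return payload
    doc = json.loads(payload)  # ValueError if the payload is not JSON
    if not isinstance(doc, dict) or key not in doc:
        raise KeyError(f"secret payload has no field {key!r}")
    return doc[key]


def audit(env):
    """Classify each value: 'literal', 'floating' (latest) or 'pinned'."""
    report = {}
    for name, value in env.items():
        ref = parse_reference(value)
        kind = "floating" if ref and ref["version"] == "latest" else "pinned"
        report[name] = kind if ref else "literal"
    return report


# Constructed sample values; only the first two strings appear on the page.
SAMPLE_ENV = {
    "SNOWFLAKE_PASSWORD": "projects/my-project/secrets/snowflake-password/versions/latest",
    "DB_PASSWORD": "projects/my-project/secrets/prod-db-creds/versions/latest#password",
    "API_TOKEN": "projects/my-project/secrets/api-token/versions/7",
    "LEGACY_KEY": "constructed-plaintext-value",
}

if __name__ == "__main__":
    print(audit(SAMPLE_ENV))
```

Values reported as `literal` are the ones to move into Secret Manager; `floating` references pick up whatever version is newest at run time, while `pinned` ones change only when the reference is edited.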

### Disconnecting

To remove the GCP Secret Manager integration:

1. Navigate to **Settings > Integrations**.
2. Click **Disconnect** on the GCP Secret Manager card.

{% hint style="warning" %}
Any environment variables or profile fields that reference GCP Secret Manager resource names will fail to resolve after disconnecting. Update them to use literal values before disconnecting.
{% endhint %}

