Manage GCP Service Accounts new in v0.40.0

These CLI commands can be used to manage service accounts that use the SecretHub GCP Identity Provider. For details about the Identity Provider, see the GCP Integration Reference.

All Commands

To manage GCP service accounts, you can use the following commands:


To create a new service account with the GCP Identity Provider, you can use:

secrethub service gcp init [options] <namespace>/<repo>

Note that the CLI requires encryption rights on the Cloud KMS key that you pass, so the appropriate GCP credentials should be configured on the system where you run this command.

For the CLI to access these credentials, they need to be configured as Application Default Credentials, which you can do using the gcloud auth application-default login command.


The service account is attached to the repository in this path.


The Resource ID of the KMS-key to be used for encrypting the service’s account key.
The email of the GCP Service Account that should have access to this service account.
A description for the service so others will recognize it. Defaults to the name of the role that is attached to the service.
Create an access rule giving the service account permission on a directory. Accepted permissions are read, write and admin. Use --permission <permission> to give permission on the root of the repo and --permission <dir>[/<dir> ...]:<permission> to give permission on a subdirectory.


To list all GCP service accounts attached to a repository, you can use the service gcp ls command:

secrethub service gcp ls [options] <namespace>/<repo>

The service gcp ls command prints out the details of all services, including the GCP Service Account email and Cloud KMS Key they use.


The path to the repository to list services for


-q, --quiet
Only print service IDs.
-T, --timestamp
Show timestamps formatted to RFC3339 instead of human readable durations.

To be able to create service accounts with the GCP Identity Provider, you first need to link your GCP project to a SecretHub namespace. After doing this once for a namespace and GCP project, you can create as many service accounts as you like.

To do this, you can use the service gcp link command:

secrethub service gcp link <namespace> <project-id>

This will open a browser window to perform the link. After successfully completing the link, you can close the browser window and continue in the CLI.

The SecretHub namespace to link.
The GCP project to link the namespace to.

To list all the GCP projects that have been linked to a namespace, you can use the service gcp list-links command:

secrethub service gcp list-links [options] <namespace>
The namespace for which to list all existing links to GCP projects.
-T, --timestamp
Show timestamps formatted to RFC3339 instead of human readable durations.

To delete a GCP project link from a namespace, you can use the service gcp delete-link command:

secrethub service gcp delete-link <namespace> <project-id>

After doing so, you cannot create new GCP service accounts anymore in the specified namespace and GCP project. Exisiting service accounts will keep on working.

The SecretHub namespace to delete the link from.
The GCP project to delete the link to.