Google Cloud Secret Manager
Google Cloud Secret Manager is a secure, centralized service for storing API keys, passwords, certificates, and other sensitive configuration data. The EnvManager Google Cloud integration allows you to automatically sync your environment variables from EnvManager directly to Secret Manager in your GCP project.
When you connect Google Cloud to EnvManager, each variable is stored as an individual secret in Secret Manager. No more manually creating secrets or copying values between tools.
What You Can Do
With the Google Cloud Secret Manager integration, you can:
- Connect your GCP project with a secure service account key
- Sync variables as secrets — each variable becomes its own secret in Secret Manager
- Use a name prefix to namespace your secrets and avoid conflicts with existing ones
- Choose which environments to sync — control exactly which EnvManager environments push to GCP
- Automatic syncing — secrets update in GCP whenever you change variables in EnvManager
- Manual sync control — trigger syncs on demand when you need them
- Track sync history — see when secrets were synced and if any errors occurred
Before You Begin
To connect Google Cloud, you need:
- An EnvManager account with a project created
- A Google Cloud account with an active project
- Admin or Owner role in your EnvManager organization (required to manage integrations)
- The Secret Manager API enabled in your GCP project
- A GCP service account with the Secret Manager Admin role and a JSON key file
The sections below walk you through enabling the API and creating the service account.
How to Enable the Secret Manager API
Open the Google Cloud Console
Go to console.cloud.google.com and make sure you have the correct project selected in the top navigation bar.
Navigate to APIs & Services
In the left menu, click APIs & Services, then click Library.
Search for Secret Manager
In the search box, type Secret Manager API and press Enter.
Enable the API
Click the Secret Manager API result, then click the Enable button.
Wait a few seconds for the API to activate. You'll be redirected to the API overview page once it's ready.
Already enabled? If you see a "Manage" button instead of "Enable", the API is already active in your project. You can skip this section.
How to Create a Service Account
EnvManager connects to GCP using a service account, not your personal Google account. This limits access to only what's needed.
Open IAM & Admin
In the Google Cloud Console, click the left menu and go to IAM & Admin > Service Accounts.
Create a New Service Account
Click Create Service Account at the top of the page.
Fill In Account Details
- Service account name: envmanager-sync (or any name you prefer)
- Service account ID: Auto-filled based on the name
- Description: Used by EnvManager to sync environment variables to Secret Manager
Click Create and Continue.
Assign the Role
In the "Grant this service account access to project" step:
- Click the Select a role dropdown
- Search for Secret Manager Admin
- Select it
Click Continue, then click Done.
Create and Download a JSON Key
From the Service Accounts list, click on the service account you just created.
- Go to the Keys tab
- Click Add Key > Create new key
- Select JSON as the key type
- Click Create
A JSON file will download to your computer. Keep this file safe — you'll paste its contents into EnvManager in the next step.
Security Note: The JSON key file grants access to your GCP project. Do not commit it to version control, share it publicly, or leave it on your filesystem longer than necessary. EnvManager stores the credentials encrypted.
Connecting Your GCP Project
Navigate to Integrations
From your EnvManager project, click the Integrations tab in the navigation menu.
Open the Google Cloud Connection Modal
Find the Google Cloud Secret Manager card and click the Connect button.
Enter Connection Details
Fill in the form:
- Connection Name — Give this connection a friendly name (e.g., "Production GCP Project")
- Service Account JSON — Paste the full contents of the JSON key file you downloaded
EnvManager will automatically extract the Project ID from the JSON and display it below the field for confirmation.
Validate Credentials
Click Validate Credentials to test the connection. EnvManager will check that:
- The JSON is valid and complete
- The service account exists in GCP
- The credentials have access to Secret Manager in your project
You'll see a success indicator and your Project ID confirmed once validation passes.
Complete the Connection
Click Connect to save the connection. Your GCP project is now linked to this EnvManager organization.
Configuring Your Sync
After connecting GCP, you need to configure which environments sync and how secrets are named.
Open Configuration
On the Google Cloud integration card, click Configure to open the sync configuration modal.
Enable Environments for Sync
You'll see a list of your EnvManager environments. Toggle on each environment you want to sync to GCP Secret Manager.
You can enable all environments or just specific ones — for example, only syncing your Production environment.
Set an Optional Secret Name Prefix
A prefix is added to the beginning of every secret name in GCP. This is useful to:
- Namespace your secrets (e.g., myapp_ so secrets appear as myapp_DATABASE_URL)
- Avoid naming conflicts with existing secrets in your GCP project
- Identify which secrets were created by EnvManager
Leave this field empty if you don't need a prefix.
Configure Sync Options
Choose what and when to sync:
| Option | Description | Recommended |
|---|---|---|
| Auto-sync | Automatically sync when variables change in EnvManager | Enabled for most use cases |
| Sync secrets | Include secret variables | Enabled |
| Sync regular variables | Include non-secret variables | Enabled |
Save Configuration
Review your settings and click Save Configuration. Your sync is now active.
Syncing Variables
Automatic Syncing
If you enabled auto-sync, EnvManager will automatically push variables to GCP Secret Manager whenever:
- You add a new variable (creates a new secret)
- You edit an existing variable's value (adds a new secret version)
- You delete a variable (the secret remains in GCP — it is not deleted)
Changes typically appear in GCP within seconds.
Manual Syncing
You can trigger a sync manually at any time:
Click Sync Now
On the Google Cloud integration card, click the Sync Now button.
Watch the Progress
A progress indicator shows the sync status. The sync will:
- Gather variables from enabled EnvManager environments
- Create or update each variable as a secret in GCP
- Report success or errors per environment
Verify in GCP Console
Open console.cloud.google.com/security/secret-manager to confirm secrets appeared correctly.
Manual sync is useful when setting up the integration for the first time or when you want to immediately verify a change reached GCP.
Secret Naming in GCP
GCP Secret Manager enforces strict naming rules. EnvManager automatically sanitizes your variable names to comply:
- Only letters, numbers, underscores (_), and hyphens (-) are allowed
- Names must start with a letter
- Maximum length is 255 characters
- Characters that don't meet these rules are replaced with underscores
If you set a prefix, it is prepended before this sanitization step:
| EnvManager Variable | Prefix | GCP Secret Name |
|---|---|---|
| DATABASE_URL | (none) | DATABASE_URL |
| DATABASE_URL | myapp_ | myapp_DATABASE_URL |
| NEXT_PUBLIC_API | prod_ | prod_NEXT_PUBLIC_API |
Secret versions: Every time a variable value changes, GCP Secret Manager stores it as a new version of the existing secret. Previous versions are retained by GCP, so you have a full history of value changes.
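Because invalid characters are replaced with underscores, two different variable names can end up as the same secret name and would then write to one shared secret. The sketch below is an added example, not EnvManager's own code: it applies the naming rules listed above to report such collisions and any overlap with secrets already in the project. The handling of a leading non-letter and of over-long names is an assumption, since this page does not describe it, and the function names and sample data are hypothetical.

```python
import re
from collections import defaultdict

MAX_LEN = 255  # maximum secret name length stated on this page


def sanitize(var_name, prefix=""):
    """Prepend the prefix, then sanitize, in the order the page describes."""
    name = re.sub(r"[^A-Za-z0-9_-]", "_", prefix + var_name)
    # ASSUMPTION: the page does not say how a leading non-letter is handled;
    # this sketch prepends "s_" so the result starts with a letter.
    if not name[:1].isalpha():
        name = "s_" + name
    # ASSUMPTION: over-long names are truncated (the page only gives the limit).
    return name[:MAX_LEN]


def find_collisions(var_names, prefix=""):
    """Map each secret name shared by several variables to those variables."""
    by_secret = defaultdict(list)
    for var in var_names:
        by_secret[sanitize(var, prefix)].append(var)
    return {s: v for s, v in by_secret.items() if len(v) > 1}


def find_overlaps(var_names, existing_secrets, prefix=""):
    """Secret names the sync would write to that already exist in the project."""
    return sorted({sanitize(v, prefix) for v in var_names} & set(existing_secrets))


# Constructed sample data, not taken from any real project.
VARS = ["DATABASE_URL", "API.KEY", "API KEY", "API_KEY", "2FA_SECRET"]
EXISTING = ["DATABASE_URL", "legacy-token"]

if __name__ == "__main__":
    for prefix in ("", "myapp_"):
        print(f"prefix={prefix!r}")
        for var in VARS:
            print(f"  {var!r:16} -> {sanitize(var, prefix)}")
        print("  collisions:", find_collisions(VARS, prefix))
        print("  overlaps with existing:", find_overlaps(VARS, EXISTING, prefix))
```

A prefix removes the overlap with existing secrets but not collisions between your own variables; those have to be renamed in EnvManager.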
Managing Your Connection
Updating Configuration
To change which environments sync or update the prefix:
- Click Configure on the Google Cloud integration card
- Make your changes
- Click Save Configuration
The new configuration takes effect immediately for the next sync.
Disconnecting Google Cloud
To remove the Google Cloud integration:
- Click the Disconnect button on the integration card
- Confirm the disconnection in the dialog that appears
Important: Disconnecting does NOT remove secrets from GCP Secret Manager. Your secrets remain in GCP, but future changes in EnvManager won't sync. You can manually delete secrets from the GCP Console if needed.
Reconnecting
If you disconnect and want to reconnect later:
- Click Connect again and go through the connection process
- You can use the same service account JSON or create a new key
- You'll need to reconfigure your environment toggles and prefix
Tips & Best Practices
Start with Manual Sync
When setting up the integration for the first time:
- Configure with auto-sync disabled
- Trigger a manual sync to verify secrets appear in GCP
- Confirm the secret names and values look correct in the GCP Console
- Enable auto-sync once you're confident everything is working
Use a Prefix to Namespace Your Secrets
If your GCP project is used for multiple applications or already has existing secrets, use a prefix to keep EnvManager-managed secrets clearly identified. For example, myapp_prod_ makes it obvious which secrets belong to this application and environment.
Limit Service Account Permissions
The Secret Manager Admin role grants broad access. If you prefer tighter security, you can use the Secret Manager Secret Accessor and Secret Manager Secret Version Manager roles together instead — they provide only what EnvManager needs to create and update secrets.
Rotate Keys Periodically
Service account keys don't expire automatically. For security, rotate your JSON key every few months:
- Create a new key for the service account in GCP
- Update the connection in EnvManager by disconnecting and reconnecting with the new JSON
- Delete the old key from the service account in GCP
Troubleshooting
"Permission denied" error during validation or sync
Cause: The service account does not have the Secret Manager Admin role in your GCP project.
Solution:
- Go to console.cloud.google.com/iam-admin/iam
- Find the service account in the list
- Confirm it has the Secret Manager Admin role (or the equivalent custom roles)
- If the role is missing, click the edit icon and add it, then try again
"Secret Manager API is not enabled" error
Cause: The Secret Manager API is not active in the GCP project referenced by your service account JSON.
Solution:
- Follow the steps in How to Enable the Secret Manager API above
- Make sure you're enabling the API in the correct project (check the project selector in the top bar)
- Wait a minute after enabling, then retry validation in EnvManager
"Invalid credentials" error during validation
Cause: The service account JSON is incomplete, malformed, or belongs to a different project.
Solution:
- Re-download the JSON key file from GCP — do not copy-paste from a partial view
- Make sure you're pasting the entire contents of the file, including the opening and closing {}
- Verify the project_id in the JSON matches the GCP project where Secret Manager is enabled
Variables not appearing in GCP Secret Manager
Cause: The sync may have failed, or the environment is not enabled for sync.
Solution:
- Click Configure and verify that the relevant environments are toggled on
- Check the sync history for error messages on the integration card
- Trigger a manual sync and watch for errors
- Confirm the correct GCP project is connected by checking the Project ID shown on the integration card
Auto-sync not triggering
Cause: Auto-sync may be disabled in the configuration, or the sync is failing silently.
Solution:
- Click Configure and verify Auto-sync is enabled
- Check the sync history for recent failed syncs
- Try a manual sync to confirm the connection is still working
- If the service account key was rotated or deleted, reconnect with a valid JSON key