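# ExternalSecret: asks the External Secrets Operator to copy the remote
# secret "sovereign-creds" into the Kubernetes Secret "db-creds".
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  # No namespace is set, so this object and the Secret it produces land in
  # whichever namespace the manifest is applied to.
  name: db-creds-ext
spec:
  dataFrom:
    # extract imports every key/value pair held in the remote secret, not a
    # selected subset; anything stored in "sovereign-creds" becomes readable
    # by whoever can read the "db-creds" Secret.
    - extract:
        key: sovereign-creds
  # The provider is re-read on this interval, so a rotated or revoked value
  # can remain in the cluster for up to an hour.
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-provider
    # Cluster-scoped store: it can be referenced from any namespace unless
    # the store itself restricts namespaces (its definition is not shown
    # here; confirm).
    kind: ClusterSecretStore
  target:
    name: db-creds
    # Owner: the operator creates the Secret and owns it, so removing this
    # ExternalSecret also removes "db-creds".
    creationPolicy: Owner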
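---
# IAMPolicyMember (Config Connector): grants a single service account read
# access to a single Secret Manager secret.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-sovereign-creds
spec:
  # ${cluster_hash} and ${gcp_project_id} are template placeholders; they are
  # presumably substituted before the manifest is applied. Verify the rendered
  # value, since a wrong substitution grants access to a different identity.
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  # The binding is attached to the secret itself rather than to the project,
  # so it covers only "sovereign-creds".
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    # external: the secret is referenced by its full resource path instead
    # of by an in-cluster SecretManagerSecret object.
    external: projects/${gcp_project_id}/secrets/sovereign-creds
  # secretAccessor permits reading secret payloads only; it does not allow
  # creating, modifying or deleting the secret.
  role: roles/secretmanager.secretAccessor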