The Infisical GCP IAM dynamic secret allows you to generate GCP service account access tokens on demand; each token carries the permissions of the service account it is issued for.
GCP service account access tokens cannot be revoked. As such, revoking or regenerating a token does not invalidate the old one; it remains usable until it expires.
You must enable the IAM API and the IAM Credentials API in your GCP console as a prerequisite.

Create GCP Service Account

1. Navigate to IAM & Admin > Service Accounts

2. Create Service Account
3. Configure Service Account Permissions

When you assign specific roles and permissions to this service account, any tokens generated through Infisical's dynamic secrets functionality will inherit these exact permissions. This means that applications using these dynamically generated tokens will have the same access capabilities as defined by the service account's role assignments, ensuring proper access control while maintaining the principle of least privilege. After configuring the appropriate roles, press "DONE".
4. Enable Service Account Impersonation

To enable service account impersonation, you'll need to grant the Service Account Token Creator role to the Infisical instance's service account. This configuration allows Infisical to securely impersonate the new service account.
  • Navigate to the IAM & Admin > Service Accounts section in your Google Cloud Console
  • Select the newly created service account
  • Click on the "PERMISSIONS" tab
  • Click "Grant Access" to add a new principal
If you're using Infisical Cloud US, use the following service account: [email protected]
If you're using Infisical Cloud EU, use the following service account: [email protected]
If you're self-hosting, follow the "Self-Hosted Instance" guide at the top of the page and then use the service account you created.

Set up Dynamic Secrets with GCP IAM

1. Open Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.

2. Click on the 'Add Dynamic Secret' button

3. Select 'GCP IAM'
4. Provide the inputs for dynamic secret parameters

  • Secret Name (string, required): Name by which you want the secret to be referenced
  • Default TTL (string, required): Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
  • Max TTL (string, required): Maximum time-to-live for a generated secret
  • Service Account Email (string, required): The email tied to the service account created in earlier steps

5. Click `Submit`

After submitting the form, you will see a dynamic secret created in the dashboard.
6. Generate dynamic secrets

Once you've successfully configured the dynamic secret, you're ready to generate on-demand credentials. To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This dictates how long the credentials are valid for.
Ensure that the TTL for the lease falls within the maximum TTL defined when configuring the dynamic secret.
Once you click the Submit button, a new secret lease will be generated and the credentials from it will be shown to you.

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the expiration time of the lease or delete a lease before its set time-to-live.

Renew Leases

To extend the life of a generated dynamic secret lease past its initial time-to-live, simply click on the Renew button.
Lease renewals cannot exceed the maximum TTL set when configuring the dynamic secret.
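The lease rules on this page (lease TTL within the max TTL, renewals capped by the max TTL, and the warning at the top that a GCP access token stays usable after its lease is deleted) modelled as a small policy check. This is an added example, not Infisical's own code; the TTL string syntax, the assumption that the max TTL cap is counted from lease creation, and the assumption that a renewal mints a fresh token are all constructed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # assumed TTL syntax: "30m", "1h", "2d"

def parse_ttl(ttl: str) -> timedelta:
    ttl = ttl.strip()
    if len(ttl) < 2 or ttl[-1] not in _UNITS or not ttl[:-1].isdigit():
        raise ValueError(f"unsupported TTL: {ttl!r}")
    return timedelta(seconds=int(ttl[:-1]) * _UNITS[ttl[-1]])

@dataclass
class Lease:
    created: datetime
    expires: datetime            # when Infisical treats the lease as expired
    token_valid_until: datetime  # when GCP itself stops accepting the access token
    revoked: bool = False
    def token_usable_at(self, now: datetime) -> bool:
        # GCP only checks expiry; deleting the lease in Infisical changes nothing on GCP's side.
        return now < self.token_valid_until

class GcpIamDynamicSecret:
    """Lease rules from this page: lease TTL <= max TTL, renewals capped, tokens irrevocable."""
    def __init__(self, default_ttl: str, max_ttl: str):
        self.default_ttl, self.max_ttl = parse_ttl(default_ttl), parse_ttl(max_ttl)
    def issue(self, now: datetime, ttl: str = "") -> Lease:
        life = parse_ttl(ttl) if ttl else self.default_ttl
        if life > self.max_ttl:
            raise ValueError("lease TTL exceeds the dynamic secret's max TTL")
        # Assumption: the minted access token's lifetime equals the lease TTL.
        return Lease(created=now, expires=now + life, token_valid_until=now + life)
    def renew(self, lease: Lease, extra: str) -> Lease:
        new_exp = lease.expires + parse_ttl(extra)
        if new_exp - lease.created > self.max_ttl:  # assumption: cap counted from creation
            raise ValueError("renewal would exceed max TTL")
        lease.expires = lease.token_valid_until = new_exp  # assumption: a fresh token is minted
        return lease

def scenario() -> dict:
    # Constructed walk-through: issue a 1h lease under a 2h max TTL, renew, over-renew, revoke.
    secret = GcpIamDynamicSecret(default_ttl="30m", max_ttl="2h")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lease = secret.issue(t0, "1h")
    out = {"renewed_to_2h": secret.renew(lease, "1h").expires == t0 + timedelta(hours=2)}
    try:
        secret.renew(lease, "1m"); out["over_cap_rejected"] = False
    except ValueError:
        out["over_cap_rejected"] = True
    lease.revoked = True  # lease deleted in Infisical; GCP never hears about it
    out["usable_after_revoke"] = lease.token_usable_at(t0 + timedelta(hours=1, minutes=59))
    out["dead_after_expiry"] = lease.token_usable_at(t0 + timedelta(hours=2))
    return out
```

The practical consequence of `usable_after_revoke` being true is that the max TTL, not lease deletion, is the real bound on how long a leaked token can be used; keep it short.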