Infisical supports service account impersonation to connect with your GCP projects.
Using the GCP integration on a self-hosted instance of Infisical requires configuring a service account on GCP and configuring your instance to use it.
1

Enable the IAM Service Account Credentials API

2

Navigate to IAM & Admin > Service Accounts in Google Cloud Console

3

Create a Service Account

Create a new service account that will be used to impersonate other GCP service accounts for your app connections.
Press “DONE” after creating the service account.
4

Generate Service Account Key

Download the JSON key file for your service account. This will be used to authenticate your instance with GCP.
5

Configure Your Instance

  1. Copy the entire contents of the downloaded JSON key file.
  2. Set it as a string value for the INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL environment variable.
  3. Restart your Infisical instance to apply the changes.
  4. You can now use GCP integration with service account impersonation.

Configure Service Account for Infisical

1

Navigate to IAM & Admin > Service Accounts in Google Cloud Console

2

Create Service Account

Create a new service account with an ID that follows this requirement: your service account ID must end with the first two sections of your Infisical organization ID.
Example:
  • Infisical organization ID: df92581a-0fe9-42b5-b526-0a1e88ec8085
  • Required service account ID suffix: df92581a-0fe9
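A pre-flight check for the naming rule above, written as an added example that is not part of Infisical's documentation or code. The function names and the sample account names are hypothetical; the 6-30 character limit and allowed characters are GCP's own service account ID rules, which cap how long a prefix you can put in front of the required suffix.

```python
import re

# GCP service account ID rules: 6-30 characters, lowercase letters, digits
# and hyphens, starting with a letter and not ending with a hyphen.
GCP_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
GCP_ID_MAX_LEN = 30


def required_suffix(org_id):
    """Return the first two hyphen-separated sections of the organization ID."""
    sections = org_id.strip().lower().split("-")
    if len(sections) < 2 or not all(sections[:2]):
        raise ValueError("organization ID needs at least two sections")
    return "-".join(sections[:2])


def max_prefix_len(org_id):
    """Characters left for a descriptive prefix before the required suffix."""
    return GCP_ID_MAX_LEN - len(required_suffix(org_id))


def check_service_account(account, org_id):
    """Return a list of problems; an empty list means the ID is acceptable.

    `account` may be a bare service account ID or a full service account email.
    """
    account_id = account.split("@", 1)[0]
    suffix = required_suffix(org_id)
    problems = []
    if not GCP_ID_RE.match(account_id):
        problems.append("not a valid GCP service account ID")
    if not account_id.endswith(suffix):
        problems.append("ID must end with %r" % suffix)
    return problems


if __name__ == "__main__":
    org = "df92581a-0fe9-42b5-b526-0a1e88ec8085"  # organization ID from the example above
    # Constructed sample names; "my-project" is a placeholder project ID.
    for candidate in (
        "infisical-sync-df92581a-0fe9@my-project.iam.gserviceaccount.com",
        "infisical-sync@my-project.iam.gserviceaccount.com",
        "infisical-secret-sync-df92581a-0fe9",
    ):
        print(candidate, "->", check_service_account(candidate, org) or "ok")
```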
3

Configure Service Account Permissions

  • Secret Sync
Add the required permissions for secret syncs:
After configuring the appropriate roles, press “DONE”.
4

Enable Service Account Impersonation

To enable service account impersonation, you’ll need to grant the Service Account Token Creator role to the Infisical instance’s service account. This configuration allows Infisical to securely impersonate the new service account.
  • Navigate to the IAM & Admin > Service Accounts section in your Google Cloud Console
  • Select the newly created service account
  • Click on the “PERMISSIONS” tab
  • Click “Grant Access” to add a new principal
If you’re using Infisical Cloud US, use the following service account: [email protected]
If you’re using Infisical Cloud EU, use the following service account: [email protected]

Setup GCP Connection in Infisical

1

Navigate to App Connections

Navigate to the App Connections page in the desired project.
2

Add Connection

Select the GCP Connection option from the connection options modal.
3

Authorize Connection

Select the Service Account Impersonation method and click Connect to GCP.
4

Connection Created

Your GCP Connection is now available for use.