HOWTO: Sync Secrets to Google Secret Manager

GCP-resident workloads and DR scenarios require secrets to be available in Google Secret Manager — not just on-prem in Vault. This HOWTO covers configuring the External Secrets Operator (ESO) to synchronise the relevant subset of platform secrets into GSM, defining the sync policy and version lifecycle, and validating that GCP workloads can consume the secrets at runtime. The GSM sync path is the credential foundation for Cloud SQL DR and GCP-side automation.

What this covers:

  • ESO SecretStore and ExternalSecret configuration for GSM synchronisation
  • Sync policy: which secrets, which versions, and rotation lifecycle in GSM
  • GCP workload consumption validation: Secret Manager IAM binding and runtime secret access

Learn this in Academy: Platform Services track