Use Vault Secret Credential with GCP Secret Manager

Describes using vault secret credentials, where the credentials secret (password) are stored as a secret in GCP Secret Manager.

You can use vault secret credentials to access cloud resources, to access other databases with database links, or use anywhere that username/password type credentials are required.

Prerequisites to Create Vault Secret Credential with GCP Secret Manager

Describes the required prerequisites to use vault secret credentials with GCP Secret Manager.

To create vault secret credentials where the secret is stored in GCP Secret Manager, first perform the required prerequisites.

  1. Create a secret in GCP Secret Manager.
  2. Enable Google Service Account authentication to provide access to GCP Secret Manager.

    On the Google Cloud console you must grant read access to the secret to the principal authentication credential.

    1. Go to the Secret Manager page in the Google Cloud console.
    2. On the Secret Manager page, click the checkbox next to the name of the secret.
    3. If it is not already open, click Show Info Panel to open the panel.
    4. In the info panel, click Add Principal.
    5. In the New principals text area, enter the service account name to add.
    6. In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.

Create Vault Secret Credential with GCP Secret Manager

Describes the steps to use an GCP Secret Manager secret to store secrets for use with the credentials you use to access cloud resources.

This allows you to store a secret in GCP Secret Manager and use the secret with the credentials you create to access cloud resources or to access other databases.

To create vault secret credentials where the secret is stored in GCP Secret Manager:

  1. Create a secret manager secret accessor to allow your Autonomous Database principal to access secrets in GCP Secret Manager.
  2. Enable Google service account based authentication to provide access to the secret in the GCP Secret Manager.
  3. Use DBMS_CLOUD.CREATE_CREDENTIAL to create a vault secret credential to access the GCP Secret Manager secret.

    For example:

    BEGIN DBMS_CLOUD.CREATE_CREDENTIAL(
        credential_name      => 'GCP_SECRET_CRED',
        params               => JSON_OBJECT( 
              'username'   value 'gcp_user1',
              'secret_id'  value 'my-secret',
              'gcp_project_id' value 'my-sample-project-191923' ));
    END;
    /

    Where:

    • username: is the username of the original credential. It can be the username of any type of username/password credential.

    • secret_id: is the secret name. When you store the password mysecret in the vault, use the secret name as the value of the secret_id parameter.

    • gcp_project_id: is the ID of the project where the secret is located.

    See CREATE_CREDENTIAL Procedure for more information.

  4. Use the credential to access a cloud resource.

    For example:

    SELECT count(*) FROM DBMS_CLOUD.LIST_OBJECTS(
               'GCP_SECRET_CRED',
               'https://bucketname.storage.googleapis.com/' );
Note

Every 12 hours the secret (password) is refreshed from the content in the GCP Secret Manager. If you change the secret value in the GCP Secret Manager, it can take up to 12 hours for the Autonomous Database instance to pick up the latest secret value.

Run DBMS_CLOUD.REFRESH_VAULT_CREDENTIAL to immediately refresh a vault secret credential. This procedure gets the latest version of the vault secret from GCP Secret Manager. See REFRESH_VAULT_CREDENTIAL Procedure for more information.