Integrate Secret Manager with Google SecOps

This document explains how to integrate Secret Manager with Google Security Operations.

Use cases

The Secret Manager integration uses Google SecOps capabilities to support the following use cases:

  • Centralize credential management: Eliminate hardcoded application credentials embedded in your SOAR configuration files and scripts by centrally storing, auditing, and managing them within Google Cloud.
  • Synchronize parameters: Automate configuration management using a background sync job to fetch entries from Google Cloud Secret Manager and update integration instances, connectors, and jobs.

Before you begin

Before you configure the integration in the Google SecOps platform, verify that you have configured your environment using the following steps:

  1. Create a service account.
  2. Enable the required APIs for your project.
  3. Choose and configure one of the following authentication methods:
    • Option 1: JSON key: This method relies on a static, long-lived private key file that you store in the platform. Use it only if Workload Identity isn't available in your environment.
    • Option 2: Workload Identity (recommended): This method obtains short-lived access tokens through service account impersonation, so no secret has to be stored in the platform at all.

Create a service account

To create a service account for the integration, complete the following steps:

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts and select your project.

  2. Click Create service account.

  3. Provide a name and description and click Done to create the account.

  4. Grant the required IAM permissions to the service account depending on your chosen authentication method:

    • For Service Account Key authentication, grant the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) role.
    • For Workload Identity authentication, grant the target service account being impersonated the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) role, and ensure your runtime environment's identity has the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) role.

Enable the required APIs for your project

  1. In the Google Cloud console, go to APIs & Services.

  2. Click Enable APIs and Services.

  3. Search for and enable the Secret Manager API for your project.

Configure a JSON key

You can authenticate the integration with either a static JSON key file or Workload Identity. Prefer Workload Identity; use the JSON key method only if Workload Identity isn't supported in your infrastructure, because a static key must be rotated manually and is one more long-lived credential that can leak.

To generate the JSON key file required to authenticate the integration, complete the following steps:

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts and select the service account you created.

  2. Go to the Keys tab.

  3. Click Add key.

  4. Select Create new key.

  5. For the key type, select JSON and click Create. The JSON file downloads to your computer.

  6. Copy the entire content of this file and paste it into Service Account JSON during integration configuration.

Configure Secret Manager permissions

Use the following procedure to grant the service account the only permission the integration needs: read access to secret payloads in your Google Cloud project. Secret Manager Secret Accessor allows accessing secret versions but not listing, creating, or modifying secrets, which is all the integration requires. Granting it at the project level, as below, lets the account read every secret in the project; if the integration only needs specific secrets, grant the same role on those individual secrets instead.

  1. In the Google Cloud console, go to IAM & Admin > IAM.
  2. Locate the service account you created in the principals list and click Edit principal.
  3. Click Add another role.
  4. In the role selection field, search for and select Secret Manager Secret Accessor.
  5. Click Save.

Configure Workload Identity credentials

Choose this method or the JSON key method to authenticate the integration. Workload Identity is the recommended and more secure approach because it obtains short-lived access tokens through service account impersonation, so no long-lived secret credential is stored or exposed.

Identify the unique instance identity

To use Workload Identity, you must grant your Google SecOps instance permission to impersonate your service account. This step allows the instance to securely access Google Cloud resources.

  1. In Google SecOps, go to Content Hub > Response Integrations.
  2. Select the integration you're configuring, and enter your service account email in the Workload Identity Email field.
  3. Click Save > Test. The test is expected to fail.
  4. Click the close icon to the right of Test and search the error message for the identity email beginning with gke-init-python@... or soar-python@....

    Copy this unique email address. It is the identity of your Google SecOps instance, and in the next procedure you grant it permission to impersonate your service account. Leave your own service account email in the Workload Identity Email field.

Authorize the instance identity in Google Cloud

Once you have retrieved the unique identity for your Google SecOps instance, you must authorize it to access your Google Cloud resources. This step enables service account impersonation, allowing the platform to generate short-lived tokens and act on your behalf without the need for static keys.

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts.
  2. Select the target service account and navigate to Permissions > Grant Access.
  3. Paste the unique email address into the New principals field.
  4. Assign the Service Account Token Creator role.
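The two procedures above produce two IAM policies: one on the secret (or project) giving your service account Secret Manager Secret Accessor, and one on the service account giving the Google SecOps instance identity Service Account Token Creator. The following Python script is an added example, not part of the integration or of Google's documentation, that audits both as they would be printed by gcloud secrets get-iam-policy --format=json, gcloud iam service-accounts get-iam-policy --format=json and gcloud iam service-accounts keys list --format=json. The service account name, instance identity, policies and key list are constructed for the example. Beyond confirming the grants the page describes, it flags what a practitioner should also look for: public members, overbroad roles on the integration's principal, other principals that can impersonate the service account, and user-managed keys that remain after Workload Identity is working.

```python
"""Audit the IAM grants behind the Secret Manager integration (illustrative, not the integration's code)."""
from __future__ import annotations

SECRET_ACCESSOR = "roles/secretmanager.secretAccessor"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Roles that grant far more than reading a secret payload; flag them if the integration's principal holds one.
OVERBROAD = {"roles/owner", "roles/editor", "roles/secretmanager.admin"}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def roles_for(policy: dict, member: str) -> set[str]:
    """Roles bound to `member` in a policy document as printed by `gcloud ... get-iam-policy --format=json`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_grants(secret_policy: dict, sa_policy: dict, sa_email: str,
                 secops_identity: str | None = None, sa_keys: list[dict] | None = None) -> list[str]:
    """Return findings as strings; an empty list means the grants match the least-privilege setup above.

    secret_policy   IAM policy of the secret (or of the project, if the role was granted there)
    sa_policy       IAM policy of the service account the integration authenticates as
    secops_identity the gke-init-python@/soar-python@ identity copied from the failed Test; None for JSON key mode
    sa_keys         output of `gcloud iam service-accounts keys list --format=json`
    """
    findings: list[str] = []
    sa_member = f"serviceAccount:{sa_email}"

    # Nobody should reach a secret or an impersonation grant anonymously.
    for label, policy in (("secret", secret_policy), ("service account", sa_policy)):
        for binding in policy.get("bindings", []):
            exposed = PUBLIC & set(binding.get("members", []))
            if exposed:
                findings.append(f"{label} policy grants {binding['role']} to {', '.join(sorted(exposed))}")

    secret_roles = roles_for(secret_policy, sa_member)
    if SECRET_ACCESSOR not in secret_roles:
        findings.append(f"{sa_email} lacks {SECRET_ACCESSOR} on the secret")
    for role in sorted(secret_roles & OVERBROAD):
        findings.append(f"{sa_email} holds {role}, which is far more than reading secret payloads requires")

    if secops_identity is None:
        return findings  # JSON key mode: the static key itself is the only other credential

    # Workload Identity mode: exactly the instance identity should be able to mint tokens for the SA.
    wi_member = f"serviceAccount:{secops_identity}"
    token_creators: set[str] = set()
    for binding in sa_policy.get("bindings", []):
        if binding["role"] == TOKEN_CREATOR:
            token_creators |= set(binding.get("members", []))
    if wi_member not in token_creators:
        findings.append(f"{secops_identity} cannot impersonate {sa_email}: missing {TOKEN_CREATOR} on the service account")
    for other in sorted(token_creators - {wi_member}):
        findings.append(f"{other} can also impersonate {sa_email}; remove it unless it is needed")

    # With impersonation working, a leftover user-managed key is an unnecessary long-lived credential.
    user_keys = [k for k in (sa_keys or []) if k.get("keyType") == "USER_MANAGED"]
    if user_keys:
        findings.append(f"{sa_email} still has {len(user_keys)} user-managed key(s); delete them once Workload Identity works")
    return findings


# Constructed sample data (not real identities or policies).
SA_EMAIL = "secops-secret-reader@example-project.iam.gserviceaccount.com"
SECOPS_IDENTITY = "soar-python@example-secops-tenant.iam.gserviceaccount.com"

GOOD_SECRET_POLICY = {"bindings": [{"role": SECRET_ACCESSOR, "members": [f"serviceAccount:{SA_EMAIL}"]}]}
GOOD_SA_POLICY = {"bindings": [{"role": TOKEN_CREATOR, "members": [f"serviceAccount:{SECOPS_IDENTITY}"]}]}
GOOD_KEYS = [{"keyType": "SYSTEM_MANAGED", "name": f"projects/example-project/serviceAccounts/{SA_EMAIL}/keys/aaa"}]

BAD_SECRET_POLICY = {"bindings": [
    {"role": SECRET_ACCESSOR, "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA_EMAIL}"]},
]}
BAD_SA_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR, "members": [f"serviceAccount:{SECOPS_IDENTITY}", "user:dev@example.com"]},
]}
BAD_KEYS = GOOD_KEYS + [{"keyType": "USER_MANAGED", "name": f"projects/example-project/serviceAccounts/{SA_EMAIL}/keys/bbb"}]

if __name__ == "__main__":
    for name, args in (("good", (GOOD_SECRET_POLICY, GOOD_SA_POLICY, SA_EMAIL, SECOPS_IDENTITY, GOOD_KEYS)),
                       ("bad", (BAD_SECRET_POLICY, BAD_SA_POLICY, SA_EMAIL, SECOPS_IDENTITY, BAD_KEYS))):
        print(name, audit_grants(*args) or "no findings")
```

Pass secops_identity=None to audit a JSON key deployment; the script then only checks the Secret Accessor grant and public or overbroad bindings, since there is no impersonation chain to verify.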

Integration parameters

The Secret Manager integration requires the following configuration parameters:

Parameter Description
Service Account JSON

Optional.

The content of the service account key JSON file used to authenticate with Secret Manager.

You can configure either this parameter or Workload Identity Email.

Project ID

Optional.

The Google Cloud Project ID where your secrets are stored.

If not provided, the integration attempts to infer this from the Service Account JSON if present, though explicitly specifying it is recommended.

Workload Identity Email

Optional.

The service account email address to impersonate when authenticating via Workload Identity (Application Default Credentials).

Use this configuration instead of the Service Account JSON parameter when the SOAR platform or remote agent runs inside Google Cloud with Workload Identity enabled.

Verify SSL

Required.

If selected, the integration validates the SSL certificate when establishing a connection to Secret Manager.

Enabled by default (True).

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Ping

Use the Ping action to validate connectivity and verify configuration parameters against the target Secret Manager instance.

This action is primarily used for immediate connection testing from the integration configuration page in the Marketplace and does not execute on individual Google Cloud entities.

Action inputs

There are no input parameters required for this action.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available

Output messages

The Ping action can return the following output messages:

Output message Message description

Successfully connected to the Secret Manager server with the provided connection parameters!

The action succeeded and credentials are valid.
Failed to connect to Secret Manager! Error is ERROR_REASON

The action failed.

Check your authentication credentials, Project ID configuration, IAM permissions, or network connectivity.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
is_success true or false

Jobs

Sync Integration Credentials Job

Use the Secret Manager - Sync Integration Credentials Job to synchronize configuration parameters from Secret Manager entries into your platform's integration instances, connectors, and background jobs, so that a credential rotated in Secret Manager is updated automatically wherever the platform uses it.

This background sync task operates globally and does not execute on individual entities.

Job behavior

The job parses a structured configuration object (the Credential Mapping) to locate each secret, and accepts two reference styles:

  • Implied notation: projects/<project_id>/secrets/<secret_name>. The sync task resolves the reference to the latest enabled version of the secret at run time, so a secret rotated by adding a new version is picked up on the next sync without editing the mapping.
  • Explicit notation: projects/<project_id>/secrets/<secret_name>/versions/<version_id>. The sync task retrieves exactly that pinned version, regardless of newer versions. Secret Manager returns a payload only for a version in the ENABLED state, so if the pinned version is later disabled or destroyed, the sync for that parameter fails until the mapping is updated.

Each targeted secret path inside Secret Manager must contain a valid JSON object string that maps parameter keys directly to their respective credential values.

Example Credential Mapping configuration
{
    "integration_instances": {
        "AzureActiveDirectory_1": {
            "Client ID": "projects/154371241292/secrets/AzureActiveDirectory"
        }
    },
    "connectors": {
        "Crowdstrike - Alerts Connector": {
            "Client Secret": "projects/154371241292/secrets/CrowdstrikeConnectorSecret",
            "Client ID": "projects/154371241292/secrets/CrowdstrikeConnectorID"
        },
        "Microsoft Graph Mail Connector": {
            "Client Secret": "projects/154371241292/secrets/GraphConnectorSecret",
            "Client ID": "projects/154371241292/secrets/GraphConnectorID/versions/3"
        }
    },
    "jobs": {
        "Sync Incidents": {
            "API Root": "projects/154371241292/secrets/API_Root/versions/2"
        }
    }
}
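To make the two reference styles concrete, here is an added Python example (mine, not the job's own code) that parses a Credential Mapping of the shape shown above, classifies each reference as implied or explicit, and resolves it against an in-memory stand-in for the Secret Manager client. The stand-in is an assumption made so the example runs offline: it resolves implied references to the newest enabled version, as the job behavior above describes, and, like the real API, hands out a payload only for a version in the ENABLED state. The project number and secret names are taken from the mapping above; the payloads and version states are constructed.

```python
"""Parse a Credential Mapping and resolve its references (illustrative; not the job's own code)."""
from __future__ import annotations
import json
import re
from dataclasses import dataclass

SECTIONS = ("integration_instances", "connectors", "jobs")
# projects/<project>/secrets/<secret>[/versions/<version>]; the optional version segment decides the notation.
_REF = re.compile(r"^projects/(?P<project>[^/]+)/secrets/(?P<secret>[A-Za-z0-9_-]+)"
                  r"(?:/versions/(?P<version>[^/]+))?$")


@dataclass(frozen=True)
class SecretRef:
    project: str
    secret: str
    version: str | None  # None = implied notation (resolve the latest enabled version)

    @property
    def pinned(self) -> bool:
        return self.version is not None

    @property
    def secret_name(self) -> str:
        return f"projects/{self.project}/secrets/{self.secret}"


def parse_ref(ref: str) -> SecretRef:
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"not a Secret Manager resource name: {ref!r}")
    return SecretRef(m["project"], m["secret"], m["version"])


def parse_mapping(mapping_json: str) -> dict[tuple[str, str, str], SecretRef]:
    """Flatten the mapping to {(section, target, parameter): SecretRef}, rejecting
    unknown sections or non-string values rather than silently skipping a credential."""
    mapping = json.loads(mapping_json)
    if not isinstance(mapping, dict):
        raise ValueError("Credential Mapping must be a JSON object")
    flat: dict[tuple[str, str, str], SecretRef] = {}
    for section, targets in mapping.items():
        if section not in SECTIONS:
            raise ValueError(f"unknown section {section!r}; expected one of {SECTIONS}")
        for target, params in targets.items():
            for param, ref in params.items():
                if not isinstance(ref, str):
                    raise ValueError(f"{section}/{target}/{param}: reference must be a string")
                flat[(section, target, param)] = parse_ref(ref)
    return flat


class VersionUnavailable(Exception):
    """The version exists but is not ENABLED (the real API answers FAILED_PRECONDITION)."""


class FakeSecretManager:
    """In-memory stand-in for the Secret Manager client (assumption, so the example runs offline).
    versions: secret name -> [(version_id, state, payload)] in creation order."""

    def __init__(self, versions: dict[str, list[tuple[str, str, bytes]]]):
        self._versions = versions

    def access(self, ref: SecretRef) -> bytes:
        entries = self._versions.get(ref.secret_name)
        if not entries:
            raise KeyError(f"no such secret: {ref.secret_name}")
        if ref.pinned:
            hits = [e for e in entries if e[0] == ref.version]
            if not hits:
                raise KeyError(f"no such version: {ref.secret_name}/versions/{ref.version}")
            version_id, state, payload = hits[0]
        else:
            # Implied notation: the newest version that is still enabled.
            enabled = [e for e in entries if e[1] == "ENABLED"]
            if not enabled:
                raise VersionUnavailable(f"{ref.secret_name} has no enabled version")
            version_id, state, payload = enabled[-1]
        if state != "ENABLED":
            raise VersionUnavailable(f"{ref.secret_name}/versions/{version_id} is {state}")
        return payload


def resolve_mapping(mapping_json: str, client: FakeSecretManager) -> tuple[dict, dict]:
    """Resolve every reference; failures are reported per parameter instead of aborting the whole sync."""
    resolved, failed = {}, {}
    for key, ref in parse_mapping(mapping_json).items():
        try:
            resolved[key] = client.access(ref).decode("utf-8")
        except (KeyError, VersionUnavailable) as exc:
            failed[key] = str(exc)
    return resolved, failed


# Constructed sample: a subset of the mapping above, with invented payloads and version states.
MAPPING = json.dumps({
    "connectors": {"Crowdstrike - Alerts Connector": {
        "Client ID": "projects/154371241292/secrets/CrowdstrikeConnectorID",
        "Client Secret": "projects/154371241292/secrets/CrowdstrikeConnectorSecret"}},
    "jobs": {"Sync Incidents": {"API Root": "projects/154371241292/secrets/API_Root/versions/2"}},
})
STORE = FakeSecretManager({
    "projects/154371241292/secrets/CrowdstrikeConnectorID": [("1", "ENABLED", b"cid-v1"), ("2", "ENABLED", b"cid-v2")],
    "projects/154371241292/secrets/CrowdstrikeConnectorSecret": [("1", "ENABLED", b"s3cr3t-v1"), ("2", "DISABLED", b"s3cr3t-v2")],
    "projects/154371241292/secrets/API_Root": [("1", "ENABLED", b"https://api.example.com"), ("2", "DESTROYED", b"")],
})

if __name__ == "__main__":
    ok, bad = resolve_mapping(MAPPING, STORE)
    for key, value in ok.items():
        print("resolved", key, "->", value)
    for key, why in bad.items():
        print("FAILED  ", key, "->", why)
```

Run stand-alone, the two Crowdstrike parameters resolve (the Client Secret to version 1, because version 2 is disabled), while the pinned API Root/versions/2 fails with its DESTROYED state, which is the case to watch for when a mapping uses explicit notation.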

Job inputs

The Sync Integration Credentials Job requires the following configuration parameters:

Parameter Description
Environment Name

Required.

The name of the environment context in which to query target configurations.

Default value is Default Environment. For setups targeting Shared Environments, provide *.

Credential Mapping

Required.

A valid JSON string structuring the target locations where integration instances, connectors, and jobs map to their explicit Secret Manager resource coordinates.

Service Account JSON

Optional.

The service account key JSON content dedicated to authorizing this background sync job.

Project ID

Optional.

The default Google Cloud Project ID scope hosting the target resources.

Workload Identity Email

Optional.

The application default credentials service account email to impersonate if running inside Google Cloud infrastructures with active Workload Identity.

Verify SSL

Required.

If selected, the job validates the Secret Manager endpoint's SSL certificate during sync tasks. Enabled by default (True).
