Google Secret Manager - Cross-project OIDC support
complete
Definite Lobster
Currently, the GSM connector only supports pulling secrets from 1 project. This means that if our secrets are spread across 100 projects, we need to create 100 connectors.
Just as multi-project OIDC support for GKE + Cloud Run was released, please add this feature to the Google Secret Manager plugin too.
Definite Lobster
Thanks Abhishek. We will test this feature.
Abhishek Thamman marked this post as complete
Abhishek Thamman merged in a post:
GSM Connector OIDC: Support separate project IDs for Workload Identity Pool and Secret Manager resources
Cute Silverfish
The GSM connector's OIDC authentication configuration uses a single gcpProjectId field for two distinct purposes:
Constructing the Workload Identity Pool (WIP) path for authentication
Specifying which GCP project contains the Secret Manager secrets
This design prevents customers from using a centralized Workload Identity Pool in a separate GCP project from where their secrets are stored - a common enterprise security pattern where IAM infrastructure is managed centrally.
Business Impact
Customer Scenario:
Enterprise customer with centralized IAM management
IAM team controls all service accounts and WIPs from dedicated security/IAM GCP projects
Multiple application teams have secrets in their own GCP projects
Each team's Harness project needs to access secrets from their respective GCP project
Security governance model requires central control of identity infrastructure
Current Limitation:
Customer must create a separate WIP in each application GCP project, which:
Violates their security governance model (decentralized identity management)
Creates operational overhead (WIP per Harness project/team)
Prevents IAM team from maintaining centralized control
This post was marked as in progress
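To make the two roles of the single project field concrete, here is an added Python sketch (not Harness or Google code; the config class, field names and sample values are hypothetical) that builds the two GCP resource names the post refers to from separate identity and secret projects, and shows that the single-field path forces both to name the same project. One caveat it encodes: GCP's Workload Identity Pool audience carries the numeric project number, not the project id.

```python
import re
from dataclasses import dataclass

# Resource-name formats as documented by Google Cloud (not the connector's
# internal code): the WIP provider audience takes the numeric project number,
# a Secret Manager version name takes the project id.
AUDIENCE_FMT = ("//iam.googleapis.com/projects/{project_number}/locations/global/"
                "workloadIdentityPools/{pool_id}/providers/{provider_id}")
SECRET_FMT = "projects/{project_id}/secrets/{secret_id}/versions/{version}"


@dataclass(frozen=True)
class OidcSecretConfig:
    """Hypothetical config shape with the two project roles split apart."""
    identity_project_number: str   # project hosting the Workload Identity Pool
    pool_id: str
    provider_id: str
    secret_project_id: str         # project hosting the Secret Manager secrets

    def audience(self) -> str:
        return AUDIENCE_FMT.format(project_number=self.identity_project_number,
                                   pool_id=self.pool_id, provider_id=self.provider_id)

    def secret_name(self, secret_id: str, version: str = "latest") -> str:
        return SECRET_FMT.format(project_id=self.secret_project_id,
                                 secret_id=secret_id, version=version)


def from_single_field(gcp_project_id: str, pool_id: str, provider_id: str) -> OidcSecretConfig:
    """Mirror the current behaviour described in the post: one value fills both roles."""
    return OidcSecretConfig(gcp_project_id, pool_id, provider_id, gcp_project_id)


def projects_of(cfg: OidcSecretConfig, secret_id: str = "db-password") -> tuple:
    """Return the project component used for auth and for the secret, respectively."""
    aud = re.match(r"//iam\.googleapis\.com/projects/([^/]+)/", cfg.audience()).group(1)
    sec = re.match(r"projects/([^/]+)/secrets/", cfg.secret_name(secret_id)).group(1)
    return aud, sec


def validate(cfg: OidcSecretConfig) -> list:
    """Check a reviewer would want before saving the connector configuration."""
    problems = []
    if not cfg.identity_project_number.isdigit():
        problems.append("WIP audience requires the numeric project number, got "
                        f"{cfg.identity_project_number!r}")
    if not cfg.secret_project_id:
        problems.append("secret project id is empty")
    return problems
```

With the fields split, the centralized IAM project (a project number) and an application team's secret project (a project id) resolve to different resource names; with the single field, whatever value satisfies one role is reused for the other.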
Abhishek Thamman marked this post as long-term