---
layout: docs
page_title: GCP secret import source
description: The Google Cloud Platform Secret Manager source imports secrets from GCP to Vault.
---

# GCP import source

Use the GCP source to import secret data from GCP Secret Manager into your Vault instance. To use dynamic
credentials with GCP import, ensure the [GCP secrets engine](/vault/docs/secrets/gcp) is
already configured.

## Argument reference

Refer to the [HCL syntax](/vault/docs/import#hcl-syntax-1) for arguments common to all source types.

## Additional arguments

- `credentials` `(string: "")` - The path to the service account key credentials file for the service account
  with the [necessary permissions](#permissions). If `credentials` is set, then `vault_mount_path` and
  `vault_role_name` must be unset.

- `vault_mount_path` `(string: "")` - The Vault mount path to a pre-configured GCP
  secrets engine used to generate dynamic credentials for the importer. If
  `vault_mount_path` or `vault_role_name` are set, then `credentials` must be
  unset.

- `vault_role_name` `(string: "")` - The Vault role used to generate a dynamic
  credential for the importer. The role name must exist in the pre-configured
  GCP secrets engine mount. If `vault_role_name` or `vault_mount_path` are set,
  then `credentials` must be unset.

## Example

Define and configure the `my-gcp-source-1` GCP source:

```hcl
source_gcp {
  name                 = "my-gcp-source-1"
  secrets_engine_mount = "gcp"
  secrets_engine_role  = "my-gcp-role-1"
}
```

## Permissions

To use GCP import, you must grant the associated GCP identity permission to read secrets:

```shell-session
"secretmanager.secrets.list",
"secretmanager.versions.access",
```