|
| 1 | +{ |
| 2 | + "Id": "a0119b66-831b-407e-b87b-45b19afe18a8", |
| 3 | + "Name": "GCP Secret Manager - Retrieve Secrets (OIDC)", |
| 4 | + "Description": "This step retrieves one or more secrets from [Secret Manager](https://cloud.google.com/secret-manager) on Google Cloud Platform (GCP), and creates [sensitive output variables](https://octopus.com/docs/projects/variables/output-variables#sensitive-output-variables) for each value retrieved. These values can be used in other deployment or runbook process steps.\n\nYou should retrieve secrets with a specific version rather than the *latest* version. You can choose a custom output variable name for each secret, or one will be created dynamically.\n\n---\n\nThe step authenticates with GCP using an [OpenID Connect](https://octopus.com/docs/infrastructure/accounts/openid-connect) account. See our [blog post](https://octopus.com/blog/generic-oidc#using-generic-oidc-accounts-with-google-cloud) for more details on configuring an account for GCP authentication.\n\n---\n\n**Required:** \n- Octopus Server **2021.2** or higher.\n- PowerShell **5.1** or higher.\n- The Google Cloud (`gcloud`) CLI, version **338.0.0** or higher installed on the target or worker. If the CLI can't be found, the step will fail.\n- A Google account with permissions to retrieve secrets from Secret Manager on Google Cloud. Accessing a secret version requires the **Secret Manager Secret Accessor** role (`roles/secretmanager.secretAccessor`) on the secret, project, folder, or organization. \n\nNotes:\n\n- Tested on Octopus **2025.4**.\n- Tested on both Windows Server 2022 and Ubuntu 22.04.", |
| 5 | + "ActionType": "Octopus.GoogleCloudScripting", |
| 6 | + "Version": 1, |
| 7 | + "CommunityActionTemplateId": null, |
| 8 | + "Packages": [], |
| 9 | + "GitDependencies": [], |
| 10 | + "Properties": { |
| 11 | + "Octopus.Action.Script.ScriptSource": "Inline", |
| 12 | + "Octopus.Action.Script.Syntax": "PowerShell", |
| 13 | + "Octopus.Action.GoogleCloud.ImpersonateServiceAccount": "False", |
| 14 | + "Octopus.Action.GoogleCloud.UseVMServiceAccount": "False", |
| 15 | + "Octopus.Action.GoogleCloudAccount.Variable": "#{GCP.SecretManager.RetrieveSecrets.Account}", |
| 16 | + "Octopus.Action.GoogleCloud.Project": "#{GCP.SecretManager.RetrieveSecrets.Project}", |
| 17 | + "Octopus.Action.GoogleCloud.Region": "#{GCP.SecretManager.RetrieveSecrets.Region}", |
| 18 | + "Octopus.Action.GoogleCloud.Zone": "#{GCP.SecretManager.RetrieveSecrets.Zone}", |
| 19 | + "Octopus.Action.Script.ScriptBody": "$ErrorActionPreference = 'Stop'\n\n# Variables\n$SecretNames = $OctopusParameters[\"GCP.SecretManager.RetrieveSecrets.SecretNames\"]\n$PrintVariableNames = $OctopusParameters[\"GCP.SecretManager.RetrieveSecrets.PrintVariableNames\"]\n\n# GCP Project/Region/Zone\n$Project = $OctopusParameters[\"GCP.SecretManager.RetrieveSecrets.Project\"]\n$Region = $OctopusParameters[\"GCP.SecretManager.RetrieveSecrets.Region\"]\n$Zone = $OctopusParameters[\"GCP.SecretManager.RetrieveSecrets.Zone\"]\n\n# Validation\nif ([string]::IsNullOrWhiteSpace($SecretNames)) {\n throw \"Required parameter GCP.SecretManager.RetrieveSecrets.SecretNames not specified\"\n}\n\n$Secrets = @()\n$VariablesCreated = 0\n$StepName = $OctopusParameters[\"Octopus.Step.Name\"]\n\n# Extract secret names\n@(($SecretNames -Split \"`n\").Trim()) | ForEach-Object {\n if (![string]::IsNullOrWhiteSpace($_)) {\n Write-Verbose \"Working on: '$_'\"\n $secretDefinition = ($_ -Split \"\\|\")\n $secretName = $secretDefinition[0].Trim()\n $secretNameAndVersion = ($secretName -Split \" \")\n $secretVersion = \"latest\"\n if ($secretNameAndVersion.Count -gt 1) {\n $secretName = $secretNameAndVersion[0].Trim()\n $secretVersion = $secretNameAndVersion[1].Trim()\n }\n if ([string]::IsNullOrWhiteSpace($secretName)) {\n throw \"Unable to establish secret name from: '$($_)'\"\n }\n $secret = [PsCustomObject]@{\n Name = $secretName\n SecretVersion = $secretVersion\n VariableName = if (![string]::IsNullOrWhiteSpace($secretDefinition[1])) { $secretDefinition[1].Trim() } else { \"\" }\n }\n $Secrets += $secret\n }\n}\n\nWrite-Verbose \"GCP Default Project: $Project\"\nWrite-Verbose \"GCP Default Region: $Region\"\nWrite-Verbose \"GCP Default Zone: $Zone\"\nWrite-Verbose \"Secrets to retrieve: $($Secrets.Count)\"\nWrite-Verbose \"Print variables: $PrintVariableNames\"\n\n# Retrieve Secrets\nforeach ($secret in $secrets) {\n $name = $secret.Name\n $secretVersion = $secret.SecretVersion\n 
$variableName = $secret.VariableName\n if ([string]::IsNullOrWhiteSpace($variableName)) {\n $variableName = \"$($name.Trim())-$secretVersion\"\n }\n Write-Host \"Retrieving Secret '$name' (version: $secretVersion)\"\n if ($secretVersion -ieq \"latest\") {\n Write-Host \"Note: Retrieving the 'latest' version for secret '$name' isn't recommended. Consider choosing a specific version to retrieve.\"\n }\n \n $secretValue = (gcloud secrets versions access $secretVersion --secret=\"$name\") -Join \"`n\"\n \n if ([string]::IsNullOrWhiteSpace($secretValue)) {\n throw \"Error: Secret '$name' (version: $secretVersion) not found or has no versions.\"\n }\n\n Set-OctopusVariable -Name $variableName -Value $secretValue -Sensitive\n\n if ($PrintVariableNames -eq $True) {\n Write-Host \"Created output variable: ##{Octopus.Action[$StepName].Output.$variableName}\"\n }\n $VariablesCreated += 1\n}\n\nWrite-Host \"Created $VariablesCreated output variables\"\n" |
| 20 | + }, |
| 21 | + "Parameters": [ |
| 22 | + { |
| 23 | + "Id": "98bef883-493d-45ca-8030-9323340f7b8d", |
| 24 | + "Name": "GCP.SecretManager.RetrieveSecrets.Account", |
| 25 | + "Label": "OpenID Connect (OIDC) Account", |
| 26 | + "HelpText": "An [OpenID Connect](https://octopus.com/docs/infrastructure/accounts/openid-connect) account with permission to access Secret Manager secrets.", |
| 27 | + "DefaultValue": "", |
| 28 | + "DisplaySettings": { |
| 29 | + "Octopus.ControlType": "GenericOidcAccount" |
| 30 | + } |
| 31 | + }, |
| 32 | + { |
| 33 | + "Id": "4fce0e10-2378-4008-ace0-0bda4bebef5f", |
| 34 | + "Name": "GCP.SecretManager.RetrieveSecrets.Project", |
| 35 | + "Label": "Google Cloud Project", |
| 36 | + "HelpText": "Specify the default project. This sets the `CLOUDSDK_CORE_PROJECT` [environment variable](https://g.octopushq.com/GCPDefaultProject).", |
| 37 | + "DefaultValue": "", |
| 38 | + "DisplaySettings": { |
| 39 | + "Octopus.ControlType": "SingleLineText" |
| 40 | + } |
| 41 | + }, |
| 42 | + { |
| 43 | + "Id": "0775f353-d9c7-4e5f-87d9-15dd4b7126f7", |
| 44 | + "Name": "GCP.SecretManager.RetrieveSecrets.Region", |
| 45 | + "Label": "Google Cloud Region", |
| 46 | + "HelpText": "Specify the default region. View the [GCP Regions and Zones](https://g.octopushq.com/GCPRegionsZones) documentation for a current list of the available region and zone codes.\n\nThis sets the `CLOUDSDK_COMPUTE_REGION` [environment variable](https://g.octopushq.com/GCPDefaultRegionAndZone).", |
| 47 | + "DefaultValue": "", |
| 48 | + "DisplaySettings": { |
| 49 | + "Octopus.ControlType": "SingleLineText" |
| 50 | + } |
| 51 | + }, |
| 52 | + { |
| 53 | + "Id": "d575b319-cd58-4200-9211-cddd328c1a62", |
| 54 | + "Name": "GCP.SecretManager.RetrieveSecrets.Zone", |
| 55 | + "Label": "Google Cloud Zone", |
| 56 | + "HelpText": "Specify the default zone. View the [GCP Regions and Zones](https://g.octopushq.com/GCPRegionsZones) documentation for a current list of the available region and zone codes.\n\nThis sets the `CLOUDSDK_COMPUTE_ZONE` [environment variable](https://g.octopushq.com/GCPDefaultRegionAndZone).", |
| 57 | + "DefaultValue": "", |
| 58 | + "DisplaySettings": { |
| 59 | + "Octopus.ControlType": "SingleLineText" |
| 60 | + } |
| 61 | + }, |
| 62 | + { |
| 63 | + "Id": "8194e79f-1a22-4126-a7aa-cbd300ef1fda", |
| 64 | + "Name": "GCP.SecretManager.RetrieveSecrets.SecretNames", |
| 65 | + "Label": "Secret names to retrieve", |
| 66 | + "HelpText": "Specify the names of the secrets to be returned from Secret Manager in Google Cloud, in the format:\n\n`SecretName SecretVersion | OutputVariableName` where:\n\n- `SecretName` is the name of the secret to retrieve.\n- `SecretVersion` is the version of the secret to retrieve. *If this value isn't specified, the latest version will be retrieved*.\n- `OutputVariableName` is the _optional_ Octopus [output variable](https://octopus.com/docs/projects/variables/output-variables) name to store the secret's value in. *If this value isn't specified, an output name will be generated dynamically*.\n\n**Note:** Multiple fields can be retrieved by entering each one on a new line.", |
| 67 | + "DefaultValue": "", |
| 68 | + "DisplaySettings": { |
| 69 | + "Octopus.ControlType": "MultiLineText" |
| 70 | + } |
| 71 | + }, |
| 72 | + { |
| 73 | + "Id": "24508f90-d88e-4527-b577-8e13c91d962f", |
| 74 | + "Name": "GCP.SecretManager.RetrieveSecrets.PrintVariableNames", |
| 75 | + "Label": "Print output variable names", |
| 76 | + "HelpText": "Write out the Octopus [output variable](https://octopus.com/docs/projects/variables/output-variables) names to the task log. Default: `False`.", |
| 77 | + "DefaultValue": "False", |
| 78 | + "DisplaySettings": { |
| 79 | + "Octopus.ControlType": "Checkbox" |
| 80 | + } |
| 81 | + } |
| 82 | + ], |
| 83 | + "StepPackageId": "Octopus.GoogleCloudScripting", |
| 84 | + "$Meta": { |
| 85 | + "ExportedAt": "2025-09-18T12:25:52.896Z", |
| 86 | + "OctopusVersion": "2025.4.1096", |
| 87 | + "Type": "ActionTemplate" |
| 88 | + }, |
| 89 | + "LastModifiedBy": "harrisonmeister", |
| 90 | + "Category": "google-cloud", |
| 91 | + "MinimumServerVersion": "2021.2.0" |
| 92 | +} |
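Review bot: In the `Octopus.Action.Script.ScriptBody` string (file line 19), the output of `gcloud secrets versions access` is only tested for being empty, and `$LASTEXITCODE` is never checked. On PowerShell 5.1, which the description lists as supported, `$ErrorActionPreference = 'Stop'` does not by itself turn a non-zero native exit code into a terminating error, so, as far as the visible script shows, a failed call that still wrote something to stdout would be stored as a sensitive output variable. A permission or authentication failure is also reported with the misleading message "not found or has no versions". I would add, directly after the gcloud call, `if ($LASTEXITCODE -ne 0) { throw "gcloud exited with code $LASTEXITCODE while reading secret '$name' (version: $secretVersion)" }`. Separately, `-Split " "` yields an empty version when the name and version are separated by more than one space; splitting on `"\s+"` (written `\\s+` inside the JSON string) would avoid that.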