Strategy One

Configure Cross-project GCP Secret Manager Vault Connections with Default Service Account Mode

The following functionality is only available for Managed Cloud Enterprise (MCE) environments.

Starting in Strategy One (May 2026), you can configure cross-project Google Cloud Platform (GCP) Secret Manager vault connections using a default service account for a more secure workflow.

Prerequisites

  • Strategy requires the remote Google project ID for each Google Secret Manager vault connection with Default Service Account mode.

  • Strategy requires the Strategy default service account to be granted the Secret Manager Secret Accessor role in the remote Google project.

  • A secret that includes the username and password for your database must use the following JSON format: {"username": "my-username", "password": "my-password"}

Grant Permission to Strategy Default Service Account

  1. Contact the Strategy Support team for the Strategy Default Service Account used in your MCE environment.

  2. In GCP, go to Security and Secret manager.

  3. Select your Strategy default service account and click the Permissions tab.

  4. Click Grant access.

  5. In Assign roles, select Secret Manager Secret Accessor.

Create a Google Secret Manager Vault Connection with Default Service Account Mode

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click the Vault Connections tab.
  4. Click Add New Vault Connection.
  5. Enter values in the following fields:
    • Name: Type a name for your connection.
    • Type: Choose Google Secret Manager.
    • Gateway Agent: Leave empty.
    • Authentication Mode: Choose Default Service Account.

    • Project ID: Type your Project ID.

      To find your Project ID, go to the Google Cloud Console Dashboard and find it under Project info.

  6. Click Save.

Validate the Vault Connection with Default Service Account Mode

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click the Database Logins tab.
  4. Click Add New Database Login.
  5. Toggle on Use Vault.
  6. Type a database login Name.
  7. Optionally type a Description.
  8. Expand the Type drop-down list and choose Google Secret Manager.
  9. Expand the Vault Connection drop-down list and choose your newly created vault connection.
  10. In Secret Name, type the secret name that was granted cross-project access.
  11. Click Save.