Infisical supports service account impersonation to connect with your GCP projects.

Configure Service Account for Infisical

1

Navigate to IAM & Admin > Service Accounts in Google Cloud Console

Service Account Page
2

Create Service Account

Create a new service account with an ID that follows this requirement:Your service account ID must end with the first two sections of your Infisical organization ID.Example:
  • Infisical organization ID: df92581a-0fe9-42b5-b526-0a1e88ec8085
  • Required service account ID suffix: df92581a-0fe9
Create Service Account
3

Configure Service Account Permissions

Add the required permissions for secret syncs: Assign Service Account Permission
After configuring the appropriate roles, press “DONE”.
4

Enable Service Account Impersonation

To enable service account impersonation, you’ll need to grant the Service Account Token Creator role to the Infisical instance’s service account. This configuration allows Infisical to securely impersonate the new service account.
  • Navigate to the IAM & Admin > Service Accounts section in your Google Cloud Console
  • Select the newly created service account
  • Click on the “PERMISSIONS” tab
  • Click “Grant Access” to add a new principal
If you’re using Infisical Cloud US, use the following service account: infisical-us@infisical-us.iam.gserviceaccount.comIf you’re using Infisical Cloud EU, use the following service account: infisical-eu@infisical-eu.iam.gserviceaccount.comService Account Page

Setup GCP Connection in Infisical

1

Navigate to App Connections

Navigate to the App Connections tab on the Organization Settings page. App Connections Tab
2

Add Connection

Select the GCP Connection option from the connection options modal. Select GCP Connection
3

Authorize Connection

Select the Service Account Impersonation method and click Connect to GCP. Connect via GCP impersonation
4

Connection Created

Your GCP Connection is now available for use. Impersonation GCP Connection