Self-Hosted Instance
Using the GCP integration on a self-hosted instance of Infisical requires configuring a service account on GCP and
configuring your instance to use it.
Enable the IAM Service Account Credentials API
Enable the IAM Service Account Credentials API for the project containing the service account that will be impersonated. You can do this from the Google Cloud Console or via the command line.
To enable via command line, run the following command, replacing projectId with your GCP project ID:
Verify the API is enabled by running:
Create a Service Account
Create a new service account that will be used to impersonate other GCP service accounts for your app connections.
Press “DONE” after creating the service account.
Generate Service Account Key
Download the JSON key file for your service account. This will be used to authenticate your instance with GCP.

Configure Your Instance
- Copy the entire contents of the downloaded JSON key file.
- Set it as a string value for the INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL environment variable.
- Restart your Infisical instance to apply the changes.
- You can now use GCP integration with service account impersonation.
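Infisical reads this variable as JSON and, as the federation notes below describe, accepts either a service_account key or an external_account configuration, detecting which from its type field. The following checker is an added example, not Infisical's own code: it performs the same classification on a candidate value before you restart the instance and reports missing key fields, the AWS region that will be used, or a credential_source file that is not present. The sample credentials, pool IDs and paths are constructed placeholders.

```python
import json
import os

# Constructed sample credential JSON: placeholder key material and pool IDs, not real values.
SA_KEY = json.dumps({"type": "service_account", "project_id": "example-project",
    "client_email": "infisical-df92581a-0fe9@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"})
WIF_AWS = json.dumps({"type": "external_account",
    "audience": "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/p/providers/aws",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"environment_id": "aws1"}})
WIF_FILE = json.dumps({"type": "external_account",
    "audience": "//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/p/providers/oidc",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/secrets/constructed/oidc-token"}})

def classify_credential(raw, env=None):
    """Detect the credential type from its "type" field, as Infisical does, and report what it
    needs at runtime. env defaults to os.environ. Empty "problems" in the result means usable."""
    env = os.environ if env is None else env
    out = {"kind": "invalid", "source": None, "region": None, "problems": []}
    try:
        cred = json.loads(raw)
    except json.JSONDecodeError as exc:
        out["problems"].append(f"value is not JSON: {exc.msg}")
        return out
    kind = cred.get("type")
    if kind == "service_account":
        out["kind"] = kind
        for field in ("client_email", "private_key"):
            if not cred.get(field):
                out["problems"].append(f"service_account key is missing {field}")
    elif kind == "external_account":
        out["kind"] = kind
        src = cred.get("credential_source") or {}
        if str(src.get("environment_id", "")).startswith("aws"):
            out["source"] = "aws"  # resolved through the AWS SDK credential chain at runtime
            out["region"] = env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION") or "us-east-1"
        elif "file" in src or "url" in src:
            out["source"] = "file" if "file" in src else "url"  # must be reachable by the instance
            if "file" in src and not os.path.isfile(src["file"]):
                out["problems"].append(f"credential_source file not found: {src['file']}")
        else:
            out["problems"].append("external_account config has no usable credential_source")
    else:
        out["problems"].append(f"unsupported credential type: {kind!r}")
    return out
```

Run it against the real value with `classify_credential(os.environ["INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL"])` on the host that will run Infisical, so the file and region checks see the same environment the instance will.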
Workload identity federation is also supported. Instead of a service account key, you may set INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL to an external_account credential configuration JSON (the file produced by gcloud iam workload-identity-pools create-cred-config). Infisical detects the credential type from the type field automatically. The federated identity needs the roles/iam.serviceAccountTokenCreator role on the service accounts it impersonates.
For AWS providers, Infisical resolves the instance’s AWS credentials through the standard AWS SDK credential chain, so federation works on EC2, ECS/Fargate, EKS (IRSA), and Lambda, or from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables. The region defaults to us-east-1; set AWS_REGION (or AWS_DEFAULT_REGION) to use a specific regional STS endpoint.
For other providers, the referenced credential source (a mounted file or URL) must be reachable from the Infisical instance at runtime.
Configure Service Account for Infisical
Create Service Account
Create a new service account with an ID that follows this requirement: your service account ID must end with the first two sections of your Infisical organization ID.
Example:
- Infisical organization ID: df92581a-0fe9-42b5-b526-0a1e88ec8085
- Required service account ID suffix: df92581a-0fe9
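An added helper, not from the Infisical docs or code base, that derives the required suffix from an organization ID and checks a candidate service account ID (bare ID or full email) against it. It also applies GCP's own service account ID format rules (6 to 30 characters of lowercase letters, digits and hyphens, starting with a letter); that format rule is my understanding of GCP's constraints, not something this page states.

```python
import re

# Organization ID from the page's example; the required suffix is df92581a-0fe9.
ORG_ID = "df92581a-0fe9-42b5-b526-0a1e88ec8085"

# GCP's format for the ID part of a service account (before the "@"): 6-30 characters,
# lowercase letters, digits and hyphens, starting with a letter. This is an assumption
# about GCP's rules; the page only states the suffix requirement.
_GCP_SA_ID = re.compile(r"^[a-z][a-z0-9-]{5,29}$")
_UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def required_suffix(org_id: str) -> str:
    """Return the first two dash-separated sections of an Infisical organization ID."""
    org_id = org_id.strip().lower()
    if not _UUID.match(org_id):
        raise ValueError(f"not a well-formed organization ID: {org_id!r}")
    first, second = org_id.split("-")[:2]
    return f"{first}-{second}"


def check_service_account_id(sa_id: str, org_id: str) -> list:
    """Return the problems with sa_id (bare ID or full email); an empty list means acceptable."""
    suffix = required_suffix(org_id)
    local = sa_id.split("@", 1)[0]  # only the part before "@" is the service account ID
    problems = []
    if not _GCP_SA_ID.match(local):
        problems.append("ID must be 6-30 chars of [a-z0-9-] and start with a letter")
    if not local.endswith(suffix):
        problems.append(f"ID must end with {suffix!r}")
    return problems


def suggest_service_account_id(prefix: str, org_id: str) -> str:
    """Build <prefix>-<suffix>, sanitising and trimming prefix so the 30-char limit holds."""
    suffix = required_suffix(org_id)
    room = 30 - len(suffix) - 1
    clean = re.sub(r"[^a-z0-9-]", "", prefix.lower()).strip("-")[:room].rstrip("-")
    candidate = f"{clean}-{suffix}" if clean else suffix
    problems = check_service_account_id(candidate, org_id)
    if problems:
        raise ValueError(f"cannot build a valid ID from {prefix!r}: {problems}")
    return candidate
```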
Configure Service Account Permissions
Secret Sync
Add the required permissions for secret syncs:

Enable Service Account Impersonation
To enable service account impersonation, you’ll need to grant the Service Account Token Creator role to the Infisical instance’s service account. This configuration allows Infisical to securely impersonate the new service account.
1. Navigate to the IAM & Admin > Service Accounts section in your Google Cloud Console.
2. Select the newly created service account.
3. Click on the PERMISSIONS tab.
4. Click Grant Access to add a new principal.
5. In the New principals field, enter the Infisical service account email for your environment:
   - Infisical Cloud US: infisical-us@infisical-us.iam.gserviceaccount.com
   - Infisical Cloud EU: infisical-eu@infisical-eu.iam.gserviceaccount.com
   - Self-hosted: use the service account you created for your instance (the one whose credentials are set in INF_APP_CONNECTION_GCP_SERVICE_ACCOUNT_CREDENTIAL).
6. In the Role field, select Service Account Token Creator.
7. Click Save.
Troubleshooting: “One or more users named in the policy do not belong to a permitted customer.”
If granting access fails with the error “One or more users named in the policy do not belong to a permitted customer.”, your Google Cloud organization has the Domain Restricted Sharing organization policy (iam.allowedPolicyMemberDomains) enabled. This policy only permits identities that belong to allowlisted Google organizations, so the Infisical service account is rejected until it is explicitly allowed.
To resolve this, add Infisical’s Google Cloud Customer ID to the policy’s allowed values before granting the service account a role:
- In the Google Cloud Console, navigate to IAM & Admin > Organization Policies.
- Search for and open the Domain restricted sharing (iam.allowedPolicyMemberDomains) policy.
- Under Custom values, add a new allowed value containing Infisical’s Google Cloud Customer ID, C03rsjmyl.
  This is Infisical’s Google Cloud Customer ID, not your own. Infisical uses a single Google Cloud organization, so this one Customer ID covers both the US and EU service accounts. Enter the bare Customer ID (C03rsjmyl) in the Console UI. If you manage this policy with gcloud, a policy YAML file, or Terraform instead, use the prefixed form is:C03rsjmyl.
- Save the policy, then return to Step 4 (Grant Access) in the main instructions above and complete steps 4–7 to add the Infisical service account as a principal.
Setup GCP Connection in Infisical
Navigate to App Connections
Navigate to the Integrations tab in the desired project, then select App Connections.