Support GCP secret stores as alternative to Vault
### Problem to solve

We plan to implement Vault as a secrets store bundled with GitLab, but some customers will prefer to use a [GCP-provided service](https://cloud.google.com/solutions/secrets-management/). GCP offers Vault as one option, but also provides software (KMS) and hardware (HSM) key management.

### Intended users

Many developer and operations users will interact with this feature, but the primary integrator will be security operations teams.

### Further details

This will give teams more flexibility, ensuring that GitLab remains valuable even when our bundled secrets solution is not used.

### Proposal

We should allow configuration to select a different secrets provider from the default bundled Vault. This should be implemented in a way that

### Permissions and Security

Implementing this feature will require a comprehensive security evaluation by @gitlab-com/gl-security/appsec. The goal is to improve the security available to GitLab itself, to CI/CD pipelines, and to users who want to store secrets associated with projects under development in GitLab.

### Documentation

<!-- See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html
Add all known Documentation Requirements here, per https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements -->

### Testing

<!-- What risks does this change pose? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing?
See the test engineering process for further guidelines: https://about.gitlab.com/handbook/engineering/quality/guidelines/test-engineering/ -->

### What does success look like, and how can we measure that?

<!-- Define both the success metrics and acceptance criteria.
Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this. -->

### Links / references

Other implementations we have completed:

1. Azure Key Vault: https://gitlab.com/gitlab-org/gitlab/-/issues/271271
2. Hashi Vault: https://gitlab.com/gitlab-org/gitlab/-/issues/28321

GCP docs:

* https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers
* https://cloud.google.com/secret-manager/docs/authentication
* https://cloud.google.com/secret-manager/docs/reference/libraries#client-libraries-install-go
* https://cloud.google.com/secret-manager/docs/accessing-the-api
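As an added illustration of the proposal's configurable provider selection (example code written for this page, not GitLab's own implementation nor the GCP client library), the sketch below shows a provider-neutral `SecretStore` interface, a `Config.Provider` setting that selects the backend and fails closed on unknown names, and two in-memory stand-ins: one for Vault KV paths and one that validates GCP Secret Manager's `projects/{project}/secrets/{secret}/versions/{version}` resource-name format, including the `latest` alias. The interface, config key, provider names and sample secrets are all assumptions; a `Secret` type redacts itself when formatted so a stray log line does not leak the payload.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Secret wraps a payload so that printing it with %v or %s yields a
// placeholder rather than the value; call Reveal() to read it.
type Secret string

func (Secret) String() string { return "[REDACTED]" }

// Reveal returns the underlying secret value.
func (s Secret) Reveal() string { return string(s) }

// SecretStore is the provider-neutral interface the rest of the system
// programs against (hypothetical, not GitLab's actual interface).
type SecretStore interface {
	Get(ref string) (Secret, error)
}

var (
	ErrNotFound        = errors.New("secret not found")
	ErrUnknownProvider = errors.New("unknown secrets provider")
)

// memVault stands in for a HashiCorp Vault KV backend: references are plain
// KV paths. It serves constructed sample data, not a live Vault.
type memVault struct{ kv map[string]string }

func (v *memVault) Get(ref string) (Secret, error) {
	val, ok := v.kv[ref]
	if !ok {
		return "", fmt.Errorf("vault %q: %w", ref, ErrNotFound)
	}
	return Secret(val), nil
}

// GCP Secret Manager addresses a payload by resource name:
//   projects/{project}/secrets/{secret}/versions/{version|latest}
// memGCP validates that format and serves constructed sample versions
// instead of calling the real API.
var gcpRef = regexp.MustCompile(`^projects/([^/]+)/secrets/([^/]+)/versions/([^/]+)$`)

type memGCP struct {
	// versions["project/secret"] holds payloads in order; index 0 is version 1.
	versions map[string][]string
}

func (g *memGCP) Get(ref string) (Secret, error) {
	m := gcpRef.FindStringSubmatch(ref)
	if m == nil {
		return "", fmt.Errorf("malformed GCP secret reference %q", ref)
	}
	vs, ok := g.versions[m[1]+"/"+m[2]]
	if !ok || len(vs) == 0 {
		return "", fmt.Errorf("gcp %q: %w", ref, ErrNotFound)
	}
	if m[3] == "latest" {
		return Secret(vs[len(vs)-1]), nil
	}
	n, err := strconv.Atoi(m[3])
	if err != nil || n < 1 || n > len(vs) {
		return "", fmt.Errorf("gcp %q: %w", ref, ErrNotFound)
	}
	return Secret(vs[n-1]), nil
}

// Config is the hypothetical setting that selects the provider; an empty
// value keeps the bundled Vault as the default.
type Config struct{ Provider string }

// providers is the registry of supported backends keyed by config value
// (names are assumptions); each constructor embeds constructed sample data.
var providers = map[string]func() SecretStore{
	"vault": func() SecretStore {
		return &memVault{kv: map[string]string{"secret/ci/db-password": "vault-pw-1"}}
	},
	"gcp_secret_manager": func() SecretStore {
		return &memGCP{versions: map[string][]string{
			"demo-project/db-password": {"gcp-pw-v1", "gcp-pw-v2"},
		}}
	},
}

// NewSecretStore picks the backend named in cfg and fails closed on unknown names.
func NewSecretStore(cfg Config) (SecretStore, error) {
	name := cfg.Provider
	if name == "" {
		name = "vault"
	}
	ctor, ok := providers[name]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrUnknownProvider, cfg.Provider)
	}
	return ctor(), nil
}

func main() {
	store, err := NewSecretStore(Config{Provider: "gcp_secret_manager"})
	if err != nil {
		panic(err)
	}
	s, err := store.Get("projects/demo-project/secrets/db-password/versions/latest")
	fmt.Println("logged:", s, "err:", err) // prints [REDACTED], never the payload
}
```

The factory rejects any provider name it does not know rather than silently falling back to Vault, so a typo in configuration surfaces at startup instead of routing secrets to an unintended backend; the GCP stand-in likewise rejects references that are not full resource names, which is the shape the real Secret Manager API expects.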