Creating ESA Credentials

The Policy Agent Function requires ESA credentials, which must be provided using one of the following two options:

Secret Manager

Secret Manager is the recommended option for storing ESA credentials.

Create ESA credentials secrets:

  1. Log in to your Google Account and select the project where the Protegrity service will be installed.

  2. Go to Security > Secret Manager.

  3. Select CREATE SECRET.

  4. Specify the Secret Value:

    {
      "username": "{esa_username}", 
      "password": "{esa_password}"
    }
    
  5. Select Create Secret.

  6. Once the secret is created, the secret screen should open. If it does not, click the secret name to see the screen listing the secret versions.

  7. Click on Actions, next to the secret version you just created.

  8. Select Copy Resource ID and record the full secret version path. For example, projects/{project-id}/secrets/{secret name}/versions/2.

    Secret resource id: ___________________

Custom Cloud Function

If you have the skills to write code, you may provide a custom Cloud Function that returns the ESA credentials to the Policy Agent. One use case is when reading the ESA credentials from a third-party password vault.

Create the Cloud Function:

  1. Create a new 2nd gen Cloud Function using any runtime.

    1. The Policy Agent does not provide an input payload.

    2. The Cloud Function must return a response according to the following schema:

      response:
        type: object
        properties:
          username: string
          password: string
      

      For example,

      example output: {"username": "admin", "password": "Password1234"} 
      
    3. Sample GCP Function in Python:

      def handler(request):
          # Placeholder values for illustration; return the real ESA credentials here.
          return {"username": "admin", "password": "password1234"}
      
  2. Grant the Cloud Run Invoker role to the Policy Agent function service account.

  3. Grant the cloudfunctions.functions.get permission to the Policy Agent function service account role.

  4. Record the Function name:

    ESA CREDENTIALS FUNCTION NAME: _______________
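
The following is an added example, not Protegrity code, of a custom function for the third-party vault use case: it returns only the two fields in the response schema and fails closed without logging credential values. The names read_vault_record, build_response and the loader parameter are hypothetical, the vault record is constructed sample data, and the non-empty check is stricter than the schema requires.

```python
# Added example, not Protegrity code. read_vault_record() is a hypothetical
# stand-in for your vault's client; its record is constructed sample data.

SCHEMA_FIELDS = ("username", "password")


def read_vault_record():
    """Hypothetical vault lookup; replace with the real client call."""
    return {
        "username": "esa_policy_user",       # constructed value
        "password": "constructed-example",   # constructed value
        "rotation_id": "r-17",               # vault metadata, must not be returned
    }


def build_response(record):
    """Return only the two schema fields, each a non-empty string."""
    if not isinstance(record, dict):
        raise ValueError("vault record is not an object")
    response = {}
    for field in SCHEMA_FIELDS:
        value = record.get(field)
        if not isinstance(value, str) or not value:
            # Name the field, never echo its value.
            raise ValueError(f"field {field!r} missing or not a non-empty string")
        response[field] = value
    return response


def handler(request, loader=read_vault_record):
    """Cloud Function entry point; the Policy Agent sends no input payload."""
    try:
        return build_response(loader())
    except Exception as exc:
        # Fail closed: log the error type only and return no partial credentials.
        print(f"ESA credential lookup failed: {type(exc).__name__}")
        return {"error": "credential lookup failed"}, 500
```
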


Last modified : March 31, 2026