---
title: ''
description: Telegraf plugin for retrieving secrets from GoogleCloud Credentials
url: https://docs.influxdata.com/telegraf/v1/secretstore-plugins/googlecloud/
estimated_tokens: 561
product: Telegraf Controller
version: v1
publisher: InfluxData
canonical: https://docs.influxdata.com/telegraf/v1/secretstore-plugins/googlecloud/
date: '2026-06-11T17:00:50+02:00'
lastmod: '2026-06-11T17:00:50+02:00'
---


* Telegraf v1.37.0+

[Plugin source](https://github.com/influxdata/telegraf/tree/v1.39.0/plugins/secretstores/googlecloud/) | [Download configuration](https://raw.githubusercontent.com/influxdata/telegraf/refs/tags/v1.39.0/plugins/secretstores/googlecloud/sample.conf)

# GoogleCloud Credentials Secret Store Plugin

This plugin retrieves token-based [Google Cloud Credentials](https://docs.cloud.google.com/docs/authentication).

**Introduced in:** Telegraf v1.37.0
**Tags:** cloud
**OS support:** all

## Usage

Secrets defined by a store are referenced with `@{<store-id>:<secret_key>}` in
the Telegraf configuration. Only certain Telegraf plugins and options
support secret stores. To see which plugins and options support
secrets, see their respective documentation (e.g. `plugins/outputs/influxdb/README.md`).
If the plugin's README has a `Secret store support` section, it details which
options support secret store usage.

## Configuration

```toml
## Fetch tokens from Google Cloud Authentication
[[secretstores.googlecloud]]
  ## Unique identifier for the secret store.
  ## This id can later be used in plugins to reference the secrets
  ## in this secret store via @{<id>:token} (mandatory)
  id = "googlecloud_secret"

  ## Path to the service account credentials file
  credentials_file = "./testdata/gdch.json"

  ## OAuth2 scopes for the generated access token.
  ## Defaults to cloud-platform for service-account credentials.
  ## GDCH/STS users can ignore this option as only the audience
  ## parameter is evaluated for those credential types.
  # scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  ## Audience sent when retrieving an STS token.
  ## Currently only used for GDCH auth flow
  sts_audience = "https://{AUDIENCE_URL}"
```

> [!Important]
> This plugin only provides one secret with the key `token`,
> other keys lead to errors.

## Additional Information

This plugin only supports reading secrets; it cannot create or modify them.

To generate a Google-Distributed-Cloud-Hosted service account credentials file,
see the [Manage service accounts](https://docs.cloud.google.com/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/service-identities) page.
