# Enable Secrets Management on an Existing BYOVPC Cluster on GCP

---
title: Enable Secrets Management on an Existing BYOVPC Cluster on GCP
page-beta-text: This is a beta feature. Beta features are available for testing and feedback. They are not supported by Redpanda and should not be used in production environments.
latest-operator-version: v26.1.4
latest-console-tag: v3.7.3
latest-connect-version: 4.93.0
latest-redpanda-tag: v26.1.9
docname: cluster-types/byoc/gcp/enable-secrets-byovpc-gcp
page-component-name: cloud-data-platform
page-version: master
page-component-version: master
page-component-title: Cloud
page-relative-src-path: cluster-types/byoc/gcp/enable-secrets-byovpc-gcp.adoc
page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/get-started/pages/cluster-types/byoc/gcp/enable-secrets-byovpc-gcp.adoc
description: Store and read secrets in your existing BYOVPC cluster.
# Beta release status
page-beta: "true"
page-git-created-date: "2025-06-06"
page-git-modified-date: "2025-08-20"
release-status: beta - This is a beta feature. Beta features are available for testing and feedback. They are not supported by Redpanda and should not be used in production environments.
---

<!-- Source: https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/gcp/enable-secrets-byovpc-gcp.md -->

> ❗ **IMPORTANT**
>
> BYOVPC is an add-on feature that may require an additional purchase. To unlock this feature for your account, contact your Redpanda account team or [Redpanda Sales](https://www.redpanda.com/price-estimator).

Storing secrets in your cluster allows you to keep your cloud infrastructure secure as you integrate your data across different systems, for example, REST catalogs with your Iceberg-enabled topics. If secrets management is not enabled on an existing BYOVPC cluster, you can enable it by following the steps on this page to update your cluster configuration. You can also create [a new BYOVPC cluster](https://docs.redpanda.com/cloud-data-platform/get-started/cluster-types/byoc/gcp/vpc-byo-gcp/) with secrets management already enabled.

Replace all `<placeholders>` with your own values.

1.  Create one new service account with the necessary permissions and roles.

    ```bash
    # Account used to check for and read secrets

    gcloud iam service-accounts create redpanda-operator \
      --display-name="Redpanda Operator Service Account"

    cat << EOT > redpanda-operator.role
    {
      "name": "redpanda_operator_role",
      "title": "Redpanda Operator Role",
      "description": "Redpanda Operator Role",
      "includedPermissions": [
        "resourcemanager.projects.get",
        "secretmanager.secrets.get",
        "secretmanager.versions.access"
      ]
    }
    EOT

    gcloud iam roles create redpanda_operator_role --project=<service-project-id> --file redpanda-operator.role

    gcloud projects add-iam-policy-binding <service-project-id> \
      --member="serviceAccount:redpanda-operator@<service-project-id>.iam.gserviceaccount.com" \
      --role="projects/<service-project-id>/roles/redpanda_operator_role"
    ```

2.  Update the existing Redpanda cluster service account with the necessary permissions to read secrets.

    ```bash
    cat << EOT > redpanda-cluster.role
    {
      "name": "redpanda_cluster_role",
      "title": "Redpanda Cluster Role",
      "description": "Redpanda Cluster Role",
      "includedPermissions": [
        "resourcemanager.projects.get",
        "secretmanager.secrets.get",
        "secretmanager.versions.access"
      ]
    }
    EOT

    gcloud iam roles create redpanda_cluster_role --project=<service-project-id> --file redpanda-cluster.role

    gcloud projects add-iam-policy-binding <service-project-id> \
      --member="serviceAccount:redpanda-cluster@<service-project-id>.iam.gserviceaccount.com" \
      --role="projects/<service-project-id>/roles/redpanda_cluster_role"
    ```

3.  Bind the new service account.

    The account ID of the GCP service account is used to configure service account bindings. This account ID is the local part of the email address for the GCP service account. For example, if the GCP service account is `my-gcp-sa@my-project.iam.gserviceaccount.com`, then the account ID is `my-gcp-sa`.

    ```bash
    gcloud iam service-accounts add-iam-policy-binding <redpanda_operator-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:<service-project-id>.svc.id.goog[redpanda-system/<redpanda_operator-gcp-sa-account-id>]"
    ```

4.  Make a [`PATCH /v1/clusters/{cluster-id}`](https://docs.redpanda.com/api/doc/cloud-controlplane/operation/operation-clusterservice_updatecluster) request to update the cluster configuration.

    ```bash
    # Build the JSON body for the PATCH request
    export CLUSTER_PATCH_BODY="$(cat << EOF
    {
        "customer_managed_resources": {
            "gcp": {
                "redpanda_operator_service_account": {
                    "email": "<redpanda_operator-gcp-sa-account-id>@<service-project-id>.iam.gserviceaccount.com"
                }
            }
        }
    }
    EOF
    )"

    # -v writes request and response headers to stderr; keep that output out of
    # shared logs, since it can include the bearer token.
    curl -v -X PATCH \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $AUTH_TOKEN" \
      -d "$CLUSTER_PATCH_BODY" "$PUBLIC_API_ENDPOINT/v1/clusters/<cluster-id>"
    ```

5.  Check that secrets management is available in the Cloud UI.

    1.  Log in to [Redpanda Cloud](https://cloud.redpanda.com).

    2.  Go to the **Secrets Store** page of your cluster. You should be able to create a new secret.
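
To confirm from the command line that steps 1 and 3 left the operator service account with only the intended access, the following added example (not part of the Redpanda documentation) audits the JSON output of `gcloud iam roles describe`, `gcloud projects get-iam-policy`, and `gcloud iam service-accounts get-iam-policy`, each run with `--format=json`. The function name `audit`, the project ID `example-project`, and the sample policies are assumptions constructed for illustration.

```python
import json

# Permissions the custom role from step 1 is expected to contain.
EXPECTED_PERMS = {"resourcemanager.projects.get", "secretmanager.secrets.get",
                  "secretmanager.versions.access"}

def audit(project, sa_id, role_json, project_policy_json, sa_policy_json):
    """Return a list of findings; an empty list means the setup matches the page."""
    sa = f"serviceAccount:{sa_id}@{project}.iam.gserviceaccount.com"
    role = f"projects/{project}/roles/redpanda_operator_role"
    wi_member = f"serviceAccount:{project}.svc.id.goog[redpanda-system/{sa_id}]"
    findings = []

    perms = set(json.loads(role_json).get("includedPermissions", []))
    findings += [f"role grants extra permission: {p}" for p in sorted(perms - EXPECTED_PERMS)]
    findings += [f"role is missing permission: {p}" for p in sorted(EXPECTED_PERMS - perms)]

    # Roles the service account holds at project level.
    held = {b["role"] for b in json.loads(project_policy_json).get("bindings", [])
            if sa in b.get("members", [])}
    if role not in held:
        findings.append(f"{sa} is not bound to {role}")
    findings += [f"{sa} also holds {r}" for r in sorted(held - {role})]

    # Principals allowed to act as the service account through Workload Identity.
    wi = {m for b in json.loads(sa_policy_json).get("bindings", [])
          if b["role"] == "roles/iam.workloadIdentityUser" for m in b.get("members", [])}
    if wi_member not in wi:
        findings.append(f"workloadIdentityUser is not granted to {wi_member}")
    findings += [f"workloadIdentityUser is also granted to {m}" for m in sorted(wi - {wi_member})]
    return findings

# Constructed sample inputs, shaped like `gcloud ... --format=json` output.
SA = "serviceAccount:redpanda-operator@example-project.iam.gserviceaccount.com"
SAMPLE_ROLE = json.dumps({"includedPermissions": sorted(EXPECTED_PERMS)})
SAMPLE_PROJECT_POLICY = json.dumps({"bindings": [
    {"role": "projects/example-project/roles/redpanda_operator_role", "members": [SA]},
    {"role": "roles/editor", "members": [SA]}]})  # constructed over-broad grant
SAMPLE_SA_POLICY = json.dumps({"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [
    "serviceAccount:example-project.svc.id.goog[redpanda-system/redpanda-operator]"]}]})

if __name__ == "__main__":
    for finding in audit("example-project", "redpanda-operator",
                         SAMPLE_ROLE, SAMPLE_PROJECT_POLICY, SAMPLE_SA_POLICY):
        print("FINDING:", finding)
```

Any finding other than an empty list points to a grant wider or narrower than the one the steps above create.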



## Next steps

-   [Reference a secret in a cluster property](https://docs.redpanda.com/cloud-data-platform/manage/cluster-maintenance/config-cluster/#set-cluster-configuration-properties).

-   [Integrate a catalog](https://docs.redpanda.com/cloud-data-platform/manage/iceberg/use-iceberg-catalogs/) for querying Iceberg topics in your cluster.