From b5bae7a339728302e78ca40272b3dc372152f699 Mon Sep 17 00:00:00 2001 From: Valyria McFarland Date: Wed, 21 Jan 2026 14:23:20 -0800 Subject: [PATCH 1/2] feat: update WIF instructions for fetching secrets This moves the "Identity and access management" page to be under the "Getting started" section because it no longer applied to just logging and monitoring. Luckily, the page's URL is already under getting-started, so that did not need to change. This also updated the page's contents to add instructions to allow fetching secrets from Secret Manager. --- .../access-management.md | 92 ++++++++++++++----- .../monitoring/enable-monitoring.md | 2 +- .../monitoring/enable-nginx-logs.md | 2 +- go.mod | 2 +- go.sum | 2 + 5 files changed, 74 insertions(+), 26 deletions(-) rename content/nginxaas-google/{monitoring => getting-started}/access-management.md (51%) diff --git a/content/nginxaas-google/monitoring/access-management.md b/content/nginxaas-google/getting-started/access-management.md similarity index 51% rename from content/nginxaas-google/monitoring/access-management.md rename to content/nginxaas-google/getting-started/access-management.md index b0bfc9b6b5..d28a1cce28 100644 --- a/content/nginxaas-google/monitoring/access-management.md +++ b/content/nginxaas-google/getting-started/access-management.md @@ -1,6 +1,6 @@ --- title: Identity and access management -weight: 100 +weight: 600 toc: true nd-docs: DOCS-000 url: /nginxaas/google/getting-started/access-management/ 
@@ -10,7 +10,13 @@ nd-product: NGOOGL -F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, with WIF configured, your NGINXaaS deployment can export logs and metrics to Cloud Monitoring in your Google project. To learn more, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation). +F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, with WIF configured, your NGINXaaS deployment can perform the following integrations: + + - export logs to Cloud Logging + - export metrics to Cloud Monitoring + - fetch secrets from Secret Manager + +To learn more, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation). ## Prerequisites 
@@ -32,34 +38,74 @@ F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF) ### Grant access to the WIF principal with your desired roles -In the [Google Cloud Console](https://console.cloud.google.com/), -1. Select your google project you want to grant access on. For example, to grant access to export logs to a Google project, `$LOG_PROJECT_ID`, or to export metrics to a Google project, `$METRIC_PROJECT_ID`, go to that project. +Depending on your use case, you will need to grant certain roles on specific resources. See [Google's documentation on granting access](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#access) for more information. + +{{< details summary="Grant access to export logs to a Google project">}} + +To grant access to export logs to a Google project, `$LOG_PROJECT_ID`, in the [Google Cloud Console](https://console.cloud.google.com/), + +1. Go to the `$LOG_PROJECT_ID` project. +1. Go to the **IAM** page. +1. Select **Grant Access**. +1. Enter your principal, for example, `principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID`. +1. Assign the **Logs Writer** role. + +Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` command. + +```bash +gcloud projects add-iam-policy-binding "$LOG_PROJECT_ID" \ + --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \ + --role='roles/logging.logWriter' +``` + +{{< /details >}} + +{{< details summary="Grant access to export metrics to a Google project">}} + +To grant access to export metrics to a Google project, `$METRIC_PROJECT_ID` in the [Google Cloud Console](https://console.cloud.google.com/), + +1. Go to the `$METRIC_PROJECT_ID` project. 1. Go to the **IAM** page. 1. Select **Grant Access**. 1. 
Enter your principal, for example, `principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID`. -1. Assign roles. For example, - - To grant access to export logs, add the **Logs Writer** role. - - To grant access to export metrics, add the **Monitoring Metric Writer** role. - -Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` commands. -- To grant access to export logs to a Google project, `$LOG_PROJECT_ID`, - ```bash - gcloud projects add-iam-policy-binding "$LOG_PROJECT_ID" \ - --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \ - --role='roles/logging.logWriter' - ``` -- To grant access to export metrics to a Google project, `$METRIC_PROJECT_ID`, - ```bash - gcloud projects add-iam-policy-binding "$METRIC_PROJECT_ID" \ - --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \ - --role='roles/monitoring.metricWriter' - ``` - -See [Google's documentation on granting access](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#access) for more information. +1. Assign the **Monitoring Metric Writer** role. + +Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` command. 
+ +```bash +gcloud projects add-iam-policy-binding "$METRIC_PROJECT_ID" \ + --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \ + --role='roles/monitoring.metricWriter' +``` + +{{< /details >}} + +{{< details summary="Grant access to fetch a secret from Secret Manager">}} + +To grant access to fetch a secret, `$SECRET_ID`, in the [Google Cloud Console](https://console.cloud.google.com/), + +1. Go to the secret, `$SECRET_ID`, in Secret Manager. +1. Select the **Permissions** tab. +1. Select **Grant Access**. +1. Enter your principal, for example, `principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID`. +1. Assign the **Secret Manager Secret Accessor** role. + +Alternatively, to use the Google Cloud CLI, you can run the following `gcloud` command. + +```bash +gcloud secrets add-iam-policy-binding "$SECRET_ID" \ + --member="principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID" \ + --role='roles/secretmanager.secretAccessor' +``` + +If you have more than one secret that you would like fetched, you will need to grant access on each secret or grant access on the project your secrets are in. + +{{< /details >}} ### Update your NGINXaaS deployment with the name of your workload identity pool provider In the NGINXaaS Console, + 1. On the navigation menu, select **Deployments**. 1. Select the deployment you want to update and select **Edit**. 1. Enter your provider name, for example, `projects//locations//workloadIdentityPools//providers/`, under **Workload Identity Pool Provider Name**. diff --git a/content/nginxaas-google/monitoring/enable-monitoring.md b/content/nginxaas-google/monitoring/enable-monitoring.md index 03af7be0c2..15ff80c788 100644 
--- a/content/nginxaas-google/monitoring/enable-monitoring.md +++ b/content/nginxaas-google/monitoring/enable-monitoring.md @@ -13,7 +13,7 @@ Monitoring your application's performance is crucial for maintaining its reliabi ## Prerequisites - Enable the [Cloud Monitoring API](https://cloud.google.com/monitoring/api/enable-api). -- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/monitoring/access-management.md#configure-wif" >}}) for exact steps. +- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/getting-started/access-management.md#configure-wif" >}}) for exact steps. - Grant a project-level role or grant your principal access to the `roles/monitoring.viewer` role. See [Google's documentation on controlling access to Cloud Monitoring with IAM](https://cloud.google.com/monitoring/access-control). ## Export NGINXaaS metrics to a Google Cloud Project diff --git a/content/nginxaas-google/monitoring/enable-nginx-logs.md b/content/nginxaas-google/monitoring/enable-nginx-logs.md index 0b4e116385..23aa5e4398 100644 --- a/content/nginxaas-google/monitoring/enable-nginx-logs.md +++ b/content/nginxaas-google/monitoring/enable-nginx-logs.md 
@@ -13,7 +13,7 @@ F5 NGINXaaS for Google (NGINXaaS) supports integrating with Google Cloud service ## Prerequisites - Enable the [Cloud Logging API](https://docs.cloud.google.com/logging/docs/api/enable-api). -- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/monitoring/access-management.md#configure-wif" >}}) for exact steps. +- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/getting-started/access-management.md#configure-wif" >}}) for exact steps. - Grant a project-level role or grant your principal access to the `roles/logging.viewer` role. See [Google's documentation on controlling access to Cloud Logging with IAM](https://cloud.google.com/logging/docs/access-control). ## Setting up error logs diff --git a/go.mod b/go.mod index 43b73ce644..af22f6f541 100644 --- a/go.mod +++ b/go.mod @@ -2,4 +2,4 @@ module github.com/nginxinc/docs go 1.19 -require github.com/nginxinc/nginx-hugo-theme/v2 v2.0.0 // indirect +require github.com/nginxinc/nginx-hugo-theme/v2 v2.0.3 // indirect diff --git a/go.sum b/go.sum index 92ba848bca..a1cdaae988 100644 --- a/go.sum +++ b/go.sum @@ -1,2 +1,4 @@ github.com/nginxinc/nginx-hugo-theme/v2 v2.0.0 h1:Kgh/zeBP7vgPyXowPL2v9MTlRs0CDe31G+bvp7WbH34= github.com/nginxinc/nginx-hugo-theme/v2 v2.0.0/go.mod h1:TAmEMc0T/RKTQ0pI4LROWoUmyLXstrRmM2jE2ErdxWY= +github.com/nginxinc/nginx-hugo-theme/v2 v2.0.3 h1:2hLeYJ/I3gDmT5aqdjFPclxePJHBpEvQ4zbU/aIJmMU= +github.com/nginxinc/nginx-hugo-theme/v2 v2.0.3/go.mod h1:TAmEMc0T/RKTQ0pI4LROWoUmyLXstrRmM2jE2ErdxWY= From 6e652ad1d686bb1164e94d14400af34263702112 Mon Sep 17 00:00:00 2001 
From: Valyria McFarland Date: Thu, 22 Jan 2026 13:54:55 -0800 Subject: [PATCH 2/2] feat: add docs on certs in secret manager NGINXaaS can now fetch secrets from Secret Manager. This adds instructions on how to integrate with Secret Manager and use secrets as certificates for NGINX configurations. --- .../ssl-tls-certificates/overview.md | 4 +- .../ssl-tls-certificates-secret-manager.md | 46 +++++++++++++++++++ 2 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 content/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md diff --git a/content/nginxaas-google/getting-started/ssl-tls-certificates/overview.md b/content/nginxaas-google/getting-started/ssl-tls-certificates/overview.md index fe0da422ea..36bfe975ed 100644 --- a/content/nginxaas-google/getting-started/ssl-tls-certificates/overview.md +++ b/content/nginxaas-google/getting-started/ssl-tls-certificates/overview.md @@ -25,7 +25,7 @@ NGINX supports the following certificate formats: - PEM format certificates. -NGINXaaS allows you to upload these certificates as text and as files. +NGINXaaS allows you to upload these certificates as text, as files, and as secrets from [Secret Manager](https://docs.cloud.google.com/secret-manager/docs/overview). Encrypt your certificates, keys, and PEM files using one of these standards: @@ -36,5 +36,5 @@ Encrypt your certificates, keys, and PEM files using one of these standards: Add a certificate to your NGINXaaS deployment using your preferred client tool: +- TODO: add link for Secret Manager - [Add certificates using the NGINXaaS Console]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-console.md" >}}) - diff --git a/content/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md b/content/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md new file mode 100644 index 0000000000..26e3497d37 --- /dev/null
+++ b/content/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md 
@@ -0,0 +1,46 @@ +--- +title: Add certificates from Secret Manager +weight: 75 +toc: true +nd-docs: DOCS-000 +url: /nginxaas/google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager/ +nd-content-type: how-to +nd-product: NGOOGL +--- + +F5 NGINXaaS for Google Cloud (NGINXaaS) can fetch secrets directly from [Secret Manager](https://docs.cloud.google.com/secret-manager/docs/overview) to use as certificates in your NGINX configuration. + +## Prerequisites + +If you haven't already done so, complete the following prerequisites: + +- Enable the [Secret Manager API](https://docs.cloud.google.com/secret-manager/docs/configuring-secret-manager#enable-the-secret-manager-api). +- Configure Workload Identity Federation (WIF). See [our documentation on setting up WIF]({{< ref "/nginxaas-google/getting-started/access-management.md#configure-wif" >}}) for exact steps. + +## Add an SSL/TLS certificate to Secret Manager + +If you do not have a certificate in one of our [accepted formats]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/overview.md#supported-certificate-types-and-formats" >}}) in Secret Manager, follow Google's [instructions on adding a secret to Secret Manager](https://docs.cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#create-secret-console) + +## Use a Secret Manager certificate in an NGINX configuration + +To add your Secret Manager certificate to an NGINX configuration in the NGINXaaS console, + +- Select **Configurations** in the left menu. +- Select the ellipsis (three dots) next to the configuration you want to edit, and select **Edit**. +- Select **Continue** to open the configuration editor. +- In your configuration, select {{< icon "plus">}} **Add File** and either choose **Google Secret Manager** as the type. 
+- Provide the required path information: + {{< table >}} + + | Field | Description | Note | + |---------------------------- | ---------------------------- | ---- | + | Google Secret ID | This resource name of the secret in Secret Manager | The resource name must match the format `projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION` where `$VERSION` can be a specific version or an alias such as `latest`. | + | File Path | This path can match one or more ssl_certificate or ssl_certificate_key directive file arguments in your NGINX configuration. | The path must be unique within the same deployment. | + + {{< /table >}} +- Update the NGINX configuration to reference the certificate you just added by the path value. +- Select **Continue** and then **Save** to save your changes. + +## What's next + +[Upload an NGINX Configuration]({{< ref "/nginxaas-google/getting-started/nginx-configuration/nginx-configuration-console.md" >}}) \ No newline at end of file
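Review bot: in patch 1, the closing sentence of the "Grant access to fetch a secret from Secret Manager" block ("grant access on each secret or grant access on the project your secrets are in") should spell out what the project-level option implies: binding `roles/secretmanager.secretAccessor` at the project level lets the NGINXaaS principal read every secret in that project, not only the certificates, so the per-secret binding is the least-privilege choice and the project-wide one should be presented as a convenience trade-off. In the same block, `gcloud secrets add-iam-policy-binding "$SECRET_ID"` resolves the short `$SECRET_ID` against the active gcloud project, while the new console page in patch 2 expects the full `projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION` resource name; either add `--project` to the command or state that the secret must live in the currently configured project, so the two pages agree on what `$SECRET_ID` means.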
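Review bot: the go.mod/go.sum bump of `nginx-hugo-theme/v2` from v2.0.0 to v2.0.3 is not explained in the patch 1 commit message; if it is needed for the `{{< details >}}` shortcode the rewritten page now uses, say so there. The go.sum hunk also keeps both the v2.0.0 and v2.0.3 entries, so running `go mod tidy` before committing would drop the stale pair.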
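Review bot: in the overview.md hunk of patch 2, `+- TODO: add link for Secret Manager` ships a placeholder into the published certificate overview. The page it should point to is created in this same patch, so replace the TODO with a ref to `ssl-tls-certificates-secret-manager.md` in the same style as the console link on the following line, and list it after the console entry rather than before it.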
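Review bot: in the new ssl-tls-certificates-secret-manager.md page, "select {{< icon "plus">}} **Add File** and either choose **Google Secret Manager** as the type" has a stray "either" left over from a two-option sentence; drop it. Smaller fixes in the same file: the "Add an SSL/TLS certificate to Secret Manager" paragraph is missing its final period, "This resource name of the secret" in the table should read "The resource name of the secret", `nd-docs: DOCS-000` is still the placeholder document ID, and the file has no trailing newline.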
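Review bot: the Prerequisites list on the new page only tells the reader to configure WIF; unlike the logging and monitoring pages it never says to grant the WIF principal the **Secret Manager Secret Accessor** role on the secret, which patch 1 documents under "Grant access to fetch a secret from Secret Manager". Add that bullet with a ref to the access-management page so the fetch does not fail with a permission error after the steps are followed. Relatedly, the Google Secret ID note allows the `latest` alias but the page does not say when NGINXaaS resolves it (only when the configuration is saved, or on every fetch); with `latest` a newly added secret version can change the served certificate and key without any configuration change, so document that behaviour, since operators need it for rotation and for auditing which version is live, and consider recommending a pinned version where that matters.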