Is there aws-vault kind of tool for GCP?
I would like to keep my tokens encrypted in my operating system’s keychain and use them easily with gcloud CLI.
So, does https://github.com/99designs/aws-vault for gcp exist?
It sounds like you want https://cloud.google.com/secret-manager .
From the documentation, it claims to:
Store API keys, passwords, certificates, and other sensitive data.
which sounds like it does what you want it to do.
However, you state
I would like to keep my tokens encrypted in my operating system’s keychain
-- I don't see why you would want to do that though, if you have secrets manager. The secrets manager should be the source of truth, and the machine should be authorised via IAM to access specific secrets on demand, not persisted in the OS keychain. If the OS is compromised, the secrets will be exposed, whilst the attacker would need to break secrets manager or IAM in order to access them if they are consumed uniquely from secrets manager.