A Secret is a logical secret whose value and versions can be accessed.
A Secret is made up of zero or more SecretVersions that represent the secret data.
JSON representation
{"name": string,"createTime": string,"labels": {string: string,...},"topics": [{object (Topic)}],"etag": string,"rotation": {object (Rotation)},"versionAliases": {string: string,...},"annotations": {string: string,...},"versionDestroyTtl": string,"customerManagedEncryption": {object (CustomerManagedEncryption)},// Union field expiration can be only one of the following:"expireTime": string,"ttl": string// End of list of possible types for union field expiration.}
Fields
name
string
Output only. The resource name of the Secret in the format projects/*/locations/*/secrets/*.
Output only. The time at which the Secret was created.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
labels
map (key: string, value: string)
The labels assigned to this Secret.
Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}
Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}
No more than 64 labels can be assigned to a given resource.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Optional. Mapping from version alias to version name.
A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (-) and underscore ('_') characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.
Version-Alias pairs will be viewable via secrets.get and modifiable via secrets.patch. Access by alias is only be supported on GetSecretVersion and AccessSecretVersion.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
annotations
map (key: string, value: string)
Optional. Custom metadata about the secret.
Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database.
Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols.
The total size of annotation keys and values must be less than 16KiB.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Optional. Secret Version TTL after destruction request
This is a part of the Delayed secret version destroy feature. For secret with TTL>0, version destruction doesn't happen immediately on calling destroy instead the version goes to a disabled state and destruction happens after the TTL expires.
A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used.
Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
Union field expiration. Expiration policy attached to the Secret. If specified the Secret and all SecretVersions will be automatically deleted at expiration. Expired secrets are irreversibly deleted.
Expiration is not the recommended way to set time-based permissions. IAM Conditions is recommended for granting time-based permissions because the operation can be reversed. expiration can be only one of the following:
Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
Replication
A policy that defines the replication and encryption configuration of data.
JSON representation
{// Union field replication can be only one of the following:"automatic": {object (Automatic)},"userManaged": {object (UserManaged)}// End of list of possible types for union field replication.}
Fields
Union field replication. The replication policy for this secret. replication can be only one of the following:
Optional. The customer-managed encryption configuration of the Secret. If no configuration is provided, Google-managed default encryption is used.
Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
CustomerManagedEncryption
Configuration for encrypting secret payloads using customer-managed encryption keys (CMEK).
JSON representation
{"kmsKeyName": string}
Fields
kmsKeyName
string
Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.
For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the [replica location][Secret.UserManaged.Replica.location].
For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global.
The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.
UserManaged
A replication policy that replicates the Secret payload into the locations specified in [Secret.replication.user_managed.replicas][]
Optional. The customer-managed encryption configuration of the [User-Managed Replica][Replication.UserManaged.Replica]. If no configuration is provided, Google-managed default encryption is used.
Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
Topic
A Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.
JSON representation
{"name": string}
Fields
name
string
Identifier. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager service agent must have the pubsub.topic.publish permission on the topic. The Pub/Sub Publisher role (roles/pubsub.publisher) includes this permission.
Rotation
The rotation time and period for a Secret. At nextRotationTime, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. Secret.topics must be set to configure rotation.
Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Cannot be set to less than 300s (5 min) in the future and at most 3153600000s (100 years).
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-05-14 UTC."],[],[],null,["# REST Resource: projects.locations.secrets\n\n- [Resource: Secret](#Secret)\n - [JSON representation](#Secret.SCHEMA_REPRESENTATION)\n - [CustomerManagedEncryption](#Secret.CustomerManagedEncryption)\n - [JSON representation](#Secret.CustomerManagedEncryption.SCHEMA_REPRESENTATION)\n - [Topic](#Secret.Topic)\n - [JSON representation](#Secret.Topic.SCHEMA_REPRESENTATION)\n - [Rotation](#Secret.Rotation)\n - [JSON representation](#Secret.Rotation.SCHEMA_REPRESENTATION)\n- [Methods](#METHODS_SUMMARY)\n\nResource: Secret\n----------------\n\nA [Secret](/secret-manager/docs/reference/rest/v1/projects.locations.secrets#Secret) is a logical secret whose value and versions can be accessed.\n\nA [Secret](/secret-manager/docs/reference/rest/v1/projects.locations.secrets#Secret) is made up of zero or more [SecretVersions](/secret-manager/docs/reference/rest/v1/projects.locations.secrets.versions#SecretVersion) that represent the secret data.\n\n### Replication\n\nA policy that defines the replication and encryption configuration of data.\n\n### Automatic\n\nA replication policy that replicates the [Secret](/secret-manager/docs/reference/rest/v1/projects.locations.secrets#Secret) payload without any restrictions.\n\n### CustomerManagedEncryption\n\nConfiguration for encrypting secret payloads using customer-managed encryption keys (CMEK).\n\n### UserManaged\n\nA replication policy that replicates the [Secret](/secret-manager/docs/reference/rest/v1/projects.locations.secrets#Secret) payload into the locations specified in \\[Secret.replication.user_managed.replicas\\]\\[\\]\n\n### Replica\n\nRepresents a Replica for this [Secret](/secret-manager/docs/reference/rest/v1/projects.locations.secrets#Secret).\n\n### Topic\n\nA Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.\n\n### Rotation\n\nThe rotation time and period for a [Secret](/secret-manager/docs/reference/rest/v1/projects.locations.secrets#Secret). At nextRotationTime, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. [Secret.topics](/secret-manager/docs/reference/rest/v1/projects.locations.secrets#Secret.FIELDS.topics) must be set to configure rotation."]]
