Manage secrets with Secret Manager in Cloud Code for Cloud Shell


With Cloud Code's Secret Manager integration, you can create, view, update, and use secrets in your IDE without storing them in your codebase.

This page describes how to access Secret Manager in your IDE and how you can get started creating and managing secrets.

Enabling Secret Manager

When you manage secrets with Cloud Code, they are securely stored in Secret Manager and can be fetched programmatically when you need them. All you need is the Secret Manager API enabled and the right permissions to manage secrets:

  1. Make sure that you're working in the project where your application code resides. Your secret must be in the same project as your application code.

  2. To open the Secret Manager Explorer, click Cloud Code - Secret Manager.

  3. If you haven't enabled the Secret Manager API, click Enable Secret Manager API in the Secret Manager section.

Creating secrets using the Secret Manager view

  1. To open the Secret Manager Explorer, click Cloud Code - Secret Manager.

  2. Click Create Secret in the Secret Manager section.

    In the Create Secret dialog, set your secret's project, name, value, and region, and specify labels to organize your secrets.

Creating secrets using the editor view

  1. Open a file containing text that you want to store as a secret in the editor.
  2. Highlight the text to store as a secret, right-click, and then click Create Secret in Secret Manager.
  3. In the Create Secret dialog, customize the secret's project, name, value, region, and labels.

Creating new versions of secrets using the Secret Manager

To update an existing secret, you can create a new version of the secret:

  1. Right-click an existing secret and then choose Create Secret Version.

  2. In the Create Version dialog, set the new value of your existing secret using the Secret value field or by importing a file.

    [Screenshot: Create Secret Version dialog with the Secret value field for the secret 'test-secret' updated to 'bar']

  3. To remove all previous versions of your secret and keep just the new version you're creating, choose Disable all past versions.

  4. Click Create Version. Your version is added and you can see the latest secret version and previous versions listed under the Versions dropdowns.

Creating new versions of secrets using the editor

To update an existing secret, you can create a new version of the secret:

  1. In the editor, open a file and highlight the text to store as a secret.
  2. Right-click the highlighted text and then choose Add Version to Secret in Secret Manager.

Viewing secrets

  1. To open the Kubernetes Explorer, click Cloud Code - Kubernetes.
  2. Expand your cluster and then expand Secrets.
  3. Expand the secret to view its details.

Deleting secrets

To delete a secret using the Secret Manager in Cloud Code, follow these steps:

  1. To open the Secret Manager Explorer, click Cloud Code - Secret Manager.

  2. Right-click an existing secret and select Open in Cloud Console.

  3. On the Secret details page, click DELETE and follow the prompts to delete the secret.

Viewing secrets

To view secrets, in the Secret Manager section, select a secret from the list. Details of the secret such as name, replication policy, creation timestamp, and resource ID are listed below the secret name.

Managing secret versions

To enable, disable, or destroy a version of a secret, right-click the secret and then choose the command for the action you want to perform. For enabled versions of secrets, you can also view the version's value.

Managing secrets in Google Cloud console

To view and manage a secret in your browser, you can also right-click the secret and then click Open in Cloud console.

[Screenshot: right-click menu on a secret in Secret Manager showing the Open in Google Cloud console option; the Properties dropdown is also visible in the Secret Manager view]

Accessing secrets from your application

After your secret is created, you can include it in your code and set up authentication.

To access a secret from your application:

  1. Install the Secret Manager client library.

    1. To open the Cloud APIs Explorer, click Cloud Code - Cloud Run.

    2. Expand Secret Manager > Secret Manager API and then follow the instructions in the Install Client Library section for the language you're using.

  2. Customize and include the relevant code snippet in your application's code.

    To obtain your secret's version name to use in your code, select the secret in the Secret Manager panel, right-click, and then choose Copy Resource ID.

  3. To complete your authentication setup, follow the Client libraries authentication guide:

    • Local development: If you're developing on a local cluster (like minikube or Docker Desktop) or a local emulator, you should complete the steps illustrated in the Local development section relevant to your workflow.
    • Remote development: If you're using a GKE cluster or a Cloud Run service in your application, you should complete the steps illustrated in the Remote development section relevant to your workflow, including the Secret Manager-specific instructions for setting up the required roles on your service account.
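
The following Python sketch of step 2 is an added example, not code from the Cloud Code documentation: it validates a version name built from the copied resource ID, refuses the floating `latest` alias unless asked, and fetches the payload with the `google-cloud-secret-manager` client. The project `example-project`, the secret `test-secret` with value `bar`, and `FakeClient` are constructed for an offline run; only global (non-regional) names with a numeric version or `latest` are handled.

```python
import re

# Global (non-regional) secret version name: the copied resource ID of a
# secret followed by /versions/<number or latest>.
_VERSION_RE = re.compile(
    r"projects/(?P<project>[^/]+)/secrets/(?P<secret>[A-Za-z0-9_-]{1,255})"
    r"/versions/(?P<version>[0-9]+|latest)"
)


def parse_version_name(resource_id, allow_latest=False):
    """Validate a secret version name and return its parts as a dict."""
    match = _VERSION_RE.fullmatch(resource_id.strip())
    if match is None:
        raise ValueError("not a secret version resource name")
    if match["version"] == "latest" and not allow_latest:
        # A pinned number keeps a new version from silently changing what
        # an already-deployed release reads.
        raise ValueError("pin a numbered version instead of 'latest'")
    return match.groupdict()


def access_secret(resource_id, client=None, allow_latest=False):
    """Fetch the payload bytes of one secret version."""
    name = resource_id.strip()
    parse_version_name(name, allow_latest)
    if client is None:
        # Lazy import: validation works without the client library installed.
        from google.cloud import secretmanager
        client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    return response.payload.data


class FakeClient:
    """Constructed stand-in for SecretManagerServiceClient (offline demo)."""
    def __init__(self, store):
        self._store = store

    def access_secret_version(self, request):
        payload = type("Payload", (), {"data": self._store[request["name"]]})
        return type("Response", (), {"payload": payload})


if __name__ == "__main__":
    name = "projects/example-project/secrets/test-secret/versions/2"  # constructed
    value = access_secret(name, client=FakeClient({name: b"bar"}))
    print("fetched", len(value), "bytes")  # log the size, never the value
```

With real credentials configured as described in step 3, call `access_secret(name)` without the `client` argument.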

Adding a secret as an environment variable

To add an existing Kubernetes secret to the deployment as an environment variable:

  1. To open the Kubernetes Explorer, click Cloud Code - Kubernetes.
  2. Expand your minikube cluster and then expand Secrets.
  3. Right-click a secret that represents a deployment object and then click Add Secret as Environment Variable.

Mounting a secret as a volume

To mount an existing Kubernetes secret as a volume in the deployment's container:

  1. To open the Kubernetes Explorer, click Cloud Code - Kubernetes.
  2. Expand your minikube cluster and then expand Secrets.
  3. Right-click a secret that represents a deployment object and then click Mount Secret as Volume.
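
How the two options above look from inside the container, as an added Python example that is not part of the original page: a Secret mounted as a volume appears as one file per key and is refreshed by the kubelet after the Secret changes (except for `subPath` mounts), while an environment variable keeps the value it had at container start. The key `password`, the variable `TEST_SECRET`, and the values `foo` and `bar` are constructed; a temporary directory stands in for the mount path.

```python
import os
import tempfile
from pathlib import Path


def read_mounted_secret(mount_dir, key):
    """Read one key of a Secret mounted as a volume (one file per key)."""
    if not key or key in (".", "..") or "/" in key or "\\" in key:
        raise ValueError("invalid secret key name")
    # Read on every call so a refreshed file is picked up without a restart.
    return (Path(mount_dir) / key).read_bytes()


def read_env_secret(var_name, environ=os.environ):
    """Read a secret injected as an environment variable."""
    # The value was fixed when the container started; it stays stale until
    # the pod is recreated, and child processes inherit it.
    value = environ.get(var_name)
    if value is None:
        raise KeyError(f"{var_name} is not set")
    return value.encode()


def load_secret(key, mount_dir, env_var, environ=os.environ):
    """Prefer the mounted file; fall back to the environment variable."""
    try:
        return read_mounted_secret(mount_dir, key), "volume"
    except FileNotFoundError:
        return read_env_secret(env_var, environ), "env"


def demo():
    """Constructed scenario: the secret changes from 'foo' to 'bar' after startup."""
    with tempfile.TemporaryDirectory() as mount:
        env = {"TEST_SECRET": "foo"}                 # captured at container start
        secret_file = Path(mount) / "password"
        secret_file.write_text("foo")
        before = load_secret("password", mount, "TEST_SECRET", env)
        secret_file.write_text("bar")                # simulated kubelet refresh
        after_volume = load_secret("password", mount, "TEST_SECRET", env)
        after_env = read_env_secret("TEST_SECRET", env)
        return before, after_volume, after_env


if __name__ == "__main__":
    before, after_volume, after_env = demo()
    print(before[1], after_volume[1], after_volume[0] != after_env)
```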