Manage secrets with Secret Manager in Cloud Code for Cloud Shell

With Cloud Code's Secret Manager integration, you can create, view, update, and use secrets in your IDE without storing them in your codebase.

This page describes how to access Secret Manager in your IDE and how you can get started creating and managing secrets.


For step-by-step guidance on this task directly in Cloud Shell Editor, click Guide me.


The following sections take you through the same steps as clicking Guide me.

Enabling Secret Manager

When you manage secrets with Cloud Code, they are securely stored in Secret Manager and can be fetched programmatically when you need them. You need the Secret Manager API enabled and the right permissions to manage secrets:

  1. Make sure that you're working in the project where your application code resides. Your secret must be in the same project as your application code.

  2. To launch Secret Manager, click Cloud Code - Secret Manager in the Activity bar.

  3. If you haven't enabled the Secret Manager API, enable it in the Secret Manager pane when prompted.


Creating secrets using the Secret Manager view

  1. Click Cloud Code - Secret Manager in the Activity bar.

  2. Click + Create Secret.

    In the Create Secret dialog, set your secret's project, name, value, and region, and specify labels to organize your secrets.


Creating secrets using the editor view

  1. Open a file containing text that you want to store as a secret in the editor.
  2. Highlight the text to store as a secret, right-click, and then click Create Secret in Secret Manager.
  3. In the Create Secret dialog, customize the secret's project, name, value, region, and labels.

Creating new versions of secrets using the Secret Manager view

To update an existing secret, you can create a new version of the secret:

  1. Right-click an existing secret and then choose Create Secret Version.

  2. In the Create Version dialog, set the new value of your existing secret using the Secret value field or by importing a file.

  3. To remove all previous versions of your secret and keep just the new version you're creating, choose Disable all past versions.

  4. Click Create Version. Your version is added and you can see the latest secret version and previous versions listed under the Versions dropdowns.

Creating new versions of secrets using the editor

To update an existing secret, you can create a new version of the secret:

  1. In the editor, open a file and highlight the text to store as a secret.
  2. Right-click the highlighted text and then choose Add Version to Secret in Secret Manager.

Deleting secrets

To delete a secret via the Secret Manager in Cloud Code, follow these steps:

  1. Click Cloud Code and then expand the Secret Manager section.

  2. Right-click an existing secret and select Open in Cloud Console.

  3. On the Secret details page, click DELETE and follow the prompts to delete the secret.

For other methods of deleting secrets, see Managing secrets.

Other functions

To view secrets, in the Secret Manager section, select a secret from the list. Details of the secret such as name, replication policy, creation timestamp, and resource ID are listed below the secret name.

To enable, disable, or destroy a version of a secret, right-click the secret and then choose the command for the action you want to perform. For enabled versions of secrets, you can also view the version's value.

To view and manage a secret in your browser, you can also right-click the secret and then click Open in Cloud console.


Accessing secrets from your application

After your secret is created, you can include it in your code and set up authentication.

To access a secret from your application, follow these steps:

  1. Install the Secret Manager client library.

    1. Click Cloud Code - Cloud APIs in the Activity bar.

    2. In the Google Cloud APIs explorer tree, click Secret Manager > Secret Manager API. Follow the instructions in the Install Client Library section for the language you're using.

  2. Customize and include the relevant code snippet in your application's code.

    To obtain your secret's version name to use in your code, select the secret in the Secret Manager panel, right-click, and then choose Copy Resource ID.

  3. To complete your authentication setup, follow the Client libraries authentication guide:

    • Local development: If you're developing on a local cluster (such as minikube or Docker Desktop) or a local emulator, you should complete the steps illustrated in the Local development section relevant to your workflow.
    • Remote development: If you're using a GKE cluster or a Cloud Run service in your application, you should complete the steps illustrated in the Remote development section relevant to your workflow, including the Secret Manager-specific instructions for setting up the required roles on your service account.
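
Step 2 above in code, as an added example that is not from the original page or from Cloud Code: it validates a value pasted from Copy Resource ID and reads the secret with the Python client library (google-cloud-secret-manager). It assumes a global (non-regional) secret; the helper names `version_name` and `read_secret` and the policy of refusing the floating `latest` alias are choices of this example.

```python
import re

# Global Secret Manager resource names, with the version part optional:
#   projects/<project>/secrets/<secret-id>[/versions/<number|latest>]
_RESOURCE_RE = re.compile(
    r"projects/(?P<project>[^/\s]+)"
    r"/secrets/(?P<secret>[A-Za-z0-9_-]{1,255})"
    r"(?:/versions/(?P<version>latest|[1-9][0-9]*))?"
)
_VERSION_RE = re.compile(r"latest|[1-9][0-9]*")


def version_name(resource_id, version=None, allow_latest=False):
    """Return a validated versions/<n> resource name for a copied resource ID."""
    match = _RESOURCE_RE.fullmatch(resource_id.strip())
    if match is None:
        raise ValueError("not a Secret Manager secret or version resource ID")
    # An explicit version argument overrides one embedded in the copied ID.
    chosen = str(version) if version is not None else match.group("version")
    if chosen is None or not _VERSION_RE.fullmatch(chosen):
        raise ValueError("a version number is required")
    if chosen == "latest" and not allow_latest:
        # "latest" silently follows every new version; this example pins instead.
        raise ValueError("refusing floating 'latest'; pin a version number")
    return "projects/{}/secrets/{}/versions/{}".format(
        match.group("project"), match.group("secret"), chosen
    )


def read_secret(resource_id, version=None, client=None):
    """Fetch the secret payload as bytes; the value is returned, never logged."""
    if client is None:
        # Lazy import: name validation above works without the client library.
        from google.cloud import secretmanager
        client = secretmanager.SecretManagerServiceClient()
    name = version_name(resource_id, version)
    response = client.access_secret_version(request={"name": name})
    return response.payload.data
```

Passing a `client` lets you substitute a stub in unit tests, so the test suite never needs real credentials or a real secret value.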

Adding a secret as an environment variable

To add an existing Kubernetes secret to the deployment as an environment variable:

  1. In the Kubernetes Explorer, expand your minikube cluster and then expand Secrets.
  2. Right-click a secret that represents a deployment object and then click Add Secret as Environment Variable.

Mounting a secret as a volume

To mount an existing Kubernetes secret as a volume in the deployment's container:

  1. In the Kubernetes Explorer, expand your minikube cluster and then expand Secrets.
  2. Right-click a secret that represents a deployment object and then click Mount Secret as Volume.