Managing secrets with Secret Manager

With Cloud Code's Secret Manager integration, you can create, view, update, and use secrets within your IDE and without having them in your codebase.

This page describes how to access Secret Manager within your IDE and how you can get started creating and managing secrets.

Enabling Secret Manager

When managing secrets with Cloud Code, secrets are securely stored in Secret Manager and can be programmatically fetched when you need them. All you need is the Secret Manager API enabled and the right permissions to manage secrets:

  1. To launch Secret Manager, click on the Secret Manager view Secret Manager icon in the VS Code Activity bar.

  2. If you haven't enabled the Secret Manager API, Cloud Code prompts you to enable it within the Secret Manager panel.

    Your secret also needs to be in the same project as your application code; ensure you have the right project selected or switch using the project selector in the Secret Manager panel.

    Enable API link available within the Secret Manager view

Creating and viewing secrets

Creating secrets

You can create a secret with one of the following methods:

Using the Secret Manager view

  1. Select the Secret Manager view Secret Manager icon.

  2. Click the Add icon.

    This launches a Create Secret dialog where you can set your secret's project, name, and value, as well as choose a region to store your secret and labels to organize your secrets.

    Create Secret dialog open with Name field filled out as 'test-secret-2' and Secret Value filled out as '42'

Using the editor

  1. Open a file containing text you would like to store as a secret in the editor.
  2. Highlight and right-click this text.

    From the menu, select the Create Secret in Secret Manager menu item. This opens the Create Secret dialog with the secret value filled in with the highlighted text. You can customize the secret's project, name, value, region, and labels here.

Creating new versions of secrets

If you have an existing secret and would like to update it, you can do so by within the Secret Manager View:

  1. Right-click an existing secret and choose Create Secret Version.

    This launches a Create Version dialog where you can set the value of your existing secret either using the Secret value field or by importing a file.

    Create Secret version dialog open with Secret value field for secret 'test-secret' updated as 'bar'

  2. If you'd prefer to remove all previous versions of your secret and keep just the new version being created, choose Disable all past versions.

  3. Once you click Create Version and your version is added, you can see your latest secret version, and all the versions of your secret listed under the Versions dropdowns.

Alternatively, to launch the Create Version dialog using the editor, open a file and highlight the text you would like to store as a secret in the editor. Right-click the highlighted text and choose the Add Version to Secret in Secret Manager menu option.

Managing secrets

To view secrets, within the Secret Manager View, select a secret from the list displayed. Details such as name, replication policy, creation timestamp, and resource ID are listed under the Properties dropdown.

Within this view, you can also right-click a secret and enable, disable, or destroy a version of the secret. For enabled versions of secrets, you can also view the version's value.

To view and manage the secret in your browser, you can also right-click the secret and choose Open in Cloud Console.

Right-click secret in Secret Manager to view Open in Cloud Console option. Properties dropdown also visible in the secret manager view.

Accessing secrets from your application

Once your secret is created, you can include it in your code and set up authentication.

To access your newly created secret from your application, follow these steps:

  1. Install the Secret Manager client library.

    Click on the Cloud Code - Cloud APIs icon Cloud Code - Cloud APIs icon from the VS Code Activity bar and within the Google Cloud APIs explorer tree, select Secret Manager > Secret Manager API. Follow the language-specific instructions laid out in the Install Client Library section.

  2. Customize and include the relevant code snippet in your application's code.

    To obtain your secret's version name to use in your code, you can select the secret in the Secret Manager panel, right-click, and choose Copy Resource ID.

  3. Finally, to complete your authentication setup, you need to follow the Client libraries authentication guide:

    • Local development: If you're developing on a local cluster (like minikube, Docker Desktop) or a local emulator, you should complete the steps illustrated in the Local development section relevant to your workflow.
    • Remote development: If you're using a GKE cluster or a Cloud Run service in your application, you should complete the steps illustrated in the Remote development section relevant to your workflow, including the Secret Manager-specific instructions for setting up the required roles on your service account.

Getting Support

To send feedback, report issues on GitHub, or ask a question on Stack Overflow.