Manage secrets with Secret Manager in Cloud Code for VS Code

With Cloud Code's Secret Manager integration, you can create, view, update, and use secrets in your IDE without storing them in your codebase.

This page describes how to access Secret Manager in your IDE and how you can get started creating and managing secrets.



Enabling Secret Manager

When managing secrets with Cloud Code, secrets are securely stored in Secret Manager and can be programmatically fetched when you need them. All you need is the Secret Manager API enabled and the right permissions to manage secrets:

  1. Make sure that you're working in the project where your application code resides. Your secret must be in the same project as your application code.

  2. Click Cloud Code and then expand the Secret Manager section.

  3. If you haven't enabled the Secret Manager API, click Enable Secret Manager API in the Secret Manager section.


Creating secrets using the Secret Manager view

  1. Click Cloud Code and then expand the Secret Manager section.

  2. Click Create Secret in the Secret Manager section.

    In the Create Secret dialog, set your secret's project, name, value, and region, and specify labels to organize your secrets.


Creating secrets using the editor view

  1. Open a file containing text that you want to store as a secret in the editor.
  2. Highlight the text to store as a secret, right-click, and then click Create Secret in Secret Manager.
  3. In the Create Secret dialog, customize the secret's project, name, value, region, and labels.

Creating new versions of secrets using the Secret Manager

To update an existing secret, you can create a new version of the secret:

  1. Right-click an existing secret and then choose Create Secret Version.

  2. In the Create Version dialog, set the new value of your existing secret using the Secret value field or by importing a file.


  3. To disable all previous versions of your secret so that only the new version you're creating stays enabled, choose Disable all past versions.

  4. Click Create Version. Your version is added and you can see the latest secret version and previous versions listed under the Versions dropdowns.

Creating new versions of secrets using the editor

To update an existing secret, you can create a new version of the secret:

  1. In the editor, open a file and highlight the text to store as a secret.
  2. Right-click the highlighted text and then choose Add Version to Secret in Secret Manager.

Viewing Kubernetes secrets

  1. Click Cloud Code and then expand the Kubernetes section.
  2. Expand your cluster and then expand Secrets.
  3. Expand the secret to view its details.

Deleting secrets

To delete a secret using the Secret Manager in Cloud Code, follow these steps:

  1. Click Cloud Code and then expand the Secret Manager section.

  2. Right-click an existing secret and select Open in Cloud Console.

  3. On the Secret details page, click DELETE and follow the prompts to delete the secret.

Viewing secrets

To view secrets, in the Secret Manager section, select a secret from the list. Details of the secret such as name, replication policy, creation timestamp, and resource ID are listed below the secret name.

Managing secret versions

To enable, disable, or destroy a version of a secret, right-click the secret and then choose the command for the action you want to perform. For enabled versions of secrets, you can also view the version's value.

Managing secrets in Google Cloud console

To view and manage a secret in your browser, you can also right-click the secret and then click Open in Cloud console.


Accessing secrets from your application

After your secret is created, you can include it in your code and set up authentication.

To access a secret from your application:

  1. Install the Secret Manager client library.

    1. Click Cloud Code and then expand the Cloud APIs section.

    2. Expand Secret Manager > Secret Manager API and then follow the instructions in the Install Client Library section for the language you're using.

  2. Customize and include the relevant code snippet in your application's code.

    To obtain your secret's version name to use in your code, select the secret in the Secret Manager panel, right-click, and then choose Copy Resource ID.

  3. To complete your authentication setup, follow the Client libraries authentication guide:

    • Local development: If you're developing on a local cluster (like minikube or Docker Desktop) or a local emulator, you should complete the steps illustrated in the Local development section relevant to your workflow.
    • Remote development: If you're using a GKE cluster or a Cloud Run service in your application, you should complete the steps illustrated in the Remote development section relevant to your workflow, including the Secret Manager-specific instructions for setting up the required roles on your service account.
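
The following Python example is added here to illustrate steps 2 and 3; it is not the snippet Cloud Code provides. It turns a copied resource ID into a version name and reads the value at run time with the client library's `access_secret_version` call. The helper names, the sample project and secret IDs, the `FakeClient` stand-in, and the assumption that the copied ID uses the global `projects/.../secrets/...` form are all constructed for the example.

```python
import re
from types import SimpleNamespace

# Assumed form of the copied ID: a secret, optionally followed by a version.
_RESOURCE_ID = re.compile(
    r"^projects/(?P<project>[^/]+)/secrets/(?P<secret>[A-Za-z0-9_-]{1,255})"
    r"(?:/versions/(?P<version>\d+|latest))?$"
)


def version_name(resource_id: str, version: str = "latest") -> str:
    """Build the full secret-version name from a copied resource ID.

    A version already present in the ID is kept; otherwise `version` is
    appended. Pinning a number instead of "latest" means a new version
    does not silently change what a deployed release reads.
    """
    m = _RESOURCE_ID.match(resource_id.strip())
    if m is None:
        raise ValueError("not a Secret Manager resource ID")
    chosen = m["version"] or version
    if not re.fullmatch(r"\d+|latest", chosen):
        raise ValueError("version must be a number or 'latest'")
    return f"projects/{m['project']}/secrets/{m['secret']}/versions/{chosen}"


def read_secret(resource_id: str, version: str = "latest", client=None) -> str:
    """Fetch the value at call time; it is never written to disk or logged."""
    if client is None:
        # Lazy import: needs the google-cloud-secret-manager package and
        # credentials set up as in step 3.
        from google.cloud import secretmanager
        client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(
        request={"name": version_name(resource_id, version)}
    )
    return response.payload.data.decode("utf-8")


class FakeClient:
    """Constructed stand-in for the real client so the example runs offline."""
    def access_secret_version(self, request):
        self.requested = request["name"]
        return SimpleNamespace(payload=SimpleNamespace(data=b"42"))


if __name__ == "__main__":
    rid = "projects/example-project/secrets/test-secret-1"  # constructed ID
    print(version_name(rid, "3"))
    print(len(read_secret(rid, "3", client=FakeClient())), "bytes read")
```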

Adding a secret as an environment variable

To add an existing Kubernetes secret to the deployment as an environment variable:

  1. Click Cloud Code and then expand the Kubernetes section.
  2. Expand your minikube cluster and then expand Secrets.
  3. Right-click a secret that represents a deployment object and then click Add Secret as Environment Variable.

Mounting a secret as a volume

To mount an existing Kubernetes secret as a volume in the deployment's container:

  1. Click Cloud Code and then expand the Kubernetes section.
  2. Expand your minikube cluster and then expand Secrets.
  3. Right-click a secret that represents a deployment object and then click Mount Secret as Volume.

Getting Support

To send feedback, report issues on GitHub or ask a question on Stack Overflow.