Secret Manager
Store API keys, passwords, certificates, and sensitive data
Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data.
The first six secret versions are free. New customers get $300 in free credits to spend on Secret Manager.
Features
Least privilege made easy
Easily follow the principle of least privilege with Secret Manager's Cloud IAM roles. You can grant individual permissions to secrets and separate the ability to manage secrets from the ability to access their data.
Simplified life cycle management
Secret Manager enables simple life cycle management with first class versioning and the ability to pin requests to the latest version of a secret. You can use Cloud Functions to automate rotation.
Powerful auditing, built in
With Cloud Audit Logs integration, every interaction with Secret Manager generates an audit log. This integration makes meeting audit and compliance requirements easy.
Replication policies
Secret names are project-global resources, but secret data is stored in regions. You can choose specific regions in which to store your secrets, or you can let us decide. Either way, we automatically handle the replication of secret data.
First-class versioning
Secret data is immutable and most operations take place on secret versions. With Secret Manager, you can pin a secret to specific versions like "42" or floating aliases like "latest."
Cloud IAM integration
Control access to secrets the same way you control access to other Google Cloud resources. Only project owners have permission to access Secret Manager secrets; other roles must explicitly be granted permissions through Cloud IAM.
Audit logging
With Cloud Audit Logs enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.
Encrypted by default
Data is encrypted in transit with TLS and at rest with AES-256-bit encryption keys.
VPC Service Controls support
Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.
Powerful and extensible
Secret Manager's API-first design makes it easy to extend and integrate into existing systems. It is also integrated into popular third-party technologies like HashiCorp Terraform and GitHub Actions.
How It Works
Secret Manager lets you store, manage, and access secrets as binary blobs or text strings. Secret Manager works well for storing configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime.
Secret Manager lets you store, manage, and access secrets as binary blobs or text strings. Secret Manager works well for storing configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime.
Common Uses
Secrets management
Create a secret
Create a secret
- Go to the Secret Manager page in the Google Cloud console.
- On the Secret Manager page, click Create secret.
- On the Create secret page, under Name, enter a name for the secret (for example, my-secret). A secret name can contain uppercase and lowercase letters, numerals, hyphens, and underscores. The maximum allowed length for a name is 255 characters.
- Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example, abcd1234). The secret value can be in any format but must not be larger than 64 KiB. You can also upload a text file containing the secret value using the Upload file option.
- Click the Create secret button.
Tutorials, quickstarts, & labs
Create a secret
Create a secret
- Go to the Secret Manager page in the Google Cloud console.
- On the Secret Manager page, click Create secret.
- On the Create secret page, under Name, enter a name for the secret (for example, my-secret). A secret name can contain uppercase and lowercase letters, numerals, hyphens, and underscores. The maximum allowed length for a name is 255 characters.
- Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example, abcd1234). The secret value can be in any format but must not be larger than 64 KiB. You can also upload a text file containing the secret value using the Upload file option.
- Click the Create secret button.
Pricing
| How Secret Manager pricing works | When you use Secret Manager, you are charged for operations and active secret versions. | |
|---|---|---|
| Service | Description | Price |
Get started free | New users get $300 in free trial credits to use within 90 days. | Free |
All customers get six secret versions for analyzing and storing sensitive data. | Free | |
Secret versions | Active | $0.06 per version per location |
Destroyed | Free | |
Operations | Access operations | $0.03 per 10,000 operations |
Management operations | Free | |
Notifications | Rotation notifications | $0.05 per rotation Secret Manager bills for every SECRET_ROTATE message sent to a Pub/Sub topic. |
Learn more about Secret Manager pricing
How Secret Manager pricing works
When you use Secret Manager, you are charged for operations and active secret versions.
All customers get six secret versions for analyzing and storing sensitive data.
Free
Secret versions
Active
$0.06 per version per location
Destroyed
Free
Operations
Access operations
$0.03 per 10,000 operations
Management operations
Free
Notifications
Rotation notifications
$0.05 per rotation
Secret Manager bills for every SECRET_ROTATE message sent to a Pub/Sub topic.
Learn more about Secret Manager pricing
Pricing Calculator
Request a custom quote
Take the next step
Start your next project, explore interactive tutorials, and manage your account.
Need help getting started?
Need help getting started?
Work with a trusted partner
