This topic describes how to access a secret version. Accessing a secret version
returns the secret contents and additional metadata about the secret
version. When you access a secret version, you specify its version-id
or alias if assigned. You can also access the latest version of a
secret by specifying "latest"
as the version.
Required roles
To get the permissions that you need to access a secret version,
ask your administrator to grant you the
Secret Manager Secret Accessor (roles/secretmanager.secretAccessor
) IAM role on a secret.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Access a secret version
Console
-
Go to the Secret Manager page in the Google Cloud console.
-
On the Secret Manager page, click on the Name of a secret.
-
On the Secret details page, in the Versions table, locate a secret version to access.
-
In the Actions column, click View more
. -
Click View secret value from the menu.
-
You will see dialog that shows the secret version value. Click Done to finish.
gcloud
To use Secret Manager on the command line, first Install or upgrade to version 378.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Access a secret version:
$ gcloud secrets versions access version-id --secret="secret-id"
Accessing a binary secret version:
To write raw bytes to a file use --out-file flag:
$ gcloud secrets versions access version-id --secret="secret-id" --out-file="path/to/secret"
To get the raw bytes, have Cloud SDK print the response as base64-encoded and decode:
$ gcloud secrets versions access version-id --secret="secret-id" --format='get(payload.data)' | tr '_-' '/+' | base64 -d
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id/versions/version-id:access" \
--request "GET" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json"
The response payload.data
is the base64-encoded contents of the secret version. Here is an example of extracting the secret using the jq
tool:
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id/versions/version-id:access" \
--request "GET" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
| jq -r ".payload.data" | base64 --decode
Resource consistency
In Secret Manager, adding a secret version and then immediately accessing that secret version by version number is a strongly consistent operation.
Other operations within Secret Manager are eventually consistent. Eventually consistent operations typically converge within minutes, but may take a few hours.
Propagating IAM permissions is eventually consistent. This means granting or revoking access to secrets may not take effect immediately. For more information, see Access change propagation.
What's next
- Learn how to assign an alias to a secret version.
- Learn how to disable a secret version.
- Learn how to destroy a secret version.