Accessing the API

Secret Manager exposes a REST API and a gRPC API for using and managing secrets directly or in your applications. This topic shows how to enable the Secret Manager API.

When the Secret Manager API is enabled, you can use the following tools to help integrate Secret Manager into your applications and processes.

  • The Cloud SDK, which provides a command-line interface for managing secrets from clients.

  • Convenient, idiomatic Secret Manager client libraries, which allow you to access and manage secrets from within your application source code. Client libraries are available in many languages including C# (.NET), Go, Java, Node.js, PHP, Python, and Ruby.

Enabling API access

Before you begin using Secret Manager, you must enable API access.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the required API.

    Enable the API

  5. Install and initialize the Cloud SDK.


Requests to the Secret Manager API require authentication. When using the Cloud SDK or a client libraries, authentication information is usually injected into the request automatically. For example, if you authenticate using gcloud command-line tool, future requests will automatically inject the authentication.


gcloud auth login --update-adc

When using the API directly, you must pass authentication information with the request as a header. This example demonstrates using curl to authenticate to the Secret Manager API:


curl "" \
    --header "Authorization: Bearer ACCESS_TOKEN"
  • PROJECT_ID is the Google Cloud project ID in which you want to use Secret Manager.

  • ACCESS_TOKEN is an OAuth Access Token. It is specified as the Authorization header with a prefixed value of Bearer.

If you have the Cloud SDK installed, you can generate a temporary OAuth access token by running:


gcloud auth print-access-token

To learn about other ways to generate temporary OAuth access tokens, see creating short-lived credentials. To learn about authenticating to Google Cloud, see Google Cloud authentication overview.

OAuth scopes

To use Secret Manager with workloads running on Compute Engine or GKE, the underlying instance or node must have the cloud-platform OAuth scope. If you receive an error with the following message, it means the instance or node was not provisioned with the correct OAuth scopes.

Request had insufficient authentication scopes

The required OAuth scope to use Secret Manager is:

When creating a new instance, instance group, or node pool, specify the cloud-platform scope:


gcloud compute instances create "INSTANCE_ID" \
    --scopes ""

For an existing instance, instance group, or node pool, update the access scopes:


gcloud compute instances set-service-account "INSTANCE_ID" \
    --service-account "SERVICE_ACCOUNT_EMAIL" \
    --scopes ""

See the Compute Engine service account permissions for more information.

App Engine

To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.

What's next