Secret Manager exposes a REST API and a gRPC API for using and managing secrets directly or in your applications. This topic shows how to enable the Secret Manager API.
When the Secret Manager API is enabled, you can use the following tools to help integrate Secret Manager into your applications and processes.
- The Google Cloud CLI, which provides a command-line interface for managing secrets from clients.
- Convenient, idiomatic Secret Manager client libraries, which allow you to access and manage secrets from within your application source code. Client libraries are available in many languages including C# (.NET), Go, Java, Node.js, PHP, Python, and Ruby.
Enabling API access
Before you begin using Secret Manager, you must enable API access.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
- Enable the required API.
- Install and initialize the Google Cloud CLI.
Authenticating
Requests to the Secret Manager API require authentication. When using the Google Cloud CLI or a client library, authentication information is usually injected into the request automatically. For example, if you authenticate using the Google Cloud CLI, subsequent requests automatically include the authentication information.
gcloud
gcloud auth login --update-adc
When using the API directly, you must pass authentication information with the request as a header. This example demonstrates using curl to authenticate to the Secret Manager API:
API
curl "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets" \
--header "Authorization: Bearer ACCESS_TOKEN"
PROJECT_ID is the Google Cloud project ID in which you want to use Secret Manager.
ACCESS_TOKEN is an OAuth access token. It is specified as the Authorization header with a prefixed value of Bearer.
If you have the Google Cloud CLI installed, you can generate a temporary OAuth access token by running:
gcloud
gcloud auth print-access-token
To learn about other ways to generate temporary OAuth access tokens, see creating short-lived credentials. To learn about authenticating to Google Cloud, see Google Cloud authentication overview.
OAuth scopes
To use Secret Manager with workloads running on Compute Engine or GKE, the underlying instance or node must have the cloud-platform OAuth scope. If you receive an error with the following message, it means the instance or node was not provisioned with the correct OAuth scopes:
Request had insufficient authentication scopes
The required OAuth scope to use Secret Manager is:
https://www.googleapis.com/auth/cloud-platform
When creating a new instance, instance group, or node pool, specify the cloud-platform scope:
gcloud
gcloud compute instances create "INSTANCE_ID" \
--scopes "https://www.googleapis.com/auth/cloud-platform"
For an existing instance, instance group, or node pool, update the access scopes:
gcloud
gcloud compute instances set-service-account "INSTANCE_ID" \
--service-account "SERVICE_ACCOUNT_EMAIL" \
--scopes "https://www.googleapis.com/auth/cloud-platform"
See the Compute Engine service account permissions for more information.
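The curl call in the Authenticating section and the scope error above, combined in one script. This is an added example, not code from the Google Cloud documentation or the Secret Manager client libraries; it assumes the token comes from gcloud auth print-access-token (or an ACCESS_TOKEN environment variable) and that the caller may list secrets in the project, and the error body it classifies is a constructed sample built around the page's error message.

```python
"""List secrets over the Secret Manager REST API with a bearer token.

Mirrors the page's curl example and tells an OAuth-scope error apart from an
IAM denial, so an operator knows whether to fix the instance scopes or the
caller's permissions.
"""
import json
import os
import subprocess
import sys
import urllib.error
import urllib.request

API_BASE = "https://secretmanager.googleapis.com/v1"
REQUIRED_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def list_secrets_request(project_id, access_token):
    """Same request as the curl example: GET /v1/projects/PROJECT_ID/secrets
    with an Authorization header whose value is prefixed by 'Bearer '."""
    url = f"{API_BASE}/projects/{project_id}/secrets"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def classify_error(status, body):
    """Map an API error response to its likely cause.

    A 403 carrying 'Request had insufficient authentication scopes' means the
    Compute Engine instance or GKE node lacks the cloud-platform scope; a plain
    403 is an IAM problem with the caller instead; 401 is a bad or expired token.
    """
    try:
        message = json.loads(body).get("error", {}).get("message", "")
    except ValueError:
        message = body
    if status == 403 and "insufficient authentication scopes" in message.lower():
        return f"instance or node lacks the {REQUIRED_SCOPE} OAuth scope"
    if status == 403:
        return "caller lacks IAM permission on the project"
    if status == 401:
        return "access token missing, expired, or malformed"
    return f"HTTP {status}: {message}"


def gcloud_access_token():
    """Temporary OAuth token, as the page shows: gcloud auth print-access-token."""
    return subprocess.check_output(["gcloud", "auth", "print-access-token"], text=True).strip()


def list_secrets(project_id, access_token):
    """Return the resource names of the project's secrets, or raise with a classified cause."""
    req = list_secrets_request(project_id, access_token)
    try:
        with urllib.request.urlopen(req) as resp:
            return [s["name"] for s in json.load(resp).get("secrets", [])]
    except urllib.error.HTTPError as e:
        raise RuntimeError(classify_error(e.code, e.read().decode())) from e


if __name__ == "__main__":
    project = sys.argv[1]  # PROJECT_ID from the page
    token = os.environ.get("ACCESS_TOKEN") or gcloud_access_token()
    for name in list_secrets(project, token):
        print(name)
```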
App Engine
To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.
What's next
- Follow the quickstart.
- Learn more about managing access to Secret Manager resources.