We recommend that you access Secret Manager API using the following tools:
The Google Cloud CLI, which provides a command-line interface for managing secrets.
Convenient, idiomatic Secret Manager client libraries, which lets you access and manage secrets from within your application source code. Client libraries are available in many languages including C#(.NET), Go, Java, Node.js, PHP, Python, and Ruby.
Before you begin
Requests to the Secret Manager API require authentication. For information, see Authenticate to Secret Manager.
Use Secret Manager with Compute Engine and Google Kubernetes Engine
To use Secret Manager with workloads running on Compute Engine
or GKE, the underlying instance or node must have the
cloud-platform OAuth scope. If you receive an error with the following
message, it means the instance or node was not provisioned with the correct
Request had insufficient authentication scopes
The required OAuth scope to use Secret Manager is:
When creating a new instance, instance group, or node pool,
gcloud compute instances create "INSTANCE_ID" \ --scopes "https://www.googleapis.com/auth/cloud-platform"
For an existing instance, instance group, or node pool, update the access scopes:
gcloud compute instances set-service-account "INSTANCE_ID" \ --service-account "SERVICE_ACCOUNT_EMAIL" \ --scopes "https://www.googleapis.com/auth/cloud-platform"
See the Compute Engine service account permissions for more information.
Use Secret Manager with App Engine
To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.
- Learn more about managing access to Secret Manager resources with IAM.
- Learn how to create a secret and access a secret version.