When the Secret Manager API is enabled, you can use the following tools to help integrate Secret Manager into your applications and processes:
- The Cloud SDK, which provides a command-line interface for managing secrets from clients.
- Convenient, idiomatic Secret Manager client libraries, which allow you to access and manage secrets from within your application source code. Client libraries are available in many languages including C# (.NET), Go, Java, Node.js, PHP, Python, and Ruby.
Enabling API access
Before you begin using Secret Manager, you must enable API access.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the required API.
- Install and initialize the Cloud SDK.
Requests to the Secret Manager API require authentication. When using the Cloud SDK or a client library, authentication information is usually injected into the request automatically. For example, if you authenticate using the gcloud command-line tool, future requests will automatically inject the authentication:
gcloud auth login --update-adc
When using the API directly, you must pass authentication information with the request as a header. This example demonstrates using curl to authenticate to the Secret Manager API:
curl "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets" \
    --header "Authorization: Bearer ACCESS_TOKEN"
PROJECT_ID is the Google Cloud project ID in which you want to use Secret Manager.
ACCESS_TOKEN is an OAuth access token. It is specified in the Authorization header with a prefixed value of Bearer.
If you have the Cloud SDK installed, you can generate a temporary OAuth access token by running:
gcloud auth print-access-token
To use Secret Manager with workloads running on Compute Engine or GKE, the underlying instance or node must have the cloud-platform OAuth scope. If you receive an error with the following message, it means the instance or node was not provisioned with the correct OAuth scopes:
Request had insufficient authentication scopes
The required OAuth scope to use Secret Manager is:
https://www.googleapis.com/auth/cloud-platform
When creating a new instance, instance group, or node pool, specify the cloud-platform scope:
gcloud compute instances create "INSTANCE_ID" \
    --scopes "https://www.googleapis.com/auth/cloud-platform"
For an existing instance, instance group, or node pool, update the access scopes:
gcloud compute instances set-service-account "INSTANCE_ID" \
    --service-account "SERVICE_ACCOUNT_EMAIL" \
    --scopes "https://www.googleapis.com/auth/cloud-platform"
See the Compute Engine service account permissions for more information.
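The script below is an added example, not part of the original documentation. It checks from inside a Compute Engine instance or GKE node whether the cloud-platform scope was provisioned, by reading the scope list from the instance metadata server, and recognizes the scope error message quoted above. The function names and the sample scope list are assumptions constructed for illustration.

```shell
# Added example, not from the Secret Manager docs; function names are assumed.
# Preflight check for the cloud-platform OAuth scope on Compute Engine or GKE.

REQUIRED_SCOPE="https://www.googleapis.com/auth/cloud-platform"
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# Reads a newline-separated scope list on stdin. Matches whole lines only, so
# a narrower scope such as .../auth/cloud-platform.read-only does not pass.
has_required_scope() {
  grep -Fxq -- "$REQUIRED_SCOPE"
}

# Succeeds when an API error body on stdin carries the scope error message.
is_scope_error() {
  grep -Fq "Request had insufficient authentication scopes"
}

# Fetches the scopes granted to this instance's default service account.
fetch_instance_scopes() {
  curl --silent --fail --max-time 5 \
    --header "Metadata-Flavor: Google" "$METADATA_URL"
}

# Exit status: 0 scope present, 1 scope missing, 2 metadata server unreachable.
check_instance() {
  scopes="$(fetch_instance_scopes)" || {
    echo "metadata server unreachable (not on Compute Engine or GKE?)" >&2
    return 2
  }
  if printf '%s\n' "$scopes" | has_required_scope; then
    echo "OK: cloud-platform scope present"
  else
    echo "MISSING: $REQUIRED_SCOPE; granted scopes:" >&2
    printf '%s\n' "$scopes" >&2
    return 1
  fi
}

# Offline demo on a constructed scope list (narrow scopes only).
SAMPLE="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write"
if printf '%s\n' "$SAMPLE" | has_required_scope; then
  echo "sample: scope present"
else
  echo "sample: scope missing, Secret Manager calls would be rejected"
fi
# Pass --live to query the real metadata server from inside an instance.
if [ "${1:-}" = "--live" ]; then check_instance; fi
```

Run it with `--live` on the instance or node itself; without arguments it only evaluates the constructed sample and makes no network request.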
To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.