Add labels to secrets

Secret Manager provides the option to add labels to your Secret Manager secrets. Labels are key-value pairs that you can use to group related Secret Manager secrets and store metadata about a Secret Manager secret.

Labels are included in your bill, so you can see the distribution of costs across your labels.

You can add, update, and remove labels using the Google Cloud CLI and the Secret Manager REST API.

You can use labels with other Google Cloud resources, such as virtual machine resources and storage buckets. For more information about using labels in Google Cloud, see Creating and Managing Labels.

What are labels?

A label is a key-value pair that you can assign to Google Cloud Secret Manager secrets. Labels help you organize these resources and manage your costs at scale, with the granularity you need. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, which lets you break down your billed charges by label. With built-in billing reports, you can filter and group costs by resource labels. You can also use labels to query billing data exports.

Requirements for labels

The labels applied to a resource must meet the following requirements:

  • Each resource can have up to 64 labels.
  • Each label must be a key-value pair.
  • Keys have a minimum length of 1 character and a maximum length of 63 characters, and cannot be empty. Values can be empty, and have a maximum length of 63 characters.
  • Keys and values can contain only lowercase letters, numeric characters, underscores, and dashes. All characters must use UTF-8 encoding, and international characters are allowed. Keys must start with a lowercase letter or international character.
  • The key portion of a label must be unique within a single resource. However, you can use the same key with multiple resources.

These limits apply to the key and value for each label, and to the individual Google Cloud resources that have labels. There is no limit on how many labels you can apply across all resources within a project.
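The following pre-flight check applies the requirements listed above to a set of labels before they are sent to Secret Manager, for example in a CI job. It is an added example, not code from Secret Manager or its client libraries; the function names are hypothetical, and reading "lowercase letter or international character" as the Unicode categories Ll and Lo (and "numeric characters" as the N categories) is an assumption.

```python
import unicodedata

MAX_LABELS = 64   # per resource
MAX_LEN = 63      # characters, for keys and for values


def _is_letter(ch):
    # Assumption: "lowercase letter or international character" is read as
    # Unicode categories Ll (lowercase) and Lo (caseless scripts).
    return unicodedata.category(ch) in ("Ll", "Lo")


def _is_allowed(ch):
    # Letters as above, any numeric character, underscore, or dash.
    return _is_letter(ch) or unicodedata.category(ch)[0] == "N" or ch in "_-"


def validate_labels(pairs):
    """Check (key, value) pairs; return a list of violations (empty = valid)."""
    errors = []
    if len(pairs) > MAX_LABELS:
        errors.append(f"{len(pairs)} labels exceed the limit of {MAX_LABELS}")
    seen = set()
    for key, value in pairs:
        if key in seen:
            errors.append(f"duplicate key {key!r}")
        seen.add(key)
        if not 1 <= len(key) <= MAX_LEN:
            errors.append(f"key {key!r}: length must be 1 to {MAX_LEN}")
        elif not _is_letter(key[0]):
            errors.append(f"key {key!r}: must start with a lowercase letter")
        if not all(_is_allowed(c) for c in key):
            errors.append(f"key {key!r}: disallowed character")
        if len(value) > MAX_LEN:
            errors.append(f"value of {key!r}: longer than {MAX_LEN}")
        if not all(_is_allowed(c) for c in value):
            errors.append(f"value of {key!r}: disallowed character")
    return errors


if __name__ == "__main__":
    # Constructed sample input, not taken from a real project.
    sample = [("team", "research"), ("Environment", "Prod"), ("state", "")]
    for problem in validate_labels(sample):
        print(problem)
```
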

Common uses of labels

Here are some common use cases for labels:

  • Team or cost center labels: Add labels based on team or cost center to distinguish Secret Manager secrets owned by different teams (for example, team:research and team:analytics). You can use this type of label for cost accounting or budgeting.

  • Component labels: For example, component:redis, component:frontend, component:ingest, and component:dashboard.

  • Environment or stage labels: For example, environment:production and environment:test.

  • State labels: For example, state:active, state:readytodelete, and state:archive.

  • Ownership labels: Used to identify the teams that are responsible for operations, for example: team:shopping-cart.

We don't recommend creating large numbers of unique labels, such as for timestamps or individual values for every API call. Values that change frequently, or keys that clutter the catalog, make it difficult to filter and report on resources effectively.

Labels and tags

Labels can be used as queryable annotations for resources, but can't be used to set conditions on policies. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag, which gives you fine-grained control over policies. For more information, see the Tags overview.

Create a secret with labels

To add a label when creating the secret, follow these steps:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

  2. On the Secret Manager page, click Create Secret.

  3. In the Name field, enter a name for the secret (for example, my-secret).

  4. Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example, abcd1234).

  5. Go to Labels, and then click Add label.

  6. Enter a key and its corresponding value to create a label.

  7. Click Create secret.

View labels on a secret

Console

  1. In the Google Cloud console, go to the Secret Manager page.

  2. Click the checkbox next to the name of the secret that you want to inspect.

  3. If the Info Panel is closed, click Show Info Panel to display it.

  4. In the panel, choose the Labels tab.

Add or update labels

Console

  1. In the Google Cloud console, go to the Secret Manager page.

  2. Click the checkbox next to the name of the secret that you want to inspect.

  3. In the header, click Show info panel.

  4. In the panel, choose the Labels tab.

  5. Edit the value of a label directly in the corresponding text field.

  6. To edit the key of a label, add a new label with the chosen key name, and then delete the old label.

  7. Click Save.

Remove labels

Console

  1. In the Google Cloud console, go to the Secret Manager page.

  2. Click the checkbox next to the name of the secret that you want to inspect.

  3. In the header, click Show info panel.

  4. In the panel, choose the Labels tab.

  5. Click Delete next to the labels that you want to delete.

  6. Click Save.