Secret Manager provides the option to add labels to your Secret Manager secrets. Labels are key-value pairs that you can use to group related Secret Manager secrets and store metadata about a Secret Manager secret.
Labels are included in your bill, so you can see the distribution of costs across your labels.
You can add, update, and remove key labels using the Google Cloud CLI and the Secret Manager REST API.
You can use labels with other Google Cloud resources, such as virtual machine resources and storage buckets. For more information about using labels in Google Cloud, see Creating and Managing Labels.
What are labels?
A label is a key-value pair that you can assign to Google Cloud Secret Manager secrets. They help you organize these resources and manage your costs at scale, with the granularity you need. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system that lets you break down your billed charges by label. With built-in billing reports, you can filter and group costs by resource labels. You can also use labels to query billing data exports.
Requirements for labels
The labels applied to a resource must meet the following requirements:
- Each resource can have up to 64 labels.
- Each label must be a key-value pair.
- Keys have a minimum length of 1 character and a maximum length of 63 characters, and cannot be empty. Values can be empty, and have a maximum length of 63 characters.
- Keys and values can contain only lowercase letters, numeric characters, underscores, and dashes. All characters must use UTF-8 encoding, and international characters are allowed. Keys must start with a lowercase letter or international character.
- The key portion of a label must be unique within a single resource. However, you can use the same key with multiple resources.
These limits apply to the key and value for each label, and to the individual Google Cloud resources that have labels. There is no limit on how many labels you can apply across all resources within a project.
Common uses of labels
Here are some common use cases for labels:
Team or cost center labels: Add labels based on team or cost center to distinguish Secret Manager secrets owned by different teams (for example,
team:research
andteam:analytics
). You can use this type of label for cost accounting or budgeting.Component labels: For example,
component:redis
,component:frontend
,component:ingest
, andcomponent:dashboard
.Environment or stage labels: For example,
environment:production
andenvironment:test
.State labels: For example,
state:active
,state:readytodelete
, andstate:archive
.Ownership labels: Used to identify the teams that are responsible for operations, for example:
team:shopping-cart
.
We don't recommend creating large numbers of unique labels, such as for timestamps or individual values for every API call. The problem with this approach is that when the values change frequently or with keys that clutter the catalog, this makes it difficult to effectively filter and report on resources.
Labels and tags
Labels can be used as queryable annotations for resources, but can't be used to set conditions on policies. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag, by providing fine-grained control over policies. For more information, see the Tags overview.
Create a secret with labels
To add a label when creating the secret, follow these steps:
Console
In the Google Cloud console, go to the Secret Manager page.
On the Secret Manager page, click Create Secret.
In the Name field, enter a name for the secret (for example,
my-secret
).Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example,
abcd1234
).Go to Labels, and then click Add label.
Enter a key and its corresponding value to create a label.
Click Create secret.
View labels on a secret
Console
In the Google Cloud console, go to the Secret Manager page.
Click the checkbox next to the name of the secret that you want to inspect.
If the Info Panel is closed, click Show Info Panel to display it.
In the panel, choose the Labels tab.
Add or update labels
Console
In the Google Cloud console, go to the Secret Manager page.
Click the checkbox next to the name of the secret that you want to inspect.
In the header, click Show info panel.
In the panel, choose the Labels tab.
Edit the value of a label directly in the corresponding text field.
To edit the key of a label, add a new label with the chosen key name, and then delete the old label.
Click Save.
Remove labels
Console
In the Google Cloud console, go to the Secret Manager page.
Click the checkbox next to the name of the secret that you want to inspect.
In the header, click Show info panel.
In the panel, choose the Labels tab.
Click
Delete next to the labels that you want to delete.Click Save.