This page describes secret replication policies in Secret Manager. A replication policy lets you choose the locations where you store your secret payload data. You can configure each secret with either automatic replication or user-managed replication when you create a secret. The locations in the replication policy can't be updated.
Automatic secret replication policy
A secret with an automatic replication policy has its payload data replicated without restriction. This is the simplest configuration and is recommended for most users. When creating a secret using the Google Cloud CLI or the web UI, this is the default replication policy.
For billing purposes, a secret with an automatic replication policy is considered to be stored in a single location.
For purposes of resource location organization policy evaluation, a secret with an automatic replication policy can only be created if resource creation in global is allowed.
User-managed secret replication policy
A secret with a user-managed replication policy has its payload data replicated to a user-configured set of locations. The secret can be replicated to any number of supported locations. This may be useful if there are requirements around where the secret payload data can be stored.
For billing purposes, each location in the user-managed replication policy is considered a separate location.
For purposes of resource location organization policy evaluation, a secret with a user-managed replication policy can only be created if resource creation is allowed in all the selected locations.
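The following added example (not part of the original page or of Secret Manager itself) applies the billing and location rules described above to a listing of secrets, flagging any whose replication policy stores payload data outside an allow-list. It assumes input shaped like `gcloud secrets list --format=json`, with the Secret resource's `replication.automatic` and `replication.userManaged.replicas[].location` fields, and a flat allow-list of location names; the secret names, project number and allow-list are constructed.

```python
import json

# Constructed sample, shaped like `gcloud secrets list --format=json` output.
SAMPLE_SECRETS = json.loads("""
[
  {"name": "projects/123/secrets/api-key", "replication": {"automatic": {}}},
  {"name": "projects/123/secrets/db-pass",
   "replication": {"userManaged": {"replicas": [
       {"location": "europe-west1"}, {"location": "europe-west4"}]}}},
  {"name": "projects/123/secrets/legacy",
   "replication": {"userManaged": {"replicas": [
       {"location": "europe-west1"}, {"location": "us-east1"}]}}}
]
""")


def payload_locations(secret):
    """Return the locations a secret's policy is evaluated against.

    Automatic replication is reported as ["global"], matching how the
    resource location organization policy treats it.
    """
    replication = secret.get("replication", {})
    if "automatic" in replication:
        return ["global"]
    if "userManaged" in replication:
        replicas = replication["userManaged"].get("replicas", [])
        return [replica["location"] for replica in replicas]
    raise ValueError(f"unrecognized replication policy on {secret.get('name')}")


def audit(secrets, allowed_locations):
    """Map each secret name to its billed location count and disallowed locations."""
    report = {}
    for secret in secrets:
        locations = payload_locations(secret)
        report[secret["name"]] = {
            # Automatic bills as one location; user-managed bills per location.
            "billed_locations": len(locations),
            "disallowed": sorted(set(locations) - set(allowed_locations)),
        }
    return report


if __name__ == "__main__":
    allowed = {"europe-west1", "europe-west4"}  # hypothetical allow-list
    for name, result in audit(SAMPLE_SECRETS, allowed).items():
        status = "OK" if not result["disallowed"] else "VIOLATION"
        print(status, name, result)
```

With this allow-list the automatic secret is flagged because `global` is not permitted, which mirrors the creation rule for automatic replication.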
What's next
- Learn more about editing a secret.
- Learn more about managing access to secrets.
- Learn more about setting up rotation policies.