Secrets have global names and globally replicated metadata, but the location where the secret payload data is stored can be controlled using the replication policy. Each secret has its own replication policy which is set at creation. The locations in the replication policy cannot be updated.
There are two replication policy types: Automatic and User Managed.
Automatic
A secret with an automatic replication policy has its payload data replicated without restriction. This is the simplest configuration and is recommended for most users. When creating a secret using the Google Cloud CLI or the web UI, this is the default replication policy.
For billing purposes, a secret with an automatic replication policy is considered to be stored in a single location.
For purposes of
resource location organization policy
evaluation, a secret with an automatic replication policy can only be created
if resource creation in global is allowed.
User Managed
A secret with a user managed replication policy has its payload data replicated to a user configured set of locations. The secret can be replicated to any number of supported locations. This may be useful if there are requirements around where the secret payload data can be stored.
For billing purposes, each location in the user managed replication policy is considered a separate location.
For purposes of resource location organization policy evaluation, a secret with a user managed replication policy can only be created if resource creation is allowed in all the selected locations.
What's next
- Learn more about editing a secret.
- Learn more about managing access to secrets.
- Learn more about setting up rotation policies.