Configuring Secret Manager

This topic describes how to configure your Google Cloud project to use Secret Manager for the first time. These steps are prerequisites for most tasks in Secret Manager, including the quickstart.

When you are becoming familiar with Secret Manager, we recommend using a separate Google Cloud project. Deleting the project also deletes all resources created during testing, including billable resources.

Enable the Secret Manager API and Cloud SDK

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.


  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the required API.


  5. Install and initialize the Cloud SDK.

Assign IAM roles

Before a user can create, manage, list, or access a secret, that user must have the appropriate IAM permissions. You can grant one or more pre-defined roles or create and grant custom roles. For example, a member with the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) can access (but not modify) the value of a secret version, including the actual secret data.

For more information, including a list of pre-defined roles for Secret Manager, see Managing access to secrets.

To add a role:

  1. Go to the IAM page in the Cloud Console.


  2. Click the Project selector drop-down list at the top of the page.

  3. On the Select from dialog that appears, select the organization for which you want to enable Secret Manager.

  4. On the IAM page, next to your username, click Edit.

  5. On the Edit permissions panel that appears, add the necessary roles.

    1. Click Add another role. Select a role to add, such as Secret Manager Secret Accessor.

    2. To add more roles, repeat the previous step. Click Save.
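After granting roles, it helps to confirm who can actually read secret data. The following is an added example, not part of the original documentation: it audits a policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports every member holding a role that can read secret payloads. The sample policy, member names, the `audit_policy` and `classify_member` helpers, and the list of payload-reading roles are assumptions made for this example.

```python
import json

# Roles assumed here to include secretmanager.versions.access (payload read).
PAYLOAD_ROLES = {
    "roles/secretmanager.secretAccessor": "read-only",
    "roles/secretmanager.admin": "full-control",
    "roles/owner": "full-control",
}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy; a project-level binding covers every secret in the project.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
               "group:developers@example.com"]},
  {"role": "roles/secretmanager.admin", "members": ["user:alice@example.com"]},
  {"role": "roles/secretmanager.viewer", "members": ["user:bob@example.com"]},
  {"role": "roles/secretmanager.secretAccessor", "members": ["domain:example.com"],
   "condition": {"title": "constructed", "expression": "true"}}
]}
""")

def classify_member(member):
    """Rank how many identities a single member entry stands for."""
    if member in PUBLIC:
        return "public"
    if member.startswith(("group:", "domain:")):
        return "broad"
    return "direct"

def audit_policy(policy):
    """Return one finding per (member, role) that can read secret payloads."""
    findings = []
    for binding in policy.get("bindings", []):
        level = PAYLOAD_ROLES.get(binding.get("role"))
        if level is None:
            continue  # role cannot read secret data, e.g. secretmanager.viewer
        for member in binding.get("members", []):
            findings.append({
                "member": member, "role": binding["role"], "access": level,
                "exposure": classify_member(member),
                "conditional": "condition" in binding,
            })
    order = {"public": 0, "broad": 1, "direct": 2}
    return sorted(findings, key=lambda f: (order[f["exposure"]], f["member"]))

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Findings are sorted with the widest exposure first, so group and domain bindings surface ahead of individual users and service accounts.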

What's next?