This topic describes how to configure your Google Cloud project to use Secret Manager for the first time. These steps are prerequisites for most tasks in Secret Manager, including the quickstart.
When you are becoming familiar with Secret Manager, we recommend using a separate Google Cloud project. Deleting the project also deletes all resources created during testing, including billable resources.
Enable the Secret Manager API and Cloud SDK
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the required API.
- Install and initialize the Cloud SDK.
Assign IAM roles
Before a user can create, manage, list, or access a secret, that user must have
the appropriate IAM permissions. You can grant one or more
pre-defined roles or create and grant custom roles. For example, a member with
the Secret Manager Secret Accessor role (
can access (but not modify) the value of a secret version, including the actual
For more information, including a list of pre-defined roles for Secret Manager, see Managing access to secrets.
To add a role:
Go to the IAM page in the Cloud Console.
Click the Project selector drop-down list at the top of the page.
On the Select from dialog that appears, select the organization for which you want to enable Secret Manager.
On the IAM page, next to your username, click Edit.
On the Edit permissions panel that appears, add the necessary roles.
Click Add another role. Select a role to add, such as Secret Manager Secret Accessor.
To add more roles, repeat the previous step. Click Save.
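Once roles are assigned, it is worth checking who can actually read secret values. The following is an added example, not part of the original page or Google's own code: it audits a project IAM policy for the two predefined Secret Manager roles that can read payloads. The sample policy, member names, and function names are constructed for illustration, and basic and custom roles are not evaluated.

```python
import json

# Predefined Secret Manager roles that include secretmanager.versions.access.
# Assumption of this example: basic and custom roles are out of scope.
PAYLOAD_READ_ROLES = {"roles/secretmanager.secretAccessor", "roles/secretmanager.admin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy, in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
               "allAuthenticatedUsers"]},
  {"role": "roles/secretmanager.admin",
   "members": ["user:admin@example.com"]},
  {"role": "roles/secretmanager.viewer",
   "members": ["group:auditors@example.com"]}
 ],
 "version": 1}
""")


def payload_readers(policy):
    """Map each member to the set of roles that let it read secret values."""
    readers = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") in PAYLOAD_READ_ROLES:
            for member in binding.get("members", []):
                readers.setdefault(member, set()).add(binding["role"])
    return readers


def findings(policy):
    """Return sorted (member, role, reason) tuples that deserve review."""
    out = []
    for member, roles in payload_readers(policy).items():
        for role in roles:
            if member in PUBLIC_MEMBERS:
                out.append((member, role, "public principal can read secret values"))
            elif role == "roles/secretmanager.admin":
                out.append((member, role, "admin granted; check whether accessor suffices"))
    return sorted(out)


if __name__ == "__main__":
    for member, role, reason in findings(SAMPLE_POLICY):
        print(f"{member}\t{role}\t{reason}")
```

To run it against a real project, replace `SAMPLE_POLICY` with the parsed output of the `gcloud` command named in the comment.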
- Learn more about managing secret versions.
- Learn more about managing access to secrets.
- Learn more about creating and accessing secrets.