This topic describes how to create a secret. A secret contains one or more secret versions, along with metadata such as labels and replication information. The actual contents of a secret are stored in a secret version.
Before you begin
- Enable the Secret Manager API, once per project.
- Assign the Secret Manager Admin role (
roles/secretmanager.admin
) on the project, folder, or organization. Authenticate to the Secret Manager API using one of the following ways:
- If you use client libraries to access the Secret Manager API, set up Application Default Credentials.
- If you use the Google Cloud CLI to access the Secret Manager API, use your Google Cloud CLI credentials to authenticate.
- To authenticate a REST call, use either Google Cloud CLI credentials or Application Default Credentials.
Create a secret
Console
-
Go to the Secret Manager page in the Google Cloud console.
-
On the Secret Manager page, click Create Secret.
-
On the Create secret page, under Name, enter a name for the secret (for example,
my-secret
). A secret name can contain uppercase and lowercase letters, numerals, hyphens, and underscores. The maximum allowed length for a name is 255 characters. -
Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example,
abcd1234
). The secret value can be in any format but must not be larger than 64 KiB. You can also upload a text file containing the secret value using the Upload file option. -
Click the Create secret button.
gcloud
To use Secret Manager on the command line, first Install or upgrade to version 378.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets create secret-id \
--replication-policy="automatic"
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets?secretId=secret-id" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--data "{\"replication\": {\"automatic\": {}}}"
To select the right replication policy for your secret, see Choose a replication policy.
Add a secret version
Secret Manager automatically versions secret data using secret versions, and most
operations like access, destroy, disable, and enable take place on a secret version.
With Secret Manager, you can pin a secret to specific versions like 42
or floating
aliases like latest
. Learn how to Add a secret version.
Access a secret version
To access the secret data from a particular secret version for successful authentication, see Access a secret version.
What's next
- Learn how to choose a replication policy.
- Learn how to manage access to secrets.
- Learn how to set up notifications on a secret.