This page describes how to delete a secret and all of its versions.
To delete only a secret version, see Destroy a secret version.
Required roles
To get the permissions that
you need to delete a secret,
ask your administrator to grant you the
Secret Manager Admin (roles/secretmanager.admin
) IAM role on the secret, project, folder, or organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Delete a secret
To delete a secret, use one of the following methods:
Console
-
In the Google Cloud console, go to the Secret Manager page.
-
Select the secret that you want to delete.
-
Click
Actions, and then click Delete. -
In the confirmation dialog that appears, enter the name of the secret, and then click Delete secret.
gcloud
Before using any of the command data below, make the following replacements:
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud secrets delete SECRET_ID
Windows (PowerShell)
gcloud secrets delete SECRET_ID
Windows (cmd.exe)
gcloud secrets delete SECRET_ID
The response returns the secret.
REST
Before using any of the request data, make the following replacements:
- PROJECT_ID: the Google Cloud project ID
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
HTTP method and URL:
DELETE https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID
Request JSON body:
{}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{}
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
What's next
- Learn how to set an expiration date for a secret.
- Learn how to manage access to secrets.