This topic describes how to edit a secret's metadata. You can update many properties of a secret such as encryption type, rotation policy, expiration date, labels, and event notifications. You can also add annotations and set up aliases for secret versions. You can't edit the secret name or value and the replication policy. To add a new value to your secret, you must create a new secret version.
Required roles
Updating a secret's metadata requires the Secret Manager Admin
role (roles/secretmanager.admin
) on the secret or the project.
Edit a secret
Console
-
Go to the Secret Manager page in the Google Cloud console.
-
To edit a secret, use one of the following methods:
-
Click
More actions associated with the secret that you want to edit, and then select Edit from the menu. -
Click the secret name to go to the Secret details page.
-
On the Secret details page, click
Edit secret.
-
-
On the Edit secret page, update the properties as needed, and then click Update secret.
gcloud
To use Secret Manager on the command line, first Install or upgrade to version 378.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets update secret-id \
--update-labels=key=value
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id?updateMask=labels" \
--request "PATCH" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--data "{'labels': {'key': 'value'}}"
Edit permissions and labels for multiple secrets
-
Go to the Secret Manager page in the Google Cloud console.
-
On the Secret Manager page, click the checkbox next to the name of the secret.
-
If the Info Panel is closed, click Show Info Panel to display it.
-
In the Info Panel, select the Labels tab.
-
Click Add label and enter a key and value for the label.
-
Click Save.
What's next
- Learn how to manage access to secrets.
- Learn how to set up rotation schedules for secrets.
- Learn how to set up notifications on a secret.
- Learn how to enable Customer-Managed Encryption Keys (CMEK) for Secret Manager.