This topic discusses support for filtering in the following resource-listing calls in Secret Manager:
Filtering intent in a
list operation is indicated by the presence of the
string field in the list request body. The API uses a simple language for
referring to the fields in the object that is being filtered.
In the following examples, let us assume that a subset of secrets contains either "asecret" or "bsecret" substring. Specify a filter matching these secrets. The results are sorted by name in the ascending order.
Filters are specified using the
--filter flag. If your filter contains a
space or other special character, you must surround it in quotes.
gcloud secrets list --filter="name:asecret OR name:bsecret"
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Filters are specified as the
filter querystring parameter and must be
URL-encoded. For example, the filter
name:asecret OR name:bsecret would
be URL-encoded as
curl "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets?filter=FILTER" \ --request "GET" \ --header "Authorization: Bearer ACCESS_TOKEN"
|Secrets whose name contains the
|Secrets whose name contains a pattern
|Secrets with a specific label||
|Secrets created within date/time range||
|Secrets with automatic replication||
|Secrets with user-managed replication but not stored in either of the given regions||
|Secrets encrypted with CMEK keys||
|Secrets encrypted with a specific CMEK key||
|Secrets without a rotation period||
|Secrets with a rotation period > 30d||
|Secrets with expiration set||
|Secrets expiring before a date||
|Versions that are enabled or disabled||
|Destroyed versions, destroyed after date||
The filter syntax consists of an expression on one or more fields of the objects being filtered.
You can use the following expression operators.
||Greater than or equal to.|
||Less than or equal to.|
Inequality. The following are equivalent:
Containment. This is a case-insensitive substring match.
As an example,
A space is equivalent to
Can be used as a standalone where
Consistently with Cloud Search API,
OR takes precedence over
AND by default.
Parentheses can be used to indicate the desired operation priority.
When filtering on
time values, encode the time as a string in the
format, such as
When accessing a subfield, use dot syntax. For example, the
Secret resource may include the
labels field whose value is a key-value
color label is use, you can filter
Secret results on the subfield
labels.color as follows:
If you want to list only secrets with
color label set, use a wildcard:
A quoted string is interpreted as a single value rather than a sequence of values.
You can filter on any field of
|List method||Link to filterable fields|
Total result count
filter is set in a list request, the response does not indicate the total
result count (
total_size=0 in the response).