In Secret Manager, a secret is a wrapper around a collection of secret versions. The secret stores metadata such as labels and replication, but it does not contain the actual secret. This topic describes how to manage secrets. You can also manage a secret's versions.
Before you begin
Configure Secret Manager and your local environment, once per project.
Listing secrets
These examples show how to list all secrets you have permission to view in the project.
Listing secrets requires the Secret Viewer role (roles/secretmanager.viewer) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
Web UI
- Go to the Secret Manager page in the Cloud Console.
- This page displays the list of Secrets in the project.
Command-line
To use Secret Manager on the command line, first install or upgrade to version 306.0.0 or higher of the Cloud SDK.
$ gcloud secrets list
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK.
API
These examples use curl to demonstrate using the API.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets" \
--request "GET" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id"
Getting details about a secret
These examples show how to get details about a secret by viewing its metadata.
Viewing a secret's metadata requires the Secret Viewer role (roles/secretmanager.viewer) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
Web UI
- Go to the Secret Manager page in the Cloud Console.
- On the Secret Manager page, click on the name of a Secret to describe.
- The Secret detail page lists information about the Secret.
Command-line
To use Secret Manager on the command line, first install or upgrade to version 306.0.0 or higher of the Cloud SDK.
$ gcloud secrets describe secret-id
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK.
API
These examples use curl to demonstrate using the API.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id" \
--request "GET" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id"
Managing access to secrets
These examples show how to manage access to a secret version, including the secret material itself. To learn more about access controls and permissions, see the Secret Manager IAM documentation.
Managing access to a secret requires the Secret Admin role (roles/secretmanager.admin) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
To grant access:
Web UI
- Go to the Secret Manager page in the Cloud Console.
- On the Secret Manager page, click on the name of a Secret.
- If it is not already open, click Show Info Panel to open the panel.
- In the info panel, click Add Member.
- In the New members text area, enter the email address(es) of the members to add.
- In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.
Command-line
To use Secret Manager on the command line, first install or upgrade to version 306.0.0 or higher of the Cloud SDK.
$ gcloud secrets add-iam-policy-binding secret-id \
--member="member" \
--role="roles/secretmanager.secretAccessor"
Where member is an IAM member, such as a user, group, or service account.
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK.
API
These examples use curl to demonstrate using the API.
Note: Unlike the other examples, this replaces the entire IAM policy.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id:setIamPolicy" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id" \
--data "{\"policy\": {\"bindings\": [{\"members\": [\"member\"], \"role\": \"roles/secretmanager.secretAccessor\"}]}}"
To revoke access:
Web UI
- Go to the Secret Manager page in the Cloud Console.
- On the Secret Manager page, click on the name of a Secret.
- If it is not already open, click Show Info Panel to open the panel.
- In the info panel, expand Secret Manager Secret Accessor.
- Click the trash icon next to the member for which you want to revoke access.
- In the popup, confirm and click Remove.
Command-line
To use Secret Manager on the command line, first install or upgrade to version 306.0.0 or higher of the Cloud SDK.
$ gcloud secrets remove-iam-policy-binding secret-id \
--member="member" \
--role="roles/secretmanager.secretAccessor"
Where member is an IAM member, such as a user, group, or service account.
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK.
API
These examples use curl to demonstrate using the API.
Note: Unlike the other examples, this replaces the entire IAM policy.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id:setIamPolicy" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id" \
--data "{\"policy\": {\"bindings\": []}}"
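The two setIamPolicy calls above overwrite the whole policy, so a grant or revoke done that way should be a read-modify-write: fetch the current policy with getIamPolicy, change only the one binding, and send the result back with its etag so a concurrent edit is rejected instead of silently lost (the gcloud add-iam-policy-binding and remove-iam-policy-binding commands do this for you). The following Python is an added example, not code from this page or from the Secret Manager SDK: it implements that merge over the v1 IAM policy document and flags grants to allUsers or allAuthenticatedUsers; the sample policy, member addresses and etag value are constructed placeholders.

```python
import copy
import json

# Constructed sample of what getIamPolicy returns for a secret (v1 policy
# format: a list of role bindings plus an etag). Members and etag are placeholders.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/secretmanager.secretAccessor",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/secretmanager.viewer",
         "members": ["group:ops@example.com"]},
    ],
    "etag": "BwXyZ-placeholder",
}

# Principals that expose the secret material to everyone, or to every Google account.
BROAD_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def add_member(policy, member, role):
    """Copy of policy with member added to role; all other bindings and the etag are kept."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_member(policy, member, role):
    """Copy of policy with member removed from role; a binding left empty is dropped."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding.get("members"):
            kept.append(binding)
    new["bindings"] = kept
    return new


def broad_grants(policy):
    """(role, member) pairs that grant to allUsers or allAuthenticatedUsers; should be empty."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in BROAD_PRINCIPALS]


def set_iam_policy_body(policy):
    """Request body for POST .../secrets/secret-id:setIamPolicy, etag included."""
    return json.dumps({"policy": policy})
```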
Updating a secret
These examples show how to update a secret's metadata.
Updating a secret's metadata requires the Secret Admin role (roles/secretmanager.admin) on the secret or the project. IAM roles can't be granted on a secret version.
Web UI
- Go to the Secret Manager page in the Cloud Console.
- On the Secret Manager page, click on the name of a Secret to update.
- If the Info Panel is closed, click Show Info Panel to display it.
- In the Info Panel, select the Labels tab.
- Click Add label and enter the key secretmanager with the value rocks.
- Click Save.
Command-line
To use Secret Manager on the command line, first install or upgrade to version 306.0.0 or higher of the Cloud SDK.
$ gcloud secrets update secret-id \
--update-labels=key=value
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK.
API
These examples use curl to demonstrate using the API.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id?updateMask=labels" \
--request "PATCH" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id" \
--data "{\"labels\": {\"key\": \"value\"}}"
Deleting a secret
These examples show how to delete a secret and all of its versions.
This is an irreversible operation. Any service or workload that attempts to access a deleted secret receives a Not Found error.
Deleting a secret requires the Secret Admin role (roles/secretmanager.admin) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
Web UI
- Go to the Secret Manager page in the Cloud Console.
- On the Secret Manager page, in the Actions column for the secret, click View more.
- In the menu, select Delete.
- In the Delete secret dialog, enter the name of the secret.
- Click the Delete secret button.
Command-line
To use Secret Manager on the command line, first install or upgrade to version 306.0.0 or higher of the Cloud SDK.
$ gcloud secrets delete secret-id
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK.
API
These examples use curl to demonstrate using the API.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id" \
--request "DELETE" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id"
What's next?
- Learn more about managing secret versions.
- Learn more about managing access to secrets.
- Learn more about creating and accessing secrets.
- Learn more about using customer-managed keys to encrypt secrets.