In Secret Manager, a secret is a wrapper around a collection of secret versions. The secret stores metadata such as labels and replication, but it does not contain the actual secret. This topic describes how to manage secrets. You can also manage a secret's versions.
Before you begin
Configure Secret Manager and your local environment, once per project.
Listing secrets
These examples show how to list all secrets you have permission to view in the project.
Listing secrets requires the Secret Viewer role (roles/secretmanager.viewer) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
Console
- Go to the Secret Manager page in the console.
- This page displays the list of secrets in the project.
gcloud
To use Secret Manager on the command line, first install or upgrade to version 338.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets list
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets" \
--request "GET" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json"
Getting details about a secret
These examples show how to get details about a secret by viewing its metadata.
Viewing a secret's metadata requires the Secret Viewer role (roles/secretmanager.viewer) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
Console
- Go to the Secret Manager page in the console.
- On the Secret Manager page, click the name of the secret to describe.
- The Secret detail page lists information about the secret.
gcloud
To use Secret Manager on the command line, first install or upgrade to version 338.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets describe secret-id
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id" \
--request "GET" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json"
Managing access to secrets
These examples show how to manage access to a secret version, including the secret material itself. To learn more about access controls and permissions, see the Secret Manager IAM documentation.
Managing access to a secret requires the Secret Admin role (roles/secretmanager.admin) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
To grant access:
Console
- Go to the Secret Manager page in the console.
- On the Secret Manager page, click the checkbox next to the name of the secret.
- If it is not already open, click Show Info Panel to open the panel.
- In the info panel, click Add Principal.
- In the New principals text area, enter the email address(es) of the members to add.
- In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.
gcloud
To use Secret Manager on the command line, first install or upgrade to version 338.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets add-iam-policy-binding secret-id \
--member="member" \
--role="roles/secretmanager.secretAccessor"
Where member is an IAM member, such as a user, group, or service account.
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Note: Unlike the other examples, this replaces the entire IAM policy: any existing binding that is not included in the request body is removed.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id:setIamPolicy" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--data "{\"policy\": {\"bindings\": [{\"members\": [\"member\"], \"role\": \"roles/secretmanager.secretAccessor\"}]}}"
To revoke access:
Console
- Go to the Secret Manager page in the console.
- On the Secret Manager page, click the checkbox next to the name of the secret.
- If it is not already open, click Show Info Panel to open the panel.
- In the info panel, expand Secret Manager Secret Accessor.
- Click the trash icon next to the member for which you want to revoke access.
- In the popup, confirm and click Remove.
gcloud
To use Secret Manager on the command line, first install or upgrade to version 338.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets remove-iam-policy-binding secret-id \
--member="member" \
--role="roles/secretmanager.secretAccessor"
Where member is an IAM member, such as a user, group, or service account.
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Note: Unlike the other examples, this replaces the entire IAM policy: an empty bindings list removes every binding on the secret, not just the one for the member you want to revoke.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id:setIamPolicy" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--data "{\"policy\": {\"bindings\": []}}"
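Because setIamPolicy replaces the whole policy, both the grant and the revoke requests above should be built from the policy you just read, not from scratch. The following is an added example (not Google's own sample code) that does that read-modify-write on the JSON policy document returned by getIamPolicy: it adds or removes one member in the Secret Accessor binding while keeping every other binding, carries the etag back so a concurrent change makes the write fail rather than be overwritten, and reports which bindings a proposed body would silently drop. The sample policy, its etag and the member names are constructed for the demo; nothing here talks to the API.

```python
"""Read-modify-write helpers for a Secret Manager IAM policy (added example)."""
import copy
import json

ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

# Constructed sample of what getIamPolicy might return for a secret that
# already has two bindings. The etag is a made-up placeholder value.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX-example-etag",
    "bindings": [
        {"role": "roles/secretmanager.admin",
         "members": ["group:secops@example.com"]},
        {"role": ACCESSOR_ROLE,
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    ],
}


def grant_member(policy, member, role=ACCESSOR_ROLE):
    """Return a copy of policy with member added to role; other bindings are kept."""
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        # Only touch the unconditional binding for the role; conditional
        # bindings carry their own semantics and are left alone.
        if binding["role"] == role and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def revoke_member(policy, member, role=ACCESSOR_ROLE):
    """Return a copy of policy with member removed from role; bindings left empty are dropped."""
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] == role and not binding.get("condition"):
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def members_with_role(policy, role=ACCESSOR_ROLE):
    """Sorted list of every member bound to role in the policy."""
    return sorted(m for b in policy.get("bindings", [])
                  if b["role"] == role for m in b["members"])


def bindings_dropped(current, proposed):
    """(role, member) pairs in current that proposed lacks: setIamPolicy would revoke these."""
    def pairs(p):
        return {(b["role"], m) for b in p.get("bindings", []) for m in b["members"]}
    return sorted(pairs(current) - pairs(proposed))


def set_iam_policy_body(policy):
    """Serialise the request body for secrets.setIamPolicy.

    The etag read from getIamPolicy is sent back so that the write is
    rejected if the policy changed between the read and the write.
    """
    if "etag" not in policy:
        raise ValueError("refusing to write a policy without the etag read from getIamPolicy")
    return json.dumps({"policy": policy})


if __name__ == "__main__":
    new_member = "user:alice@example.com"  # constructed
    granted = grant_member(SAMPLE_POLICY, new_member)
    print("after grant:", members_with_role(granted))
    print("body:", set_iam_policy_body(granted))

    # The page's revoke body sends an empty bindings list; show what that would remove.
    page_revoke_body = {"bindings": []}
    print("dropped by empty bindings:", bindings_dropped(SAMPLE_POLICY, page_revoke_body))

    revoked = revoke_member(SAMPLE_POLICY,
                            "serviceAccount:app@example-project.iam.gserviceaccount.com")
    print("after targeted revoke:", members_with_role(revoked),
          "| remaining bindings:", len(revoked["bindings"]))
```

In practice the flow is: GET secrets/secret-id:getIamPolicy, pass the parsed JSON through grant_member or revoke_member, run bindings_dropped as a dry-run check that nothing unexpected disappears, then POST set_iam_policy_body(...) to secrets/secret-id:setIamPolicy. The gcloud add-iam-policy-binding and remove-iam-policy-binding commands on this page do this read-modify-write for you.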
Updating a secret
These examples show how to update a secret's metadata.
Updating a secret's metadata requires the Secret Admin role (roles/secretmanager.admin) on the secret or the project. IAM roles can't be granted on a secret version.
Console
- Go to the Secret Manager page in the console.
- On the Secret Manager page, click the checkbox next to the name of the secret.
- If the Info Panel is closed, click Show Info Panel to display it.
- In the Info Panel, select the Labels tab.
- Click Add label and enter the key secretmanager with a value (for example, rocks).
- Click Save.
gcloud
To use Secret Manager on the command line, first install or upgrade to version 338.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets update secret-id \
--update-labels=key=value
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id?updateMask=labels" \
--request "PATCH" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--data "{\"labels\": {\"key\": \"value\"}}"
Deleting a secret
These examples show how to delete a secret and all of its versions.
This is an irreversible operation. Any service or workload that attempts to access a deleted secret receives a Not Found error.
Deleting a secret requires the Secret Admin role (roles/secretmanager.admin) on the secret, project, folder, or organization. IAM roles can't be granted on a secret version.
Console
- Go to the Secret Manager page in the console.
- On the Secret Manager page, in the Actions column for the secret, click View more.
- In the menu, select Delete.
- In the Delete secret dialog, enter the name of the secret.
- Click the Delete secret button.
gcloud
To use Secret Manager on the command line, first install or upgrade to version 338.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ gcloud secrets delete secret-id
C#
To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
PHP
To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Ruby
To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id" \
--request "DELETE" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json"
What's next?
- Learn more about managing secret versions.
- Learn more about managing access to secrets.
- Learn more about creating and accessing secrets.
- Learn more about using customer-managed keys to encrypt secrets.