REST Resource: projects.secrets

Resource: Secret

A Secret is a logical secret whose value and versions can be accessed.

A Secret is made up of zero or more SecretVersions that represent the secret data.

JSON representation
{
  "name": string,
  "replication": {
    object (Replication)
  },
  "createTime": string,
  "labels": {
    string: string,
    ...
  },
  "topics": [
    {
      object (Topic)
    }
  ],
  "rotation": {
    object (Rotation)
  },

  // Union field expiration can be only one of the following:
  "expireTime": string,
  "ttl": string
  // End of list of possible types for union field expiration.
}
Fields
name

string

Output only. The resource name of the Secret in the format projects/*/secrets/*.

replication

object (Replication)

Required. Immutable. The replication policy of the secret data attached to the Secret.

The replication policy cannot be changed after the Secret has been created.

createTime

string (Timestamp format)

Output only. The time at which the Secret was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

labels

map (key: string, value: string)

The labels assigned to this Secret.

Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}

Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}

No more than 64 labels can be assigned to a given resource.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

topics[]

object (Topic)

Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.

rotation

object (Rotation)

Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy.

Union field expiration. Expiration policy attached to the Secret. If specified the Secret and all SecretVersions will be automatically deleted at expiration. Expired secrets are irreversibly deleted.

Expiration is not the recommended way to set time-based permissions. IAM Conditions is recommended for granting time-based permissions because the operation can be reversed. expiration can be only one of the following:

expireTime

string (Timestamp format)

Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

ttl

string (Duration format)

Input only. The TTL for the Secret.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Replication

A policy that defines the replication and encryption configuration of data.

JSON representation
{

  // Union field replication can be only one of the following:
  "automatic": {
    object (Automatic)
  },
  "userManaged": {
    object (UserManaged)
  }
  // End of list of possible types for union field replication.
}
Fields
Union field replication. The replication policy for this secret. replication can be only one of the following:
automatic

object (Automatic)

The Secret will automatically be replicated without any restrictions.

userManaged

object (UserManaged)

The Secret will only be replicated into the locations specified.

Automatic

A replication policy that replicates the Secret payload without any restrictions.

JSON representation
{
  "customerManagedEncryption": {
    object (CustomerManagedEncryption)
  }
}
Fields
customerManagedEncryption

object (CustomerManagedEncryption)

Optional. The customer-managed encryption configuration of the Secret. If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.

CustomerManagedEncryption

Configuration for encrypting secret payloads using customer-managed encryption keys (CMEK).

JSON representation
{
  "kmsKeyName": string
}
Fields
kmsKeyName

string

Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.

For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the [replica location][Secret.UserManaged.Replica.location].

For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global.

The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.

UserManaged

A replication policy that replicates the Secret payload into the locations specified in [Secret.replication.user_managed.replicas][]

JSON representation
{
  "replicas": [
    {
      object (Replica)
    }
  ]
}
Fields
replicas[]

object (Replica)

Required. The list of Replicas for this Secret.

Cannot be empty.

Replica

Represents a Replica for this Secret.

JSON representation
{
  "location": string,
  "customerManagedEncryption": {
    object (CustomerManagedEncryption)
  }
}
Fields
location

string

The canonical IDs of the location to replicate data. For example: "us-east1".

customerManagedEncryption

object (CustomerManagedEncryption)

Optional. The customer-managed encryption configuration of the [User-Managed Replica][Replication.UserManaged.Replica]. If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.

Topic

A Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.

JSON representation
{
  "name": string
}
Fields
name

string

Required. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager P4SA must have pubsub.publisher permissions on the topic.

Rotation

The rotation time and period for a Secret. At nextRotationTime, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. Secret.topics must be set to configure rotation.

JSON representation
{
  "nextRotationTime": string,
  "rotationPeriod": string
}
Fields
nextRotationTime

string (Timestamp format)

Optional. Timestamp in UTC at which the Secret is scheduled to rotate.

nextRotationTime MUST be set if rotationPeriod is set.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

rotationPeriod

string (Duration format)

Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).

If rotationPeriod is set, nextRotationTime must be set. nextRotationTime will be advanced by this period when the service automatically sends rotation notifications.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Methods

addVersion

Creates a new SecretVersion containing secret data and attaches it to an existing Secret.

create

Creates a new Secret containing no SecretVersions.

delete

Deletes a Secret.

get

Gets metadata for a given Secret.

getIamPolicy

Gets the access control policy for a secret.

list

Lists Secrets.

patch

Updates metadata of an existing Secret.

setIamPolicy

Sets the access control policy on the specified secret.

testIamPermissions

Returns permissions that a caller has for the specified secret.