REST Resource: projects.secrets

Resource: Secret

A Secret is a logical secret whose value and versions can be accessed.

A Secret is made up of zero or more SecretVersions that represent the secret data.

JSON representation
{
  "name": string,
  "replication": {
    object (Replication)
  },
  "createTime": string,
  "labels": {
    string: string,
    ...
  },
  "topics": [
    {
      object (Topic)
    }
  ],
  "etag": string,
  "rotation": {
    object (Rotation)
  },
  "versionAliases": {
    string: string,
    ...
  },
  "annotations": {
    string: string,
    ...
  },

  // Union field expiration can be only one of the following:
  "expireTime": string,
  "ttl": string
  // End of list of possible types for union field expiration.
}
Fields
name

string

Output only. The resource name of the Secret in the format projects/*/secrets/*.

replication

object (Replication)

Required. Immutable. The replication policy of the secret data attached to the Secret.

The replication policy cannot be changed after the Secret has been created.

createTime

string (Timestamp format)

Output only. The time at which the Secret was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

labels

map (key: string, value: string)

The labels assigned to this Secret.

Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}

Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}

No more than 64 labels can be assigned to a given resource.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

topics[]

object (Topic)

Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.

etag

string

Optional. Etag of the currently stored Secret.

rotation

object (Rotation)

Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy.

versionAliases

map (key: string, value: string (int64 format))

Optional. Mapping from version alias to version name.

A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (-) and underscore ('_') characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.

Version-alias pairs are viewable via secrets.get and modifiable via secrets.patch. At launch, access by alias is supported only on GetSecretVersion and AccessSecretVersion.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

annotations

map (key: string, value: string)

Optional. Custom metadata about the secret.

Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database.

Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols.

The total size of annotation keys and values must be less than 16KiB.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Union field expiration. Expiration policy attached to the Secret. If specified the Secret and all SecretVersions will be automatically deleted at expiration. Expired secrets are irreversibly deleted.

Expiration is not the recommended way to set time-based permissions. IAM Conditions is recommended for granting time-based permissions because the operation can be reversed.

expiration can be only one of the following:

expireTime

string (Timestamp format)

Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

ttl

string (Duration format)

Input only. The TTL for the Secret.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

Replication

A policy that defines the replication and encryption configuration of data.

JSON representation
{

  // Union field replication can be only one of the following:
  "automatic": {
    object (Automatic)
  },
  "userManaged": {
    object (UserManaged)
  }
  // End of list of possible types for union field replication.
}
Fields
Union field replication. The replication policy for this secret. replication can be only one of the following:
automatic

object (Automatic)

The Secret will automatically be replicated without any restrictions.

userManaged

object (UserManaged)

The Secret will only be replicated into the locations specified.

Automatic

A replication policy that replicates the Secret payload without any restrictions.

JSON representation
{
  "customerManagedEncryption": {
    object (CustomerManagedEncryption)
  }
}
Fields
customerManagedEncryption

object (CustomerManagedEncryption)

Optional. The customer-managed encryption configuration of the Secret. If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.

CustomerManagedEncryption

Configuration for encrypting secret payloads using customer-managed encryption keys (CMEK).

JSON representation
{
  "kmsKeyName": string
}
Fields
kmsKeyName

string

Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.

For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location (Secret.UserManaged.Replica.location).

For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global.

The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.

UserManaged

A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas.

JSON representation
{
  "replicas": [
    {
      object (Replica)
    }
  ]
}
Fields
replicas[]

object (Replica)

Required. The list of Replicas for this Secret.

Cannot be empty.

Replica

Represents a Replica for this Secret.

JSON representation
{
  "location": string,
  "customerManagedEncryption": {
    object (CustomerManagedEncryption)
  }
}
Fields
location

string

The canonical ID of the location in which to replicate data. For example: "us-east1".

customerManagedEncryption

object (CustomerManagedEncryption)

Optional. The customer-managed encryption configuration of the User-Managed Replica (Replication.UserManaged.Replica). If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
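
The replication and CMEK location rules above can be checked before a create request is sent. The following is an added example, not part of the API reference or any Google client library: check_replication and _check_key are hypothetical helper names, and the project, key ring and key names in the sample are constructed.

```python
import re

# Key format stated on the page: projects/*/locations/*/keyRings/*/cryptoKeys/*
KMS_KEY_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")


def _check_key(cme, required_location, where):
    """Return problems for one customerManagedEncryption object (None if absent)."""
    if cme is None:
        return []  # no CMEK configured: Google-managed default encryption applies
    m = KMS_KEY_RE.match(cme.get("kmsKeyName") or "")
    if not m:
        return [f"{where}: kmsKeyName missing or not in the expected format"]
    if m.group(1) != required_location:
        return [f"{where}: key is in '{m.group(1)}', must be in '{required_location}'"]
    return []


def check_replication(replication):
    """Hypothetical helper: validate a parsed Replication object, return problems."""
    present = [k for k in ("automatic", "userManaged") if k in replication]
    if len(present) != 1:
        return ["replication: exactly one of automatic / userManaged must be set"]
    if present[0] == "automatic":
        cme = replication["automatic"].get("customerManagedEncryption")
        return _check_key(cme, "global", "automatic")
    replicas = replication["userManaged"].get("replicas") or []
    if not replicas:
        return ["userManaged: replicas cannot be empty"]
    problems = []
    for i, rep in enumerate(replicas):
        where = f"replicas[{i}]"
        if not rep.get("location"):
            problems.append(f"{where}: location is missing")
            continue
        problems += _check_key(rep.get("customerManagedEncryption"),
                               rep["location"], where)
    return problems


# Constructed sample: both replicas reuse one us-east1 key, so replicas[1] fails.
KEY = "projects/example-proj/locations/us-east1/keyRings/kr/cryptoKeys/k1"
SAMPLE = {"userManaged": {"replicas": [
    {"location": "us-east1", "customerManagedEncryption": {"kmsKeyName": KEY}},
    {"location": "europe-west1", "customerManagedEncryption": {"kmsKeyName": KEY}},
]}}

if __name__ == "__main__":
    print(check_replication(SAMPLE))
```
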

Topic

A Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.

JSON representation
{
  "name": string
}
Fields
name

string

Required. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager service agent must have the pubsub.topic.publish permission on the topic. The Pub/Sub Publisher role (roles/pubsub.publisher) includes this permission.

Rotation

The rotation time and period for a Secret. At nextRotationTime, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. Secret.topics must be set to configure rotation.

JSON representation
{
  "nextRotationTime": string,
  "rotationPeriod": string
}
Fields
nextRotationTime

string (Timestamp format)

Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Must be at least 300s (5 min) and at most 3153600000s (100 years) in the future.

nextRotationTime MUST be set if rotationPeriod is set.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

rotationPeriod

string (Duration format)

Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).

If rotationPeriod is set, nextRotationTime must be set. nextRotationTime will be advanced by this period when the service automatically sends rotation notifications.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
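
The rotation constraints above (topics required, rotationPeriod implies nextRotationTime, and the stated bounds) can be validated client-side before calling create or patch. This is an added example, not code from the API reference or a Google client library: check_rotation, parse_duration and parse_timestamp are hypothetical helpers, the caller supplies the current time, and the sample Secret is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

MIN_LEAD = timedelta(seconds=300)          # nextRotationTime: >= 5 min ahead
MAX_SPAN = timedelta(seconds=3153600000)   # 100 years, upper bound for both fields
MIN_PERIOD = timedelta(seconds=3600)       # rotationPeriod: >= 1h
TS_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?Z")

def parse_duration(text):
    """Duration format: seconds with up to nine fractional digits, ending in 's'."""
    if not re.fullmatch(r"\d+(\.\d{1,9})?s", text):
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=float(text[:-1]))

def parse_timestamp(text):
    """RFC 3339 'Zulu' timestamp; digits past microseconds are truncated."""
    m = TS_RE.fullmatch(text)
    if not m:
        raise ValueError(f"bad timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "").ljust(6, "0")[:6])
    return base.replace(tzinfo=timezone.utc) + timedelta(microseconds=micros)

def check_rotation(secret, now):
    """Hypothetical helper: return problems with secret['rotation'] at time `now`."""
    rotation = secret.get("rotation")
    if not rotation:
        return []
    problems = []
    if not 1 <= len(secret.get("topics") or []) <= 10:
        problems.append("rotation needs 1 to 10 Pub/Sub topics on the Secret")
    period, nxt = rotation.get("rotationPeriod"), rotation.get("nextRotationTime")
    if period is not None:
        if nxt is None:
            problems.append("rotationPeriod is set, so nextRotationTime must be set")
        if not MIN_PERIOD <= parse_duration(period) <= MAX_SPAN:
            problems.append("rotationPeriod must be 3600s to 3153600000s")
    if nxt is not None:
        if not MIN_LEAD <= parse_timestamp(nxt) - now <= MAX_SPAN:
            problems.append("nextRotationTime must be 300s to 3153600000s ahead")
    return problems

# Constructed sample: no topics, a 30-minute period, and a rotation 2 minutes out.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = {"topics": [], "rotation": {"rotationPeriod": "1800s",
                                     "nextRotationTime": "2024-01-01T00:02:00Z"}}

if __name__ == "__main__":
    print(check_rotation(SAMPLE, NOW))
```
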

Methods

addVersion

Creates a new SecretVersion containing secret data and attaches it to an existing Secret.

create

Creates a new Secret containing no SecretVersions.

delete

Deletes a Secret.

get

Gets metadata for a given Secret.

getIamPolicy

Gets the access control policy for a secret.

list

Lists Secrets.

patch

Updates metadata of an existing Secret.

setIamPolicy

Sets the access control policy on the specified secret.

testIamPermissions

Returns permissions that a caller has for the specified secret.