REST Resource: projects.secrets

Resource: Secret

A Secret is a logical secret whose value and versions can be accessed.

A Secret is made up of zero or more SecretVersions that represent the secret data.

JSON representation 
{
  "name": string,
  "replication": {
    object (Replication)
  },
  "createTime": string,
  "labels": {
    string: string,
    ...
  },
  "topics": [
    {
      object (Topic)
    }
  ],
  "etag": string,
  "rotation": {
    object (Rotation)
  },
  "versionAliases": {
    string: string,
    ...
  },
  "annotations": {
    string: string,
    ...
  },
  "versionDestroyTtl": string,
  "customerManagedEncryption": {
    object (CustomerManagedEncryption)
  },

  // Union field expiration can be only one of the following:
  "expireTime": string,
  "ttl": string
  // End of list of possible types for union field expiration.
}
Fields
name

string

Output only. The resource name of the Secret in the format projects/*/secrets/*.
replication

object (Replication)

Optional. Immutable. The replication policy of the secret data attached to the Secret.

The replication policy cannot be changed after the Secret has been created.
createTime

string (Timestamp format)

Output only. The time at which the Secret was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
labels

map (key: string, value: string)

The labels assigned to this Secret.

Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}

Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}

No more than 64 labels can be assigned to a given resource.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
topics[]

object (Topic)

Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.
etag

string

Optional. Etag of the currently stored Secret.
rotation

object (Rotation)

Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy.
versionAliases

map (key: string, value: string (int64 format))

Optional. Mapping from version alias to version name.

A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (-) and underscore ('_') characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.

Version-Alias pairs will be viewable via secrets.get and modifiable via secrets.patch. Access by alias is only supported for GetSecretVersion and AccessSecretVersion.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
annotations

map (key: string, value: string)

Optional. Custom metadata about the secret.

Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database.

Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols.

The total size of annotation keys and values must be less than 16KiB.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
versionDestroyTtl

string (Duration format)

Optional. Secret Version TTL after destruction request

This is a part of the Delayed secret version destroy feature. For secret with TTL>0, version destruction doesn't happen immediately on calling destroy instead the version goes to a disabled state and destruction happens after the TTL expires.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
customerManagedEncryption

object (CustomerManagedEncryption)

Optional. The customer-managed encryption configuration of the Regionalised Secrets. If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.

Union field expiration. Expiration policy attached to the Secret. If specified the Secret and all SecretVersions will be automatically deleted at expiration. Expired secrets are irreversibly deleted.

Expiration is not the recommended way to set time-based permissions. IAM Conditions is recommended for granting time-based permissions because the operation can be reversed. expiration can be only one of the following:
expireTime

string (Timestamp format)

Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
ttl

string (Duration format)

Input only. The TTL for the Secret.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

Methods

addVersion

 Creates a new SecretVersion containing secret data and attaches it to an existing Secret.

create

 Creates a new Secret containing no SecretVersions.

delete

 Deletes a Secret.

get

 Gets metadata for a given Secret.

getIamPolicy

 Gets the access control policy for a secret.

list

 Lists Secrets.

patch

 Updates metadata of an existing Secret.

setIamPolicy

 Sets the access control policy on the specified secret.

testIamPermissions

 Returns permissions that a caller has for the specified secret.