Parameter Manager integrates with Pub/Sub to provide event
notifications for changes to both parameters and parameter versions. You can use
these notifications to initiate workflows, such as restarting an application when
a new parameter version is added, or notifying security engineers when a
parameter is deleted. For more information on how to use these notifications to
start workflows, see the Pub/Sub documentation.
Before you begin
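To set up Parameter Manager, complete the following:
Create or use an existing project to hold your Parameter Manager resources.
If necessary, complete the steps mentioned in the Prepare your environment page.
To set up Pub/Sub, complete the following:
Create or use an existing project to hold your Pub/Sub resources.
If necessary, enable the Pub/Sub API.
Authenticate to Google Cloud using the following command:
$ gcloud auth login --update-adc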
Create Pub/Sub topics
Follow the Pub/Sub quickstart
to create topics in your Pub/Sub project in the Google Cloud console.
Alternatively, create topics in the Google Cloud CLI using the following command:
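Before using any of the command data below,
make the following replacements:
PUBSUB_PROJECT_ID: the ID of the project in which to create subscriptions
PUBSUB_TOPIC_NAME: the name of the topic
Execute the following command:
gcloud pubsub topics create "projects/PUBSUB_PROJECT_ID/topics/PUBSUB_TOPIC_NAME"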
Retain the option to add a default subscription. Don't select any other option.
Create a sink to route log entries
Configure Cloud Logging to route log entries to your Pub/Sub topic in
the project where the log entries originate. To do this, follow these steps:
In the Google Cloud console, go to the Log Router page.
If you use the search bar, select the result with the subheading Logging.
Click Create Sink, enter a name and description, and then click Next.
In the Sink Service menu, select Cloud Pub/Sub topic. Select your
Pub/Sub topic, and then click Next.
Select the log entries to include in the sink, and click Next.
Optional: Select log entries to exclude.
Click Create Sink. A dialog appears with the message Sink created confirming
the successful creation and permissions for routing matching log entries.
Grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the sink's writer
identity. Refer to Set destination permissions
for details on obtaining the writer identity and granting roles.
Cloud Logging now sends log entries to your Pub/Sub topic.
Check logs published to Pub/Sub topic
Log entries are generated whenever you perform the following operations:
Create a new parameter or parameter version within Parameter Manager.
Retrieve the details of a specific parameter or parameter version using its
identifier.
List all parameters or parameter versions within a specified project.
Modify an existing parameter or parameter version.
Remove a parameter or parameter version.
To view log entries published to your Pub/Sub topic:
Open the subscriber for your topic.
Click Pull messages.
The resulting list shows the log entries that match the filter criteria defined
in your log sink.
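The following Python code is an added example, not part of the original page or of Google's samples. It decodes pulled messages whose data is a JSON log entry and routes them to the two workflows named in the introduction (notify security engineers on deletion, restart an application on a new parameter version). The service name, the fully qualified method names, the pulled-message shape (ackId plus message.data in base64) and all sample resource names and principals are assumptions or constructed values.

```python
import base64
import json

# Assumptions: this service name and the method names built in make_message.
EXPECTED_SERVICE = "parametermanager.googleapis.com"

def decode_log_entry(received):
    """Return the LogEntry dict carried by one pulled message, or None."""
    try:
        raw = base64.b64decode(received["message"]["data"], validate=True)
        entry = json.loads(raw)
    except (KeyError, TypeError, ValueError):  # missing field, bad base64 or JSON
        return None
    return entry if isinstance(entry, dict) else None

def route(received):
    """Map one pulled message to (action, resource, actor)."""
    entry = decode_log_entry(received)
    if entry is None:
        return ("unparseable", None, None)  # surface it instead of dropping it
    payload = entry.get("protoPayload")
    if not isinstance(payload, dict) or payload.get("serviceName") != EXPECTED_SERVICE:
        return ("ignore", None, None)
    operation = str(payload.get("methodName", "")).rsplit(".", 1)[-1]
    resource = payload.get("resourceName")
    auth = payload.get("authenticationInfo")
    actor = auth.get("principalEmail") if isinstance(auth, dict) else None
    if operation.startswith("Delete"):
        return ("notify-security", resource, actor)
    if operation == "CreateParameterVersion":
        return ("restart-application", resource, actor)
    return ("ignore", resource, actor)  # reads, lists and updates: no workflow

def make_message(method, resource, service=EXPECTED_SERVICE):
    """Build a constructed pulled message wrapping a minimal audit LogEntry."""
    entry = {"protoPayload": {
        "serviceName": service,
        "methodName": "google.cloud.parametermanager.v1.ParameterManager." + method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": "dev@example.com"}}}
    data = base64.b64encode(json.dumps(entry).encode()).decode()
    return {"ackId": "constructed", "message": {"data": data}}

PARAM = "projects/example-project/locations/global/parameters/db-config"
SAMPLES = [  # constructed inputs, not real log data
    make_message("DeleteParameter", PARAM),
    make_message("CreateParameterVersion", PARAM + "/versions/v2"),
    {"ackId": "constructed", "message": {"data": "bm90LWpzb24="}},  # "not-json"
]
```

Calling route on each item of SAMPLES returns the action, the affected resource and the acting principal. The consumer checks the service name itself, so a sink filter that is broader than intended does not trigger a workflow.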
Last updated 2025-09-04 UTC.