Render secrets referenced within a parameter version

Parameter versions can contain references to secrets created in Secret Manager. This reference doesn't reveal the actual secret value. When your application needs the secret, it retrieves the parameter. Instead of getting the plain-text secret, it gets the reference. The application then uses the reference to dynamically fetch the secret value from Secret Manager at runtime. This ensures that the secret is only accessed and exposed in memory when needed, reducing the risk of the secret being compromised.

This page describes how to retrieve a parameter version and then render the secret that the version references.

Required roles

To get the permissions that you need to render secret within a parameter version , ask your administrator to grant you the Parameter Manager Parameter Accessor (roles/parametermanager.parameterAccessor) IAM role on the parameter, project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Render the secret referenced within a parameter version

To render the secret referenced within a parameter version, use one of the following methods:

Global parameters

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. Click Parameter Manager to go to the Parameter Manager page. You'll see the list of parameters for that project.

  3. Click the parameter name to access its versions. The parameter details page opens with the Versions tab in focus where you can see all the versions belonging to the selected parameter.

  4. Select the parameter version with the secret reference.

  5. Click the Actions menu associated with that version, and then click Render.

    A new page is displayed with the payload and the rendered value of the parameter version.

gcloud

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID: the ID of the parameter version
  • PARAMETER_ID: the name of the parameter
  • LOCATION: the Google Cloud location of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global

Windows (PowerShell)

gcloud parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global

Windows (cmd.exe)

gcloud parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global

You should receive a response similar to the following:

parameterVersion: projects/production-1/locations/global/parameters/db_password_secret_ref/versions/v4
payload:
  data: ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL3NlY3JldHMvZHVyYWJsZS1zZWNyZXQvdmVyc2lvbnMvMSk=
renderedPayload: ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cg==

REST

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the Google Cloud project ID
  • PARAMETER_ID: the name of the parameter
  • PARAMETER_VERSION_ID: the ID of the parameter version

HTTP method and URL: 

GET https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render

Request JSON body: 

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command: 

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render"

PowerShell

Save the request body in a file named request.json, and execute the following command: 

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/production-1/locations/global/parameters/db_password_secret_ref/versions/v2",
    "createTime": "2024-10-15T08:39:05.191747694Z",
    "updateTime": "2024-10-15T08:39:05.530311092Z",
    "payload": {
      "data": "ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL3NlY3JldHMvZHVyYWJsZS1zZWNyZXQvdmVyc2lvbnMvMSkK"
    },
    "renderedPayload": "ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo="
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 


using Google.Cloud.ParameterManager.V1;
using System.Text;

public class RenderParameterVersionSample
{
    /// <summary>
    /// This function renders a parameter version using the Parameter Manager SDK for GCP.
    /// </summary>
    /// <param name="projectId">The ID of the project where the parameter is located.</param>
    /// <param name="parameterId">The ID of the parameter for which the version is to be rendered.</param>
    /// <param name="versionId">The ID of the version to be rendered.</param>
    /// <returns>The rendered parameter version data as a string.</returns>
    public string RenderParameterVersion(
        string projectId,
        string parameterId,
        string versionId)
    {
        // Create the client.
        ParameterManagerClient client = ParameterManagerClient.Create();

        // Build the resource name for the parameter version.
        ParameterVersionName parameterVersionName = new ParameterVersionName(projectId, "global", parameterId, versionId);

        // Call the API to render the parameter version.
        RenderParameterVersionResponse renderParameterVersionResponse = client.RenderParameterVersion(parameterVersionName);

        // Decode the base64 encoded data.
        string decodedData = Encoding.UTF8.GetString(renderParameterVersionResponse.RenderedPayload.ToByteArray());

        // Print the rendered parameter version data.
        Console.WriteLine($"Rendered parameter version payload: {decodedData}");

        // Return the rendered parameter version data.
        return decodedData;
    }
}

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
)

// renderParamVersion renders a parameter version using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// parameterID: The ID of the parameter for which the version details is to be rendered.
// versionID: The ID of the version to be rendered.
//
// The function returns an error if the parameter version rendering fails.
func renderParamVersion(w io.Writer, projectID, parameterID, versionID string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()
	client, err := parametermanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the parameter version to get render data.
	name := fmt.Sprintf("projects/%s/locations/global/parameters/%s/versions/%s", projectID, parameterID, versionID)

	// Build the request to render a parameter version.
	req := &parametermanagerpb.RenderParameterVersionRequest{
		Name: name,
	}

	// Call the API to render a parameter version.
	rendered, err := client.RenderParameterVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to render parameter version: %w", err)
	}

	fmt.Fprintf(w, "Rendered parameter version: %s\n", rendered.ParameterVersion)

	// If the parameter contains secret references, they will be resolved
	// and the actual secret values will be included in the rendered output.
	// Be cautious with logging or displaying this information.
	fmt.Fprintf(w, "Rendered payload: %s\n", rendered.RenderedPayload)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterVersionName;
import com.google.cloud.parametermanager.v1.RenderParameterVersionResponse;
import java.io.IOException;

/**
 * This class demonstrates how to render a parameter version using the Parameter Manager SDK for
 * GCP.
 */
public class RenderParamVersion {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String parameterId = "your-parameter-id";
    String versionId = "your-version-id";

    // Call the method to render a parameter version.
    renderParamVersion(projectId, parameterId, versionId);
  }

  // This is an example snippet to render a parameter version.
  public static RenderParameterVersionResponse renderParamVersion(
      String projectId, String parameterId, String versionId) throws IOException {
    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create()) {
      String locationId = "global";

      // Build the parameter version name.
      ParameterVersionName parameterVersionName =
          ParameterVersionName.of(projectId, locationId, parameterId, versionId);

      // Render the parameter version.
      RenderParameterVersionResponse response =
          client.renderParameterVersion(parameterVersionName.toString());
      System.out.printf(
          "Rendered parameter version payload: %s\n",
          response.getRenderedPayload().toStringUtf8());

      return response;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const parameterId = 'YOUR_PARAMETER_ID';
// const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID';

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Instantiates a client
const client = new ParameterManagerClient();

async function renderParamVersion() {
  // Construct the parameter version name
  const name = client.parameterVersionPath(
    projectId,
    'global',
    parameterId,
    parameterVersionId
  );

  // Construct the request
  const request = {
    name: name,
  };

  // Render the parameter version
  const [parameterVersion] = await client.renderParameterVersion(request);
  console.log(
    `Rendered parameter version: ${parameterVersion.parameterVersion}`
  );

  // If the parameter contains secret references, they will be resolved
  // and the actual secret values will be included in the rendered output.
  // Be cautious with logging or displaying this information.
  console.log(
    'Rendered payload: ',
    parameterVersion.renderedPayload.toString('utf-8')
  );
  return parameterVersion;
}

return await renderParamVersion();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

// Import necessary classes for render a parameter version.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\RenderParameterVersionRequest;

/**
 * Renders a parameter version using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $versionId The Version ID (e.g. 'my-param-version')
 */
function render_param_version(string $projectId, string $parameterId, string $versionId): void
{
    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient();

    // Build the resource name of the parameter version.
    $parameterVersionName = $client->parameterVersionName($projectId, 'global', $parameterId, $versionId);

    // Prepare the request to render the parameter version.
    $request = (new RenderParameterVersionRequest())->setName($parameterVersionName);

    // Retrieve the render parameter version using the client.
    $parameterVersion = $client->renderParameterVersion($request);

    // Print the retrieved parameter version details.
    printf('Rendered parameter version payload: %s' . PHP_EOL, $parameterVersion->getRenderedPayload());
}

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

def render_param_version(
    project_id: str, parameter_id: str, version_id: str
) -> parametermanager_v1.RenderParameterVersionResponse:
    """
    Retrieves and renders the details of a specific version of an
    existing parameter in the global location of the specified project
    using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which version details are to be rendered.
        version_id (str): The ID of the version to be rendered.

    Returns:
        parametermanager_v1.RenderParameterVersionResponse: An object
        representing the rendered parameter version.

    Example:
        render_param_version(
            "my-project",
            "my-global-parameter",
            "v1"
        )
    """
    # Import the necessary library for Google Cloud Parameter Manager.
    from google.cloud import parametermanager_v1

    # Create the Parameter Manager client.
    client = parametermanager_v1.ParameterManagerClient()

    # Build the resource name of the parameter version.
    name = client.parameter_version_path(project_id, "global", parameter_id, version_id)

    # Define the request to render the parameter version.
    request = parametermanager_v1.RenderParameterVersionRequest(name=name)

    # Get the rendered parameter version details.
    response = client.render_parameter_version(request=request)

    # Print the rendered parameter version payload.
    print(
        f"Rendered parameter version payload: "
        f"{response.rendered_payload.decode('utf-8')}"
    )

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

require "google/cloud/parameter_manager"

##
# Render a parameter version
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param version_id [String] The version name (e.g. "my-version")
#
def render_param_version project_id:, parameter_id:, version_id:
  # Create a Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager

  # Build the resource name of the parent project.
  name = client.parameter_version_path project: project_id, location: "global", parameter: parameter_id,
                                       parameter_version: version_id

  # Retrieve the parameter version.
  param_version = client.render_parameter_version name: name

  # Print the retrieved render parameter version name.
  puts "Rendered parameter version payload: #{param_version.rendered_payload}"
end

Regional parameters

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. Click Parameter Manager to go to the Parameter Manager page. You'll see the list of parameters for that project.

  3. Click the parameter name to access its versions. The parameter details page opens with the Versions tab in focus where you can see all the versions belonging to the selected parameter.

  4. Select the parameter version with the secret reference.

  5. Click the Actions menu associated with that version, and then click Render.

    A new page is displayed with the payload and the rendered value of the parameter version.

gcloud

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID: the ID of the parameter version
  • PARAMETER_ID: the name of the parameter
  • LOCATION: the Google Cloud location of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION

Windows (PowerShell)

gcloud parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION

Windows (cmd.exe)

gcloud parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION

You should receive a response similar to the following:

parameterVersion: projects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/v4
payload:
  data: ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL2xvY2F0aW9ucy91cy1jZW50cmFsMS9zZWNyZXRzL2R1cmFibGUtc2VjcmV0L3ZlcnNpb25zLzEpCg==
renderedPayload: ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo=

REST

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the parameter
  • PROJECT_ID: the Google Cloud project ID
  • PARAMETER_ID: the name of the parameter
  • PARAMETER_VERSION_ID: the ID of the parameter version

HTTP method and URL: 

GET https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render

Request JSON body: 

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command: 

curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render"

PowerShell

Save the request body in a file named request.json, and execute the following command: 

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "parameterVersion": "pprojects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/v3",
  "payload": {
    "data": "ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL2xvY2F0aW9ucy91cy1jZW50cmFsMS9zZWNyZXRzL2R1cmFibGUtc2VjcmV0L3ZlcnNpb25zLzEpCg=="
  },
  "renderedPayload": "ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo="
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 


using Google.Cloud.ParameterManager.V1;
using System.Text;

public class RenderRegionalParameterVersionSample
{
    /// <summary>
    /// This function renders a regional parameter version using the Parameter Manager SDK for GCP.
    /// </summary>
    /// <param name="projectId">The ID of the project where the parameter is located.</param>
    /// <param name="locationId">The ID of the region where the parameter is located.</param>
    /// <param name="parameterId">The ID of the parameter for which the version is to be rendered.</param>
    /// <param name="versionId">The ID of the version to be rendered.</param>
    /// <returns>The rendered parameter version data as a string.</returns>
    public string RenderRegionalParameterVersion(
        string projectId,
        string locationId,
        string parameterId,
        string versionId)
    {
        // Define the regional endpoint
        string regionalEndpoint = $"parametermanager.{locationId}.rep.googleapis.com";

        // Create the client with the regional endpoint
        ParameterManagerClient client = new ParameterManagerClientBuilder
        {
            Endpoint = regionalEndpoint
        }.Build();

        // Build the resource name for the parameter version in the specified regional locationId
        ParameterVersionName parameterVersionName = new ParameterVersionName(projectId, locationId, parameterId, versionId);

        // Call the API to render the parameter version
        RenderParameterVersionResponse renderParameterVersionResponse = client.RenderParameterVersion(parameterVersionName);

        // Decode the base64 encoded data
        string decodedData = Encoding.UTF8.GetString(renderParameterVersionResponse.RenderedPayload.ToByteArray());

        // Print the rendered parameter version data
        Console.WriteLine($"Rendered regional parameter version payload: {decodedData}");

        // Return the rendered parameter version data
        return decodedData;
    }
}

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/api/option"
)

// renderRegionalParamVersion renders a regional parameter version using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// locationID: The ID of the region where the parameter is located.
// parameterID: The ID of the parameter for which the version is to be rendered.
// versionID: The ID of the version to be rendered.
//
// The function returns an error if the parameter version render retrieval fails.
func renderRegionalParamVersion(w io.Writer, projectID, locationID, parameterID, versionID string) error {
	// Create a new context.
	ctx := context.Background()

	// Create a Parameter Manager client.
	endpoint := fmt.Sprintf("parametermanager.%s.rep.googleapis.com:443", locationID)
	client, err := parametermanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the parameter version to render.
	name := fmt.Sprintf("projects/%s/locations/%s/parameters/%s/versions/%s", projectID, locationID, parameterID, versionID)

	// Build the request to render the parameter version.
	req := &parametermanagerpb.RenderParameterVersionRequest{
		Name: name,
	}

	// Call the API to render the parameter version.
	rendered, err := client.RenderParameterVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to render parameter version: %w", err)
	}

	fmt.Fprintf(w, "Rendered regional parameter version: %s\n", rendered.ParameterVersion)

	// If the parameter contains secret references, they will be resolved
	// and the actual secret values will be included in the rendered output.
	// Be cautious with logging or displaying this information.
	fmt.Fprintf(w, "Rendered payload: %s\n", rendered.RenderedPayload)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 


import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import com.google.cloud.parametermanager.v1.ParameterVersionName;
import com.google.cloud.parametermanager.v1.RenderParameterVersionResponse;
import java.io.IOException;

/**
 * This class demonstrates how to render a regional parameter version using the Parameter Manager
 * SDK for GCP.
 */
public class RenderRegionalParamVersion {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "your-location-id";
    String parameterId = "your-parameter-id";
    String versionId = "your-version-id";

    // Call the method to render a regional parameter version.
    renderRegionalParamVersion(projectId, locationId, parameterId, versionId);
  }

  // This is an example snippet to render a regional parameter version.
  public static RenderParameterVersionResponse renderRegionalParamVersion(
      String projectId, String locationId, String parameterId, String versionId)
      throws IOException {
    // Endpoint to call the regional parameter manager server
    String apiEndpoint = String.format("parametermanager.%s.rep.googleapis.com:443", locationId);
    ParameterManagerSettings parameterManagerSettings =
        ParameterManagerSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create(parameterManagerSettings)) {
      // Build the parameter version name.
      ParameterVersionName parameterVersionName =
          ParameterVersionName.of(projectId, locationId, parameterId, versionId);

      // Render the parameter version.
      RenderParameterVersionResponse response =
          client.renderParameterVersion(parameterVersionName.toString());
      System.out.printf(
          "Rendered regional parameter version payload: %s\n",
          response.getRenderedPayload().toStringUtf8());

      return response;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const locationId = 'us-central1';
// const parameterId = 'YOUR_PARAMETER_ID';
// const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID';

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Adding the endpoint to call the regional parameter manager server
const options = {
  apiEndpoint: `parametermanager.${locationId}.rep.googleapis.com`,
};

// Instantiates a client with regional endpoint
const client = new ParameterManagerClient(options);

async function renderRegionalParamVersion() {
  // Construct the parameter version name
  const name = client.parameterVersionPath(
    projectId,
    locationId,
    parameterId,
    parameterVersionId
  );

  // Construct the request
  const request = {
    name: name,
  };

  // Render the parameter version
  const [paramVersions] = await client.renderParameterVersion(request);

  console.log(
    `Rendered regional parameter version: ${paramVersions.parameterVersion}`
  );

  // If the parameter contains secret references, they will be resolved
  // and the actual secret values will be included in the rendered output.
  // Be cautious with logging or displaying this information.
  console.log(
    'Rendered payload: ',
    paramVersions.renderedPayload.toString('utf-8')
  );
  return paramVersions;
}

return await renderRegionalParamVersion();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

// Import necessary classes for render a parameter version.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\RenderParameterVersionRequest;

/**
 * Renders a regional parameter version using the Parameter Manager SDK for GCP.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId The Parameter Location (e.g. 'us-central1')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $versionId The Version ID (e.g. 'my-param-version')
 */
function render_regional_param_version(string $projectId, string $locationId, string $parameterId, string $versionId): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "parametermanager.$locationId.rep.googleapis.com"];

    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient($options);

    // Build the resource name of the parameter version.
    $parameterVersionName = $client->parameterVersionName($projectId, $locationId, $parameterId, $versionId);

    // Prepare the request to render the parameter version.
    $request = (new RenderParameterVersionRequest())->setName($parameterVersionName);

    // Retrieve the render parameter version using the client.
    $parameterVersion = $client->renderParameterVersion($request);

    // Print the retrieved parameter version details.
    printf('Rendered regional parameter version payload: %s' . PHP_EOL, $parameterVersion->getRenderedPayload());
}

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

def render_regional_param_version(
    project_id: str, location_id: str, parameter_id: str, version_id: str
) -> parametermanager_v1.RenderParameterVersionResponse:
    """
    Retrieves and renders the details of a specific version of an
    existing parameter in the specified region of the specified project
    using the Google Cloud Parameter Manager SDK.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        location_id (str): The ID of the region where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which version details are to be rendered.
        version_id (str): The ID of the version to be rendered.

    Returns:
        parametermanager_v1.RenderParameterVersionResponse: An object
        representing the rendered parameter version.

    Example:
        render_regional_param_version(
            "my-project",
            "us-central1",
            "my-regional-parameter",
            "v1"
        )
    """
    # Import the necessary library for Google Cloud Parameter Manager.
    from google.cloud import parametermanager_v1

    # Create the Parameter Manager client with the regional endpoint.
    api_endpoint = f"parametermanager.{location_id}.rep.googleapis.com"
    client = parametermanager_v1.ParameterManagerClient(
        client_options={"api_endpoint": api_endpoint}
    )

    # Build the resource name of the parameter version.
    name = client.parameter_version_path(
        project_id, location_id, parameter_id, version_id
    )

    # Define the request to render the parameter version.
    request = parametermanager_v1.RenderParameterVersionRequest(name=name)

    # Get the rendered parameter version details.
    response = client.render_parameter_version(request=request)

    # Print the response payload.
    print(
        f"Rendered regional parameter version payload: "
        f"{response.rendered_payload.decode('utf-8')}"
    )

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

require "google/cloud/parameter_manager"

##
# Render a regional parameter version
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param location_id [String] The location name (e.g. "us-central1")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param version_id [String] The version name (e.g. "my-version")
#
def render_regional_param_version project_id:, location_id:, parameter_id:, version_id:
  # Endpoint for the regional parameter manager service.
  api_endpoint = "parametermanager.#{location_id}.rep.googleapis.com"

  # Create the Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the parent project.
  name = client.parameter_version_path project: project_id, location: location_id, parameter: parameter_id,
                                       parameter_version: version_id

  # Retrieve the parameter version.
  param_version = client.render_parameter_version name: name

  # Print the retrieved render parameter version name.
  puts "Rendered regional parameter version payload: #{param_version.rendered_payload}"
end

This method returns the parameter version metadata as well as the following two values:

  • Payload: the raw, unprocessed parameter payload. This payload can have many key-value pairs, some of which might contain secrets. The data field within it holds a Base64-encoded string. If you decode this string, you'll find that the raw payload contains references (REF(...)) to locations where the secrets are stored. Note that each parameter version can contain up to 15 secret references.
  • Rendered Payload: the key-value pairs with actual secret values as a Base64-encoded string. Decode this string to fetch the parameter payload with rendered secret values.

What's next