Render secrets referenced within a parameter version

Parameter versions can contain references to secrets created in Secret Manager. This reference doesn't reveal the actual secret value. When your application needs the secret, it retrieves the parameter. Instead of getting the plain-text secret, it gets the reference. The application then uses the reference to dynamically fetch the secret value from Secret Manager at runtime. This ensures that the secret is only accessed and exposed in memory when needed, reducing the risk of the secret being compromised.

This page describes how to retrieve a parameter version and then render the secret that the version references.

Required roles

To get the permissions that you need to render a secret within a parameter version, ask your administrator to grant you the Parameter Manager Parameter Accessor (roles/parametermanager.parameterAccessor) IAM role on the parameter, project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Render the secret referenced within a parameter version

To render the secret referenced within a parameter version, use one of the following methods:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. Click Parameter Manager to go to the Parameter Manager page. You'll see the list of parameters for that project.

  3. Click the parameter name to access its versions. The parameter details page opens with the Versions tab in focus where you can see all the versions belonging to the selected parameter.

  4. Select the parameter version with the secret reference.

  5. Click the Actions menu associated with that version, and then click Render.

    A new page is displayed with the payload and the rendered value of the parameter version.

gcloud

Render secrets referenced within global parameter versions

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID: the ID of the parameter version
  • PARAMETER_ID: the name of the parameter
  • LOCATION: the Google Cloud location of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global

Windows (PowerShell)

gcloud beta parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global

Windows (cmd.exe)

gcloud beta parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global

You should receive a response similar to the following:

parameterVersion: projects/production-1/locations/global/parameters/db_password_secret_ref/versions/v4
payload:
  data: ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL3NlY3JldHMvZHVyYWJsZS1zZWNyZXQvdmVyc2lvbnMvMSk=
renderedPayload: ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cg==

Render secrets referenced within regional parameter versions

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID: the ID of the parameter version
  • PARAMETER_ID: the name of the parameter
  • LOCATION: the Google Cloud location of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud beta parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION

Windows (PowerShell)

gcloud beta parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION

Windows (cmd.exe)

gcloud beta parametermanager parameters versions render PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION

You should receive a response similar to the following:

parameterVersion: projects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/v4
payload:
  data: ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL2xvY2F0aW9ucy91cy1jZW50cmFsMS9zZWNyZXRzL2R1cmFibGUtc2VjcmV0L3ZlcnNpb25zLzEpCg==
renderedPayload: ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo=

REST

Render secrets referenced within global parameter versions

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the Google Cloud project ID
  • PARAMETER_ID: the name of the parameter
  • PARAMETER_VERSION_ID: the ID of the parameter version

HTTP method and URL:

GET https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render

Request JSON body:

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/production-1/locations/global/parameters/db_password_secret_ref/versions/v2",
  "createTime": "2024-10-15T08:39:05.191747694Z",
  "updateTime": "2024-10-15T08:39:05.530311092Z",
  "payload": {
    "data": "ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL3NlY3JldHMvZHVyYWJsZS1zZWNyZXQvdmVyc2lvbnMvMSkK"
  },
  "renderedPayload": "ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo="
}

Render secrets referenced within regional parameter versions

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the parameter
  • PROJECT_ID: the Google Cloud project ID
  • PARAMETER_ID: the name of the parameter
  • PARAMETER_VERSION_ID: the ID of the parameter version

HTTP method and URL:

GET https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render

Request JSON body:

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions/PARAMETER_VERSION_ID:render" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "parameterVersion": "projects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/v3",
  "payload": {
    "data": "ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL2xvY2F0aW9ucy91cy1jZW50cmFsMS9zZWNyZXRzL2R1cmFibGUtc2VjcmV0L3ZlcnNpb25zLzEpCg=="
  },
  "renderedPayload": "ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo="
}

This method returns the parameter version metadata as well as the following two values:

  • Payload: the raw, unprocessed parameter payload. This payload can have many key-value pairs, some of which might contain secrets. The data field within it holds a Base64-encoded string. If you decode this string, you'll find that the raw payload contains references (__REF__(...)) to the Secret Manager secret versions where the secrets are stored, rather than the secret values themselves. Note that each parameter version can contain up to 15 secret references.
  • Rendered Payload: the key-value pairs with actual secret values as a Base64-encoded string. Decode this string to fetch the parameter payload with rendered secret values.
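The following Python script is an added example; it is not part of this page and not code from Google's client libraries. It takes the regional REST response shown above as constructed sample input, decodes both the raw payload and the rendered payload, extracts each __REF__(...) reference and splits it into project, location, secret and version, and then checks that the rendering is consistent: no more than 15 references, every reference is a well-formed Secret Manager version name, no unresolved __REF__ marker survives in the rendered payload, and both payloads carry the same keys. The resource-name pattern and the simple "key: value" line parser are assumptions derived from the decoded sample payload on this page, not a documented payload grammar.

```python
import base64
import json
import re

# Constructed sample input: the JSON body returned by the :render method,
# copied from the regional REST example on this page.
SAMPLE_RENDER_RESPONSE = json.dumps({
    "parameterVersion": "projects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/v3",
    "payload": {
        "data": "ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL2xvY2F0aW9ucy91cy1jZW50cmFsMS9zZWNyZXRzL2R1cmFibGUtc2VjcmV0L3ZlcnNpb25zLzEpCg=="
    },
    "renderedPayload": "ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo=",
})

# Reference syntax as it appears in the decoded raw payload on this page.
REF_PATTERN = re.compile(r"__REF__\((//secretmanager\.googleapis\.com/[^)]*)\)")
# Assumed shape of a Secret Manager version resource name; the locations/
# segment is present for regional secrets and absent for global ones.
RESOURCE_PATTERN = re.compile(
    r"//secretmanager\.googleapis\.com/projects/(?P<project>[^/]+)"
    r"(?:/locations/(?P<location>[^/]+))?"
    r"/secrets/(?P<secret>[^/]+)/versions/(?P<version>[^/]+)"
)
MAX_SECRET_REFS = 15  # limit stated on this page


def decode_render_response(body: str) -> dict:
    """Decode the Base64 payload and renderedPayload of a :render response."""
    resp = json.loads(body)
    return {
        "version": resp["parameterVersion"],
        "raw": base64.b64decode(resp["payload"]["data"]).decode("utf-8"),
        "rendered": base64.b64decode(resp["renderedPayload"]).decode("utf-8"),
    }


def parse_kv_payload(text: str) -> dict:
    """Parse the simple 'key: value' lines used in the sample payloads (assumption)."""
    pairs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line without 'key: value' form: {line!r}")
        pairs[key.strip()] = value.strip()
    return pairs


def extract_secret_refs(raw_payload: str) -> list:
    """Return every Secret Manager resource referenced by __REF__(...)."""
    return REF_PATTERN.findall(raw_payload)


def parse_secret_resource(ref: str) -> dict:
    """Split a referenced resource name into project, location, secret and version."""
    match = RESOURCE_PATTERN.fullmatch(ref)
    if match is None:
        raise ValueError(f"not a Secret Manager version resource: {ref}")
    parts = match.groupdict()
    parts["location"] = parts["location"] or "global"
    return parts


def check_rendered_payload(raw: str, rendered: str) -> list:
    """Return a list of problems; an empty list means the rendering is consistent."""
    problems = []
    refs = extract_secret_refs(raw)
    if len(refs) > MAX_SECRET_REFS:
        problems.append(f"{len(refs)} secret references exceed the limit of {MAX_SECRET_REFS}")
    for ref in refs:
        try:
            parse_secret_resource(ref)
        except ValueError as exc:
            problems.append(str(exc))
    if "__REF__" in rendered:
        problems.append("rendered payload still contains an unresolved __REF__ marker")
    raw_keys = set(parse_kv_payload(raw))
    rendered_keys = set(parse_kv_payload(rendered))
    if raw_keys != rendered_keys:
        problems.append(f"key mismatch: raw={sorted(raw_keys)} rendered={sorted(rendered_keys)}")
    return problems


if __name__ == "__main__":
    decoded = decode_render_response(SAMPLE_RENDER_RESPONSE)
    print("parameter version:", decoded["version"])
    for ref in extract_secret_refs(decoded["raw"]):
        print("secret reference:", parse_secret_resource(ref))
    # Report only the consistency result; the rendered payload holds the plaintext
    # secret and should never be written to logs or stdout.
    print("problems:", check_rendered_payload(decoded["raw"], decoded["rendered"]))
```

The raw payload is safe to log and inspect because it carries only resource names; the rendered payload is the secret itself, so the script deliberately prints the check result rather than the decoded value. Keeping the two apart this way is the point of the reference model described at the top of the page: the reference can travel through config and tooling, while the plaintext exists only in the process that called :render.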

What's next