This page explains how to use Cloud Asset Inventory to monitor your secrets, export data for analysis, and run powerful queries to get the insights that you require.
Overview
Cloud Asset Inventory analyzes your Google Cloud environment and records any changes to your cloud resources, such as virtual machines, databases, storage buckets, and in this context, your Secret Manager secrets. The integration between Secret Manager and Cloud Asset Inventory helps you do the following:
- Run queries: Search for specific secrets or identify patterns across your secrets.
- Set up alerts: Configure Cloud Asset Inventory to send notifications to Pub/Sub when specific events occur, such as when secrets are created, modified, or deleted.
- Export data: Export your secret inventory to BigQuery for in-depth analysis and reporting.
- Manage and analyze your secrets: See all your secrets in one place (across projects and your entire organization) and identify secrets that might be misconfigured or violate your organization's security policies. For example, you can find secrets that are not rotated regularly or lack proper access controls.
This is an advanced task for Secret Manager users. Before reading this page, we recommend that you read the following:
- Secret Manager overview to understand the key concepts and features of Secret Manager
- Cloud Asset Inventory overview to understand Cloud Asset Inventory and to see its comprehensive asset management features
Querying Secret Manager
To analyze your secrets with SQL-like queries, we recommend that you export your secrets and secret versions to BigQuery. Secret Manager isn't integrated with Asset Search or Policy Analyzer. The sample queries on this page use the Google Cloud CLI and BigQuery to search your assets.
Limitations
Using Cloud Asset Inventory to analyze Secret Manager resources has the following limitation:
- Cloud Asset Inventory supports exporting and listing snapshots for only the past five weeks.
Monitor asset changes
Cloud Asset Inventory tracks real-time updates and supports monitoring these changes. You can configure feeds to send notifications to a set of configured Pub/Sub topics each time there's a modification to your resources. Additionally, Cloud Asset Inventory supports configuring conditions on your feeds, so that you can monitor specific changes for certain asset types. To learn how to trigger workflows on asset changes, see the Pub/Sub documentation.
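A feed configured as described above delivers one JSON document per change to the Pub/Sub topic. The handler below is an added example, not code from this page or from Google: it assumes the document has the TemporalAsset shape (asset, priorAsset, priorAssetState, deleted, window), names the change, and flags regressions a defender would want to alert on immediately rather than at the next snapshot. The sample message is constructed.

```python
import json

SECRET_TYPE = "secretmanager.googleapis.com/Secret"

# Constructed sample message (assumed TemporalAsset shape): a regional secret
# was updated so that its CMEK binding and rotation schedule are gone.
SAMPLE_FEED_MESSAGE = json.dumps({
    "asset": {
        "name": "//secretmanager.googleapis.com/projects/p/locations/us-central1/secrets/db-pass",
        "assetType": SECRET_TYPE,
        "resource": {"location": "us-central1",
                     "data": {"name": "projects/p/locations/us-central1/secrets/db-pass",
                              "createTime": "2024-01-10T12:00:00Z"}},
    },
    "priorAsset": {
        "name": "//secretmanager.googleapis.com/projects/p/locations/us-central1/secrets/db-pass",
        "assetType": SECRET_TYPE,
        "resource": {"location": "us-central1",
                     "data": {"name": "projects/p/locations/us-central1/secrets/db-pass",
                              "createTime": "2024-01-10T12:00:00Z",
                              "customerManagedEncryption": {
                                  "kmsKeyName": "projects/p/locations/us-central1/keyRings/r/cryptoKeys/k"},
                              "rotation": {"rotationPeriod": "2592000s"}}},
    },
    "priorAssetState": "PRESENT",
    "deleted": False,
    "window": {"startTime": "2024-02-20T09:30:00Z"},
})


def classify_change(message_json):
    """Name the change a feed message describes and list security regressions.

    Returns None for assets that are not Secret Manager secrets, so a handler
    subscribed to a broader feed can drop them cheaply.
    """
    msg = json.loads(message_json)
    asset = msg.get("asset") or {}
    prior = msg.get("priorAsset") or {}
    if (asset.get("assetType") or prior.get("assetType")) != SECRET_TYPE:
        return None
    if msg.get("deleted"):
        kind = "DELETED"
    elif msg.get("priorAssetState") == "DOES_NOT_EXIST" or not prior:
        kind = "CREATED"  # no prior state: the secret is new
    else:
        kind = "UPDATED"
    cur = asset.get("resource", {}).get("data", {})
    old = prior.get("resource", {}).get("data", {})
    regressions = []
    # A protective setting that existed before and is gone now is worth an alert.
    if kind == "UPDATED":
        if old.get("customerManagedEncryption") and not cur.get("customerManagedEncryption"):
            regressions.append("CMEK_REMOVED")
        if old.get("rotation") and not cur.get("rotation"):
            regressions.append("ROTATION_REMOVED")
        if old.get("expireTime") and not cur.get("expireTime"):
            regressions.append("EXPIRY_REMOVED")
    return {
        "name": asset.get("name") or prior.get("name"),
        "change": kind,
        "at": msg.get("window", {}).get("startTime"),
        "regressions": regressions,
    }


if __name__ == "__main__":
    print(classify_change(SAMPLE_FEED_MESSAGE))
```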
Export assets to BigQuery
Exporting your secrets and secret versions to BigQuery lets you run SQL-like queries over large amounts of data and produce meaningful insights about your assets. Before you export your assets, ensure that your dataset and service accounts are configured correctly.
To export your assets, run the following command:
gcloud
Before using any of the command data below, make the following replacements:
- CONTENT_TYPE: the asset content type (RESOURCE).
- PROJECT_ID: the ID of the project containing the secrets to be analyzed.
- SNAPSHOT_TIME: the time at which to snapshot resources. This may be between the current time and 5 weeks in the past.
- BIGQUERY_PROJECT_ID: the ID of the project that the BigQuery table is in.
- DATASET_ID: the ID of the BigQuery dataset.
- TABLE_NAME: the table you're exporting your metadata to. If it doesn't exist, it's created.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud asset export \
  --content-type=CONTENT_TYPE \
  --project=PROJECT_ID \
  --snapshot-time=SNAPSHOT_TIME \
  --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME \
  --output-bigquery-force
Windows (PowerShell)
gcloud asset export `
  --content-type=CONTENT_TYPE `
  --project=PROJECT_ID `
  --snapshot-time=SNAPSHOT_TIME `
  --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME `
  --output-bigquery-force
Windows (cmd.exe)
gcloud asset export ^
  --content-type=CONTENT_TYPE ^
  --project=PROJECT_ID ^
  --snapshot-time=SNAPSHOT_TIME ^
  --bigquery-table=projects/BIGQUERY_PROJECT_ID/datasets/DATASET_ID/tables/TABLE_NAME ^
  --output-bigquery-force
For more information, see Exporting to BigQuery.
Sample queries
Use these sample queries to find secrets and secret versions with specific properties.
Regional secrets created in the last two weeks
Find secrets (and their properties) that were added to your organization in the past two weeks.
BigQuery
SELECT name
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  AND DATE(JSON_VALUE(resource.data, '$.createTime')) > DATE_SUB(CURRENT_DATE(), INTERVAL 2 WEEK);
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.createTime>-P2W"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.createTime>-P2W"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.createTime>-P2W"
Regional secrets in a specific location
Find all secrets stored in a specific location, such as us-central1.
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location = "us-central1";
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
- LOCATION: the Google Cloud location of the secrets
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location = LOCATION"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location = LOCATION"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location = LOCATION"
Regional secret versions created over 180 days ago
List all secret versions that were created more than 180 days ago.
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/SecretVersion'
  AND resource.location <> "global"
  AND DATE(JSON_VALUE(resource.data, '$.createTime')) < DATE_SUB(CURRENT_DATE(), INTERVAL 180 DAY)
  AND JSON_VALUE(resource.data, '$.state') = "ENABLED";
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/SecretVersion' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.createTime < -P180D AND resource.data.state = ENABLED"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/SecretVersion' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.createTime < -P180D AND resource.data.state = ENABLED"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/SecretVersion' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.createTime < -P180D AND resource.data.state = ENABLED"
Regional secrets without CMEK configured
List all secrets that are not encrypted with customer-managed encryption keys (CMEK):
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  AND JSON_VALUE(resource.data, "$.customerManagedEncryption.kmsKeyName") IS NULL;
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.customerManagedEncryption = NULL"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.customerManagedEncryption = NULL"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.customerManagedEncryption = NULL"
Regional secrets with CMEK configured
List all secrets that are encrypted with CMEK.
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  AND JSON_VALUE(resource.data, "$.customerManagedEncryption.kmsKeyName") IS NOT NULL;
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.customerManagedEncryption != NULL"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.customerManagedEncryption != NULL"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.customerManagedEncryption != NULL"
Regional secrets encrypted with a specific CMEK
Find secrets that are encrypted with a specific CMEK.
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  AND JSON_VALUE(resource.data, "$.customerManagedEncryption.kmsKeyName") = "KMS_KEY_NAME";
Replace the following:
- BIGQUERY_TABLE: the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
- KMS_KEY_NAME: the ID of the key or fully qualified identifier for the key
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
- KMS_KEY_NAME: the ID of the key or fully qualified identifier for the key
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud beta asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.customerManagedEncryption.kmsKeyName=KMS_KEY_NAME"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud beta asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.customerManagedEncryption.kmsKeyName=KMS_KEY_NAME"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud beta asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.customerManagedEncryption.kmsKeyName=KMS_KEY_NAME"
Regional secret versions without CMEK configured
Find all enabled secret versions that are not encrypted with CMEK.
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/SecretVersion'
  AND resource.location <> "global"
  AND JSON_VALUE(resource.data, "$.customerManagedEncryption.kmsKeyVersionName") IS NULL
  AND JSON_VALUE(resource.data, "$.state") = "ENABLED";
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/SecretVersion' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="(resource.location != global AND resource.data.customerManagedEncryption.kmsKeyVersionName = NULL) AND resource.data.state=ENABLED"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/SecretVersion' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="(resource.location != global AND resource.data.customerManagedEncryption.kmsKeyVersionName = NULL) AND resource.data.state=ENABLED"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/SecretVersion' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="(resource.location != global AND resource.data.customerManagedEncryption.kmsKeyVersionName = NULL) AND resource.data.state=ENABLED"
Regional secret versions encrypted with a specific CMEK
List all enabled secret versions encrypted with a specific CMEK version.
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/SecretVersion'
  AND resource.location <> "global"
  AND JSON_VALUE(resource.data, "$.customerManagedEncryption.kmsKeyVersionName") = "KMS_KEY_VERSION_NAME"
  AND JSON_VALUE(resource.data, "$.state") = "ENABLED";
Replace the following:
- BIGQUERY_TABLE: the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
- KMS_KEY_VERSION_NAME: the Cloud Key Management Service key version number
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/SecretVersion' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="(resource.location != global AND resource.data.customerManagedEncryption.kmsKeyVersionName = KMS_KEY_VERSION_NAME) AND resource.data.state=ENABLED"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/SecretVersion' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="(resource.location != global AND resource.data.customerManagedEncryption.kmsKeyVersionName = KMS_KEY_VERSION_NAME) AND resource.data.state=ENABLED"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/SecretVersion' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="(resource.location != global AND resource.data.customerManagedEncryption.kmsKeyVersionName = KMS_KEY_VERSION_NAME) AND resource.data.state=ENABLED"
Regional secrets without rotation configured
Find all secrets that don't have a rotation schedule.
BigQuery
SELECT name
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  AND JSON_EXTRACT(resource.data, '$.rotation') IS NULL;
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.rotation = NULL"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.rotation = NULL"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.rotation = NULL"
Regional secrets with a specific rotation period
Find all secrets with a rotation period shorter than 90 days:
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  # rotationPeriod is a duration string such as "7776000s"; 86400 s in 1 day * 90 days
  AND CAST(TRIM(JSON_VALUE(resource.data, "$.rotation.rotationPeriod"), "s") AS INT64) < 86400 * 90;
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing the secrets to be analyzed
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
ROTATION_PERIOD_SECONDS=$((90 * 24 * 60 * 60))
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.rotation != null AND resource.data.rotation.rotationPeriod <= ${ROTATION_PERIOD_SECONDS}s"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$ROTATION_PERIOD_SECONDS = 90 * 24 * 60 * 60
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.rotation != null AND resource.data.rotation.rotationPeriod <= ${ROTATION_PERIOD_SECONDS}s"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
ROTATION_PERIOD_SECONDS=$((90 * 24 * 60 * 60))
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.rotation != null AND resource.data.rotation.rotationPeriod <= ${ROTATION_PERIOD_SECONDS}s"
Regional secrets that will expire in the next 30 days
List secrets that will expire in the next 30 days.
BigQuery
SELECT *
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  AND DATE(JSON_VALUE(resource.data, '$.expireTime')) < DATE_ADD(CURRENT_DATE(), INTERVAL 30 DAY);
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing assets to be monitored
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.expireTime < P30D"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.expireTime < P30D"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.expireTime < P30D"
Regional secrets with a Pub/Sub topic configured
List all secrets that have at least one Pub/Sub topic configured.
BigQuery
SELECT name, ARRAY_LENGTH(JSON_EXTRACT_ARRAY(resource.data, '$.topics')) AS topics_count
FROM BIGQUERY_TABLE
WHERE asset_type = 'secretmanager.googleapis.com/Secret'
  AND resource.location <> "global"
  AND ARRAY_LENGTH(JSON_EXTRACT_ARRAY(resource.data, '$.topics')) > 0;
Replace BIGQUERY_TABLE with the full path to the BigQuery table that you have exported all the assets to in the Export assets to BigQuery section of this document.
gcloud
Before using any of the command data below, make the following replacements:
- PROJECT_ID: the ID of the project containing assets to be monitored
Execute the following command:
Linux, macOS, or Cloud Shell
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID \
  --asset-types='secretmanager.googleapis.com/Secret' \
  --snapshot-time=$NOW \
  --content-type='resource' \
  --filter="resource.location != global AND resource.data.topics != NULL"
Windows (PowerShell)
$NOW = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
gcloud asset list --project=PROJECT_ID `
  --asset-types='secretmanager.googleapis.com/Secret' `
  --snapshot-time=$NOW `
  --content-type='resource' `
  --filter="resource.location != global AND resource.data.topics != NULL"
Windows (cmd.exe)
NOW=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
gcloud asset list --project=PROJECT_ID ^
  --asset-types='secretmanager.googleapis.com/Secret' ^
  --snapshot-time=$NOW ^
  --content-type='resource' ^
  --filter="resource.location != global AND resource.data.topics != NULL"
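The sample queries above each answer one question at a time. As an added example (not code from this page or from Google), the script below applies the same checks in one pass over the JSON that `gcloud asset list --content-type=resource --format=json` prints: it flags regional secrets that lack CMEK, lack a rotation schedule, rotate less often than every 90 days, expire within 30 days, or have no Pub/Sub topic. The two sample assets are constructed; the field names are the Secret resource fields the queries on this page already rely on.

```python
import json
from datetime import datetime, timedelta, timezone

SECRET_TYPE = "secretmanager.googleapis.com/Secret"
ROTATION_MAX_SECONDS = 90 * 24 * 60 * 60   # same threshold as the rotation query above
EXPIRY_WINDOW = timedelta(days=30)          # same window as the expiry query above

# Constructed sample: two regional secrets in the shape `gcloud asset list` emits.
SAMPLE_ASSETS_JSON = """[
  {"name": "//secretmanager.googleapis.com/projects/p/locations/us-central1/secrets/db-pass",
   "assetType": "secretmanager.googleapis.com/Secret",
   "resource": {"location": "us-central1",
                "data": {"name": "projects/p/locations/us-central1/secrets/db-pass",
                         "createTime": "2024-01-10T12:00:00.123456Z",
                         "customerManagedEncryption": {
                           "kmsKeyName": "projects/p/locations/us-central1/keyRings/r/cryptoKeys/k"},
                         "rotation": {"rotationPeriod": "2592000s"},
                         "topics": [{"name": "projects/p/topics/secret-events"}]}}},
  {"name": "//secretmanager.googleapis.com/projects/p/locations/us-central1/secrets/api-key",
   "assetType": "secretmanager.googleapis.com/Secret",
   "resource": {"location": "us-central1",
                "data": {"name": "projects/p/locations/us-central1/secrets/api-key",
                         "createTime": "2023-06-01T00:00:00Z",
                         "expireTime": "2024-03-15T00:00:00Z",
                         "rotation": {"rotationPeriod": "15552000s"}}}}
]"""


def parse_rfc3339(ts):
    """Parse the RFC 3339 UTC timestamps Secret Manager emits (fractional seconds allowed)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def rotation_seconds(data):
    """rotationPeriod is a protobuf Duration string such as '7776000s'; None if unset."""
    period = data.get("rotation", {}).get("rotationPeriod")
    return int(float(period.rstrip("s"))) if period else None


def audit_secret(asset, now):
    """Return the policy findings for one Secret asset (empty list if it is clean)."""
    findings = []
    resource = asset["resource"]
    data = resource.get("data", {})
    if resource.get("location", "global") == "global":
        return findings  # the queries on this page cover regional secrets only
    if "kmsKeyName" not in data.get("customerManagedEncryption", {}):
        findings.append("NO_CMEK")
    period = rotation_seconds(data)
    if period is None:
        findings.append("NO_ROTATION")
    elif period > ROTATION_MAX_SECONDS:
        findings.append("ROTATION_OVER_90D")
    expire = data.get("expireTime")
    if expire and parse_rfc3339(expire) < now + EXPIRY_WINDOW:
        findings.append("EXPIRES_WITHIN_30D")
    if not data.get("topics"):
        findings.append("NO_PUBSUB_TOPIC")
    return findings


def audit_assets(assets_json, now=None):
    """Map each Secret asset name to its findings; secrets with no findings are omitted."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for asset in json.loads(assets_json):
        if asset.get("assetType") != SECRET_TYPE:
            continue  # ignore SecretVersion and other asset types in the same listing
        findings = audit_secret(asset, now)
        if findings:
            report[asset["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_assets(SAMPLE_ASSETS_JSON).items():
        print(name, ", ".join(findings))
```

To run it against a real project, pipe the output of the page's `gcloud asset list` command (with `--format=json`) into `audit_assets`.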
What's next
- Learn about best practices.