Enable the Secret Manager API

Secret Manager exposes a REST API and a gRPC API for using and managing secrets directly or in your applications. This page describes how to enable the Secret Manager API and configure your Google Cloud project to use Secret Manager for the first time.

When you are becoming familiar with Secret Manager, we recommend using a separate Google Cloud project. Deleting the project also deletes all resources created during testing, including billable resources.

If you are developing an application in an IDE with Cloud Code installed, Secret Manager comes integrated into the extension. This means that you can create, view, update, and use secrets without having to leave your IDE. For more on using Secret Manager with Cloud Code, refer to the secret managing guide for your preferred IDE: VS Code, IntelliJ, or Cloud Shell Editor.

Before you begin

  1. In the Google Cloud console, go to the project selector page.

  2. Select or create a Google Cloud project.

Enable the Secret Manager API

Console

  1. In the Google Cloud console, go to the Secret Manager API page.

  2. Verify that the name of your project appears in the project selector at the top of the page.

    If you don't see the name of your project, click the project selector, and then select your project.

  3. Click Enable.

gcloud

  1. In the Google Cloud console, activate Cloud Shell.

    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. To set your Google Cloud project in the gcloud session, run the gcloud config set project command. Replace PROJECT_ID with your Google Cloud project ID.
    gcloud config set project PROJECT_ID
  3. To enable the Secret Manager API, run the gcloud services enable command:
    gcloud services enable secretmanager.googleapis.com
  4. To verify that the Secret Manager API is enabled, run the gcloud services list command:
    gcloud services list --enabled

    Verify that the Secret Manager API appears in the list of enabled APIs.

Configure Secret Manager to use a regional endpoint

To create regional secrets, you must configure Secret Manager to use regional endpoints. Regional endpoints are request endpoints that only allow requests to proceed if the affected resource exists in the location specified by the endpoint. Using regional endpoints lets you run your workloads in a manner that complies with data residency and data sovereignty requirements.

Regional endpoints use the following format:

SERVICE_NAME.LOCATION.rep.googleapis.com

To use regional endpoints, you must update your configuration with the regional endpoint address. The steps depend on how you access the Secret Manager service.

gcloud

To configure the Google Cloud CLI to use regional endpoints, complete the following steps:

  1. Make sure you're using the Google Cloud CLI 402.0.0 or newer.

  2. Set the api_endpoint_overrides/secretmanager property to the regional endpoint you want to use:

    gcloud config set api_endpoint_overrides/secretmanager https://secretmanager.LOCATION.rep.googleapis.com/

    Replace LOCATION with the name of the supported Google Cloud location, such as me-central2.

REST

To connect to the Secret Manager service using the API, replace the generic API endpoint URL (https://secretmanager.googleapis.com/v1/) with the specific regional endpoint that you want to use. Regional endpoints use the following format:

https://secretmanager.LOCATION.rep.googleapis.com/v1/

Replace LOCATION with the name of the supported Google Cloud location, such as me-central2.

To see which locations are supported, see Secret Manager locations.
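
If the override is unset or points at a different host, gcloud requests do not go to the regional endpoint you intended. The following pre-flight check is an added example, not part of the Secret Manager documentation; the function names are hypothetical, and it assumes location names contain only lowercase letters, digits, and hyphens.

```sh
# Added example: confirm the gcloud endpoint override pins Secret Manager
# requests to the expected regional endpoint before creating regional secrets.

# Build the regional endpoint URL in the format shown above.
regional_endpoint() {
  printf 'https://secretmanager.%s.rep.googleapis.com/\n' "$1"
}

# Print the LOCATION embedded in a Secret Manager regional endpoint URL.
# Fails for the global endpoint, an unset value, or any other host.
endpoint_location() {
  _host="${1#https://}"
  [ "$_host" != "$1" ] || return 1      # reject anything that is not https
  _host="${_host%%/*}"                  # keep the host, drop the path
  case "$_host" in
    secretmanager.*.rep.googleapis.com) ;;
    *) return 1 ;;
  esac
  _loc="${_host#secretmanager.}"
  _loc="${_loc%.rep.googleapis.com}"
  # Assumption: a location is a single label of lowercase letters, digits, hyphens.
  case "$_loc" in
    ''|*[!a-z0-9-]*) return 1 ;;
  esac
  printf '%s\n' "$_loc"
}

# Succeed only if the override URL targets the expected location.
override_matches() {
  _actual="$(endpoint_location "$1")" || return 1
  [ "$_actual" = "$2" ]
}

# Read the active gcloud configuration and check it (requires gcloud).
preflight() {
  _want="$1"
  _override="$(gcloud config get-value api_endpoint_overrides/secretmanager 2>/dev/null)"
  if override_matches "$_override" "$_want"; then
    echo "OK: Secret Manager requests go to $_override"
  else
    echo "FAIL: override is '${_override:-unset}'; expected $(regional_endpoint "$_want")" >&2
    return 1
  fi
}
```

Source the file and run `preflight me-central2` in the shell where you use gcloud; a non-zero exit status means the override is missing or targets another location.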

Configure roles and permissions

To get the permissions that you need to set up Secret Manager, ask your administrator to grant you the Secret Manager Admin (roles/secretmanager.admin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For more information about access control for Secret Manager, see Access control with IAM.
