This page describes how to delete a secret and all of its versions.
To delete only a secret version, see Destroy a regional secret version.
Required roles
To get the permissions that you need to delete a secret,
ask your administrator to grant you the
Secret Manager Admin (roles/secretmanager.admin
) IAM role on the secret, project, folder, or organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Delete a secret
To delete a secret, use one of the following methods:
Console
-
Go to the Secret Manager page in the Google Cloud console.
-
On the Secret Manager page, click the Regional secrets tab.
-
Select the secret that you want to delete.
-
Click
Actions, and then click Delete. -
In the confirmation dialog that appears, enter the name of the secret, and then click Delete secret.
gcloud
Before using any of the command data below, make the following replacements:
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
- LOCATION: the Google Cloud location of the secret
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud secrets delete SECRET_ID \ --location=LOCATION
Windows (PowerShell)
gcloud secrets delete SECRET_ID ` --location=LOCATION
Windows (cmd.exe)
gcloud secrets delete SECRET_ID ^ --location=LOCATION
The response returns the secret.
REST
Before using any of the request data, make the following replacements:
- LOCATION: the Google Cloud location of the secret
- PROJECT_ID: the Google Cloud project ID
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
HTTP method and URL:
DELETE https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID
Request JSON body:
{}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{}
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.