This page describes how you can destroy a secret version. In the destroyed state, the secret version's contents are discarded. Destroying a secret version is a permanent action. After a version is destroyed, you can't access the secret data or restore the version to another state.
Before destroying a secret version, try disabling it first and observe your application's behavior. You can re-enable the secret version if you encounter unexpected issues.
When you disable or destroy a secret or secret version, the change takes time to propagate through the system. If necessary, you can revoke access to the secret. Changes to IAM permissions are consistent within seconds.
Required roles
To get the permissions that you need to destroy a secret version,
ask your administrator to grant you the
Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager
) IAM role on a secret.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Destroy a secret version
To destroy a secret version, use one of the following methods:
Console
-
Go to the Secret Manager page in the Google Cloud console.
-
On the Secret Manager page, click the Regional secrets tab, and then click a secret to access its versions.
-
On the secret details page, in the Versions tab, select the secret version that you want to destroy.
-
Click
Actions, and then click Destroy. -
In the confirmation dialog that appears, enter the secret ID to confirm, and then click Destroy selected versions.
gcloud
Before using any of the command data below, make the following replacements:
- VERSION_ID: the resource name of the secret version
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
- LOCATION: the Google Cloud location of the secret
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud secrets versions destroy VERSION_ID --secret=SECRET_ID --location=LOCATION
Windows (PowerShell)
gcloud secrets versions destroy VERSION_ID --secret=SECRET_ID --location=LOCATION
Windows (cmd.exe)
gcloud secrets versions destroy VERSION_ID --secret=SECRET_ID --location=LOCATION
REST
Before using any of the request data, make the following replacements:
- LOCATION: the Google Cloud location of the secret
- PROJECT_ID: the Google Cloud project ID
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
- VERSION_ID: the ID of the secret version
HTTP method and URL:
POST https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID/versions/VERSION_ID:destroy
Request JSON body:
{}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID/versions/VERSION_ID:destroy"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID/versions/VERSION_ID:destroy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "name": "projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID/versions/VERSION_ID", "createTime": "2024-09-02T07:16:34.566706Z", "destroyTime": "2024-09-04T06:29:01.893743728Z", "state": "DESTROYED", "etag": "\"1621454a37ce7f\"" }
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Delayed destruction of secret versions
Users with the Secret Manager Admin role can set up delayed destruction of secret versions by configuring the Delay secret version destroy feature on the secret. If this feature is enabled, the secret version isn't immediately destroyed upon request. Instead, the secret version is disabled and scheduled for destruction at a later date. During this time, the Secret Manager Admin can restore the secret version.