This page explains the key differences between the global and regional service of Secret Manager.
The global service is the default configuration for Secret Manager. You can start using the service with default settings and the standard API endpoint. The secret data is replicated across multiple regions and secrets can be accessed from any region where Google Cloud platform operates.
For organizations with stringent data sovereignty and compliance requirements, Secret Manager offers a regional service where you can choose to store your data solely within specific geographical locations or data residency zones (DRZs). Secrets can only be accessed from within that specific region. To access the regional service, you'll require a regional endpoint associated with the data residency zone.
The following table explains the key differences between the global and regional service.
Feature | Global service | Regional service |
---|---|---|
Data residency | User managed replication to specific regions or automatic replication without any restriction. | Data is stored in a single location. Complete data residency zone (DRZ) compliance with data at-rest, in-use, and in-transit. |
Endpoints | Single, global endpoint | Regional endpoints |
Cross-region access | Possible with both user managed replication and automatic replication. | Not possible. Secret data is tightly restricted to your region of choice and doesn't flow outside its boundaries. |
Use cases |
General secret management
|
Strict data residency requirements
|
Not all organizations are subject to stringent DRZ regulations on where data is stored or accessed, and not all data might fall into the sensitive category to be subject to the DRZ regulations. So depending upon the sensitivity of the data being handled, you can choose either between the regional or global service.
If your organization must adhere to specific data residency regulations, choose the regional service as it ensures that your secret data doesn't leave the designated region. If your application requires high availability and the ability to access secrets from anywhere, the global service might be more suitable due to its multi-region replication.
For information about the global Secret Manager service, see the global service documentation.