This page describes how to manage access to a regional secret, including the secret material. To learn more about access controls and permissions, see Access control with IAM.
Required roles
To get the permissions that you need to manage access to secrets,
ask your administrator to grant you the
Secret Manager Admin (roles/secretmanager.admin
) IAM role on the secret, project, folder, or
organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Grant access
To grant access to a secret, use one of the following methods:
Console
-
Go to the Secret Manager page in the Google Cloud console.
-
Go to the Regional secrets tab. To select a secret, click the checkbox next to the name of the secret.
-
If it is not already open, click Show Info Panel to open the panel.
-
In the info panel, click Add Principal.
-
In the New principals field, enter the email address(es) of the members to add.
-
In the Select a role list, choose Secret Manager, and then select Secret Manager Secret Accessor.
gcloud
Before using any of the command data below, make the following replacements:
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
- LOCATION: the Google Cloud location of the secret
- MEMBER: the IAM member, such as a user, group, or service account
Execute the following command:
Linux, macOS, or Cloud Shell
ggcloud secrets add-iam-policy-binding SECRET_ID --location=LOCATION \ --member="MEMBER" \ --role="roles/secretmanager.secretAccessor"
Windows (PowerShell)
ggcloud secrets add-iam-policy-binding SECRET_ID --location=LOCATION ` --member="MEMBER" ` --role="roles/secretmanager.secretAccessor"
Windows (cmd.exe)
ggcloud secrets add-iam-policy-binding SECRET_ID --location=LOCATION ^ --member="MEMBER" ^ --role="roles/secretmanager.secretAccessor"
REST
Note: Unlike the other examples, this replaces the entire IAM policy.
Before using any of the request data, make the following replacements:
- LOCATION: the Google Cloud location of the secret
- PROJECT_ID: the Google Cloud project that contains the secret
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
- MEMBER: the IAM member, such as a user, group, or service account
HTTP method and URL:
POST https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy
Request JSON body:
{"policy": {"bindings": [{"members": ["MEMBER"], "role": "roles/secretmanager.secretAccessor"}]}}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "version": 1, "etag": "BwYhOrAmWFQ=", "bindings": [ { "role": "roles/secretmanager.secretAccessor", "members": [ "user:username@google.com" ] } ] }
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Revoke access
To revoke access from a secret, use one of the following methods:
Console
-
Go to the Secret Manager page in the Google Cloud console.
-
Go to the Regional secrets tab. To select a secret, click the checkbox next to the name of the secret.
-
If it is not already open, click Show Info Panel to open the panel.
-
In the info panel, click the expander arrow next to the user role to see a list of the users or service accounts with access to that role.
-
To remove the user or service account, click
Delete next to service account or user ID. -
In the confirmation dialog that appears, click Remove.
gcloud
Before using any of the command data below, make the following replacements:
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
- LOCATION: the Google Cloud location of the secret
- MEMBER: the IAM member, such as a user, group, or service account
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud secrets remove-iam-policy-binding SECRET_ID --location=LOCATION \ --member="MEMBER" \ --role="roles/secretmanager.secretAccessor"
Windows (PowerShell)
gcloud secrets remove-iam-policy-binding SECRET_ID --location=LOCATION ` --member="MEMBER" ` --role="roles/secretmanager.secretAccessor"
Windows (cmd.exe)
gcloud secrets remove-iam-policy-binding SECRET_ID --location=LOCATION ^ --member="MEMBER" ^ --role="roles/secretmanager.secretAccessor"
REST
Note: Unlike the other examples, this replaces the entire IAM policy.
Before using any of the request data, make the following replacements:
- LOCATION: the Google Cloud location of the secret
- PROJECT_ID: the Google Cloud project ID
- SECRET_ID: the ID of the secret or fully qualified identifier for the secret
HTTP method and URL:
POST https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy
Request JSON body:
{"policy": {"bindings": []}}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{ "version": 1, "etag": "BwYhOtzsOBk=" }
Go
To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Java
To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Node.js
To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
Python
To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.
What's next
- Set expiration date for a regional secret
- Create rotation schedules
- Set up notifications on a regional secret