Secret names are project-global resources, but secret data is stored in regions. You can choose the specific regions in which your secret data is stored, or let Secret Manager choose them for you. Either way, replication of the secret data is handled automatically.
Secret data is immutable, and most operations act on secret versions. With Secret Manager, a client can pin a specific version, such as "42", or use a floating alias such as "latest."
Cloud IAM integration
Control access to secrets the same way you control access to other Google Cloud resources. Only project owners have permission to access Secret Manager secrets; other roles must explicitly be granted permissions through Cloud IAM.
With Cloud Audit Logs enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.
Encrypted by default
Data is encrypted in transit with TLS and at rest with 256-bit AES encryption keys.
VPC Service Controls support
Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.
Powerful and extensible
Secret Manager's API-first design makes it easy to extend and integrate into existing systems. It is also integrated into popular third-party technologies like HashiCorp Terraform and GitHub Actions.
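As an added illustration (not code from this page or from Google), the Terraform configuration below ties the points above together: user-managed replication to two chosen regions, an immutable secret version, an explicit grant of the accessor role to a single workload identity, data-access audit logging for Secret Manager, and a consumer pinned to a specific version instead of "latest". The project id, secret name, regions and service account are placeholders.

```hcl
# Added example (not Google's code); project id, secret name, regions and service account are placeholders.
variable "db_password" {
  type      = string
  sensitive = true # supplied out of band, never hard-coded in .tf files
}

# Secret name is project-global; data is replicated only to the regions listed here.
resource "google_secret_manager_secret" "db_password" {
  project   = "PROJECT_ID" # placeholder
  secret_id = "db-password"
  replication {
    user_managed {
      replicas { location = "us-central1" }
      replicas { location = "europe-west1" }
    }
  }
}

# Secret data is immutable: a change means a new version, never an edit in place.
# A version in the ENABLED or DISABLED state is billed as active.
resource "google_secret_manager_secret_version" "db_password_v1" {
  secret      = google_secret_manager_secret.db_password.id
  secret_data = var.db_password
  enabled     = true
}

# Only project owners can read the secret until a grant exists: give only the
# accessor role, only on this secret, only to the workload identity that needs it.
resource "google_secret_manager_secret_iam_member" "app_accessor" {
  project   = "PROJECT_ID" # placeholder
  secret_id = google_secret_manager_secret.db_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com" # placeholder
}

# Data-access audit logs are not on by default; enable them so every secret
# read produces an audit entry that can be fed to anomaly detection.
resource "google_project_iam_audit_config" "secretmanager" {
  project = "PROJECT_ID" # placeholder
  service = "secretmanager.googleapis.com"
  audit_log_config { log_type = "DATA_READ" }
}

# Pin consumers to the version created above; "latest" would be the floating alias.
data "google_secret_manager_secret_version" "db_password_pinned" {
  project = "PROJECT_ID" # placeholder
  secret  = google_secret_manager_secret.db_password.secret_id
  version = google_secret_manager_secret_version.db_password_v1.version
}
```

The pinned data source fails closed at plan time if the referenced version is missing or disabled, which is the behaviour you want from a consumer that must not silently pick up a different secret value.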
When you use Secret Manager, you are charged for operations and active secret versions. A version is active if it is in the ENABLED or DISABLED state.