Secret Manager API Connector Overview

The Workflows connector defines the built-in functions that can be used to access other Google Cloud products within a workflow.

This page provides an overview of the individual connector. There is no need to import or load connector libraries in a workflow—connectors work out of the box when used in a call step.

Secret Manager API

Stores sensitive data such as API keys, passwords, and certificates. Provides convenience while improving security. To learn more, see the Secret Manager API documentation.

Helper methods

You can use the helper method accessString to retrieve the secret data as a string. This is simpler than using the access API as the secret data is automatically decoded to a string format. To learn more, see the accessString documentation.

You can use the helper method addVersionString to add a new secret value to an existing secret. This is simpler than using the addVersion API as the secret data is automatically encoded to a base-64 string, which is required by addVersion. To learn more, see the addVersionString documentation.

In addition to using a call step, you can call the helper methods in an expression like this:

${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}

Secret Manager connector sample

YAML

# This workflow demonstrates how to use the Secret Manager connector:
# Retrieve a secret using three different methods
# Expected output: the secret data (thrice)
- init:
    assign:
      - project_id: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - secret_id: "test-secret"  # Make sure you have this secret and it has a version of 1.
      - version: "1"
# Add data to an existing secret without base-64 encoding
- add_version_string:
    call: googleapis.secretmanager.v1.projects.secrets.addVersionString
    args:
      secret_id: ${secret_id}
      project_id: ${project_id}
      data: "a new secret"
# Retrieve the secret in string format without base-64 decoding and assume
# that the secret data is a valid UTF-8 string; if not, raise an error
- access_string_secret:
    call: googleapis.secretmanager.v1.projects.secrets.versions.accessString
    args:
      secret_id: ${secret_id}
      version: ${version}  # if not set, "latest" is used
      project_id: ${project_id}
    result: str_secret
# Retrieve the secret in string format without base-64 decoding
- access_secret:
    call: googleapis.secretmanager.v1.projects.secrets.versions.access
    args:
      name: ${"projects/" + project_id + "/secrets/" + secret_id + "/versions/" + version}
    result: base64_encoded_secret
# Retrieve the secret using positional arguments in an expression
- expression:
    assign:
      - secret_str_from_exp: ${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}
- the_end:
    return:
      - ${str_secret}
      - ${text.decode(base64.decode(base64_encoded_secret.payload.data))}
      - ${secret_str_from_exp}

JSON

[
  {
    "init": {
      "assign": [
        {
          "project_id": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "secret_id": "test-secret"
        },
        {
          "version": "1"
        }
      ]
    }
  },
  {
    "add_version_string": {
      "call": "googleapis.secretmanager.v1.projects.secrets.addVersionString",
      "args": {
        "secret_id": "${secret_id}",
        "project_id": "${project_id}",
        "data": "a new secret"
      }
    }
  },
  {
    "access_string_secret": {
      "call": "googleapis.secretmanager.v1.projects.secrets.versions.accessString",
      "args": {
        "secret_id": "${secret_id}",
        "version": "${version}",
        "project_id": "${project_id}"
      },
      "result": "str_secret"
    }
  },
  {
    "access_secret": {
      "call": "googleapis.secretmanager.v1.projects.secrets.versions.access",
      "args": {
        "name": "${\"projects/\" + project_id + \"/secrets/\" + secret_id + \"/versions/\" + version}"
      },
      "result": "base64_encoded_secret"
    }
  },
  {
    "expression": {
      "assign": [
        {
          "secret_str_from_exp": "${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}"
        }
      ]
    }
  },
  {
    "the_end": {
      "return": [
        "${str_secret}",
        "${text.decode(base64.decode(base64_encoded_secret.payload.data))}",
        "${secret_str_from_exp}"
      ]
    }
  }
]

Module: googleapis.secretmanager.v1.projects.locations

Functions
`get`	Gets information about a location.
`list`	Lists information about the supported locations for this service.

Module: googleapis.secretmanager.v1.projects.secrets

Functions
`addVersion`	Creates a new SecretVersion containing secret data and attaches it to an existing Secret.
`addVersionBytes`	Creates a new SecretVersion containing secret data. The secret data needs to be in bytes format.
`addVersionString`	Creates a new SecretVersion containing secret data. The secret data needs to be in string format.
`create`	Creates a new Secret containing no SecretVersions.
`delete`	Deletes a Secret.
`get`	Gets metadata for a given Secret.
`getIamPolicy`	Gets the access control policy for a secret. Returns empty policy if the secret exists and does not have a policy set.
`list`	Lists Secrets.
`patch`	Updates metadata of an existing Secret.
`setIamPolicy`	Sets the access control policy on the specified secret. Replaces any existing policy. Permissions on SecretVersions are enforced according to the policy set on the associated Secret.
`testIamPermissions`	Returns permissions that a caller has for the specified secret. If the secret does not exist, this call returns an empty set of permissions, not a NOT_FOUND error. Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

Module: googleapis.secretmanager.v1.projects.secrets.versions

Functions
`access`	Accesses a SecretVersion. This call returns the secret data. `projects//secrets//versions/latest` is an alias to the most recently created SecretVersion.
`accessBytes`	Accesses the secret value in bytes.
`accessRaw`	Should be removed and not recommended to use as it enforces UTF-8 conversion that could corrupt user's secret.
`accessString`	Accesses the secret value in string format. If the secret contains characters not in UTF-8 format, an error is raised.
`destroy`	Destroys a SecretVersion. Sets the state of the SecretVersion to DESTROYED and irrevocably destroys the secret data.
`disable`	Disables a SecretVersion. Sets the state of the SecretVersion to DISABLED.
`enable`	Enables a SecretVersion. Sets the state of the SecretVersion to ENABLED.
`get`	Gets metadata for a SecretVersion. `projects//secrets//versions/latest` is an alias to the most recently created SecretVersion.
`list`	Lists SecretVersions. This call does not return secret data.