Secret Manager API Connector Overview

The Workflows connector defines the built-in functions that can be used to access other Google Cloud products within a workflow.

This page provides an overview of the Secret Manager connector. There is no need to import or load connector libraries in a workflow—connectors work out of the box when used in a call step.

Secret Manager API

Stores sensitive data such as API keys, passwords, and certificates. Provides convenience while improving security. To learn more, see the Secret Manager API documentation.

Helper methods

You can use the helper method accessString to retrieve the secret data as a string. This is simpler than using the access API as the secret data is automatically decoded to a string format. To learn more, see the accessString documentation.

You can use the helper method addVersionString to add a new secret value to an existing secret. This is simpler than using the addVersion API as the secret data is automatically encoded to a base-64 string, which is required by addVersion. To learn more, see the addVersionString documentation.

In addition to using a call step, you can call the helper methods in an expression like this:

${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}

Secret Manager connector sample

YAML

# This workflow demonstrates how to use the Secret Manager connector:
# Retrieve a secret using three different methods
# Expected output: the secret data (thrice)
- init:
    assign:
      - project_id: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
      - secret_id: "test-secret"  # Make sure you have this secret and it has a version of 1.
      - version: "1"
# Add data to an existing secret without base-64 encoding
- add_version_string:
    call: googleapis.secretmanager.v1.projects.secrets.addVersionString
    args:
      secret_id: ${secret_id}
      project_id: ${project_id}
      data: "a new secret"
# Retrieve the secret in string format without base-64 decoding and assume
# that the secret data is a valid UTF-8 string; if not, raise an error
- access_string_secret:
    call: googleapis.secretmanager.v1.projects.secrets.versions.accessString
    args:
      secret_id: ${secret_id}
      version: ${version}  # if not set, "latest" is used
      project_id: ${project_id}
    result: str_secret
# Retrieve the secret with the access API; the payload data comes back
# base-64 encoded and is decoded in the final step
- access_secret:
    call: googleapis.secretmanager.v1.projects.secrets.versions.access
    args:
      name: ${"projects/" + project_id + "/secrets/" + secret_id + "/versions/" + version}
    result: base64_encoded_secret
# Retrieve the secret using positional arguments in an expression
- expression:
    assign:
      - secret_str_from_exp: ${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}
- the_end:
    return:
      - ${str_secret}
      - ${text.decode(base64.decode(base64_encoded_secret.payload.data))}
      - ${secret_str_from_exp}

JSON

[
  {
    "init": {
      "assign": [
        {
          "project_id": "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}"
        },
        {
          "secret_id": "test-secret"
        },
        {
          "version": "1"
        }
      ]
    }
  },
  {
    "add_version_string": {
      "call": "googleapis.secretmanager.v1.projects.secrets.addVersionString",
      "args": {
        "secret_id": "${secret_id}",
        "project_id": "${project_id}",
        "data": "a new secret"
      }
    }
  },
  {
    "access_string_secret": {
      "call": "googleapis.secretmanager.v1.projects.secrets.versions.accessString",
      "args": {
        "secret_id": "${secret_id}",
        "version": "${version}",
        "project_id": "${project_id}"
      },
      "result": "str_secret"
    }
  },
  {
    "access_secret": {
      "call": "googleapis.secretmanager.v1.projects.secrets.versions.access",
      "args": {
        "name": "${\"projects/\" + project_id + \"/secrets/\" + secret_id + \"/versions/\" + version}"
      },
      "result": "base64_encoded_secret"
    }
  },
  {
    "expression": {
      "assign": [
        {
          "secret_str_from_exp": "${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}"
        }
      ]
    }
  },
  {
    "the_end": {
      "return": [
        "${str_secret}",
        "${text.decode(base64.decode(base64_encoded_secret.payload.data))}",
        "${secret_str_from_exp}"
      ]
    }
  }
]

Module: googleapis.secretmanager.v1.projects.locations

Functions
get Gets information about a location.
list Lists information about the supported locations for this service.

Module: googleapis.secretmanager.v1.projects.secrets

Functions
addVersion Creates a new SecretVersion containing secret data and attaches it to an existing Secret.
addVersionBytes Creates a new SecretVersion containing secret data. The secret data needs to be in bytes format.
addVersionString Creates a new SecretVersion containing secret data. The secret data needs to be in string format.
create Creates a new Secret containing no SecretVersions.
delete Deletes a Secret.
get Gets metadata for a given Secret.
getIamPolicy Gets the access control policy for a secret. Returns empty policy if the secret exists and does not have a policy set.
list Lists Secrets.
patch Updates metadata of an existing Secret.
setIamPolicy Sets the access control policy on the specified secret. Replaces any existing policy. Permissions on SecretVersions are enforced according to the policy set on the associated Secret.
testIamPermissions Returns permissions that a caller has for the specified secret. If the secret does not exist, this call returns an empty set of permissions, not a NOT_FOUND error. Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

Module: googleapis.secretmanager.v1.projects.secrets.versions

Functions
access Accesses a SecretVersion. This call returns the secret data. projects/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion.
accessBytes Accesses the secret value in bytes.
accessRaw Slated for removal and not recommended: it forces a UTF-8 conversion that can corrupt the user's secret data.
accessString Accesses the secret value in string format. If the secret contains characters not in UTF-8 format, an error is raised.
destroy Destroys a SecretVersion. Sets the state of the SecretVersion to DESTROYED and irrevocably destroys the secret data.
disable Disables a SecretVersion. Sets the state of the SecretVersion to DISABLED.
enable Enables a SecretVersion. Sets the state of the SecretVersion to ENABLED.
get Gets metadata for a SecretVersion. projects/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion.
list Lists SecretVersions. This call does not return secret data.
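The helper-method section above and the access, accessBytes, accessString and accessRaw entries in this module all turn on one detail: the access API returns the secret bytes base-64 encoded under payload.data, and the string helpers add a UTF-8 decode on top of that. The following Python block is an added example, not connector code and not part of the original page; it models those decoding steps locally (the function names access_bytes, access_string and access_raw_lossy are this example's own, and the sample payloads are constructed) so the UTF-8 failure mode for a binary secret can be seen without calling Secret Manager.

```python
import base64
from typing import Dict


def make_access_response(secret_bytes: bytes) -> Dict[str, Dict[str, str]]:
    # Constructed stand-in for the object the versions.access call returns:
    # the secret bytes arrive base-64 encoded under payload.data, which is
    # what the sample workflow's final return step decodes.
    return {"payload": {"data": base64.b64encode(secret_bytes).decode("ascii")}}


def version_name(project_id: str, secret_id: str, version: str = "latest") -> str:
    # Same resource name the sample builds for the access_secret step;
    # "latest" is the alias for the most recently created version.
    return f"projects/{project_id}/secrets/{secret_id}/versions/{version}"


def encode_for_add_version(data: str) -> str:
    # What addVersionString does for you: addVersion requires base-64 input.
    return base64.b64encode(data.encode("utf-8")).decode("ascii")


def access_bytes(response: Dict[str, Dict[str, str]]) -> bytes:
    # Model of accessBytes: base-64 decode only, no character-set assumption.
    return base64.b64decode(response["payload"]["data"], validate=True)


def access_string(response: Dict[str, Dict[str, str]]) -> str:
    # Model of accessString: base-64 decode, then strict UTF-8 decode.
    # A secret that is not valid UTF-8 raises instead of being altered.
    return access_bytes(response).decode("utf-8", errors="strict")


def access_raw_lossy(response: Dict[str, Dict[str, str]]) -> str:
    # Model of why a forced UTF-8 conversion is dangerous: with replacement,
    # invalid bytes become U+FFFD and the secret is silently changed.
    return access_bytes(response).decode("utf-8", errors="replace")


def demo() -> Dict[str, object]:
    # Text secret, as written by the sample's add_version_string step.
    text_secret = make_access_response(
        base64.b64decode(encode_for_add_version("a new secret"))
    )
    # Constructed binary secret (think raw key material) that is not UTF-8.
    binary_bytes = bytes([0x00, 0xFF, 0xFE, 0x80, 0x41])
    binary_secret = make_access_response(binary_bytes)

    results: Dict[str, object] = {}
    results["string_ok"] = access_string(text_secret)
    results["bytes_ok"] = access_bytes(binary_secret) == binary_bytes
    try:
        access_string(binary_secret)
        results["string_on_binary"] = "no error"
    except UnicodeDecodeError:
        # This is the error accessString is documented to raise.
        results["string_on_binary"] = "UnicodeDecodeError"
    # Round-tripping the lossy string does not reproduce the original bytes.
    lossy = access_raw_lossy(binary_secret)
    results["raw_corrupts"] = lossy.encode("utf-8") != binary_bytes
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The practical rule this illustrates: use accessString only for secrets you know are text (passwords, tokens, PEM files), and accessBytes for anything binary, so that a decode failure surfaces as an error in the workflow rather than as corrupted key material downstream.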