# This workflow demonstrates how to use the Cloud Secret Manager connector to.
# retrieve a secret.
# Expected successful output: the secret data.
- init:
assign:
- project_id: ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")}
- secret_id: "test-secret" # Make sure you have this secret and it has a version of 1.
- version: "1"
# We provide a helper method to add a secret data to an existing secret without base-64 encoding.
- add_version_string:
call: googleapis.secretmanager.v1.projects.secrets.addVersionString
args:
secret_id: ${secret_id}
project_id: ${project_id}
data: "a new secret"
# We provide a helper method to access the secret in string format without base-64 decoding.
# To compare the usage between accessRaw() and access(), we list two demo steps to retrieve
# the same secret below.
#
# accessString assumes the secret data is a valid UTF-8 string and if it detects non-UTF-8
# bytes, an error will be raised.
- access_string_secret:
call: googleapis.secretmanager.v1.projects.secrets.versions.accessString
args:
secret_id: ${secret_id}
version: ${version} # If not set, "latest" will be used.
project_id: ${project_id}
result: str_secret
- access_secret:
call: googleapis.secretmanager.v1.projects.secrets.versions.access
args:
name: ${"projects/" + project_id + "/secrets/" + secret_id + "/versions/" + version}
result: base64_encoded_secret_data
# Secret can also be retrieved by using positional arguments in an expression.
- expression:
assign:
- secret_str_from_exp: ${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}
- the_end:
return: [${str_secret}, ${secret_str_from_exp}, ${text.decode(base64.decode(base64_encoded_secret.payload.data))}]
