Proteger y almacenar datos sensibles con el conector Secret Manager
Organízate con las colecciones
Guarda y clasifica el contenido según tus preferencias.
Secret Manager es un sistema práctico y seguro para almacenar claves de API, contraseñas, certificados y otros datos sensibles. Secret Manager ofrece una única fuente de información centralizada para acceder a los secretos, gestionarlos y auditarlos en todos los componentes de Google Cloud.
Puedes usar el conector de la API Secret Manager de Workflows para acceder a Secret Manager en un flujo de trabajo. De esta forma, se simplifica la integración, ya que el conector gestiona el formato de las solicitudes y proporciona métodos y argumentos para que no tengas que conocer los detalles de la API Secret Manager. El conector también tiene un comportamiento integrado para gestionar los reintentos y las operaciones de larga duración. Para obtener más información sobre cómo usar los conectores de Workflows, consulta Información sobre los conectores.
Concede acceso a Secret Manager a la cuenta de servicio de Workflows
Secret Manager usa Gestión de Identidades y Accesos (IAM) para el control de acceso. Para crear, gestionar, enumerar o acceder a un secreto, se deben conceder los permisos de gestión de identidades y accesos adecuados a nivel de proyecto y a nivel de recurso individual. Para obtener más información, consulta Control de acceso con IAM.
Al igual que al invocar un endpoint HTTP, una llamada de conector requiere los campos call y args. Para obtener más información, consulta Invocar una llamada de conector.
Además de usar un paso de llamada, puedes llamar a los métodos auxiliares en una expresión como esta:
Por ejemplo, puedes usar el método auxiliar accessString para recuperar los datos secretos como una cadena. Es más sencillo que usar la API access, ya que los datos secretos se decodifican automáticamente en formato de cadena.
También puedes usar el método auxiliar addVersionString para añadir un nuevo valor de secreto a un secreto que ya tengas. Es más sencillo que usar la API addVersion, ya que los datos secretos se codifican automáticamente en una cadena en base64, que es necesaria para addVersion.
Recuperar un secreto con el conector Secret Manager
El siguiente flujo de trabajo muestra cómo usar el conector de Secret Manager para recuperar un secreto.
[[["Es fácil de entender","easyToUnderstand","thumb-up"],["Me ofreció una solución al problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Es difícil de entender","hardToUnderstand","thumb-down"],["La información o el código de muestra no son correctos","incorrectInformationOrSampleCode","thumb-down"],["Me faltan las muestras o la información que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-08-20 (UTC)."],[],[],null,["# Secure and store sensitive data using the Secret Manager connector\n\nSecret Manager is a secure and convenient storage system for\nAPI keys, passwords, certificates, and other sensitive data. Secret Manager\nprovides a central place and single source of truth to manage, access, and audit\nsecrets across Google Cloud.\n\nYou can use Workflows'\n[connector for the Secret Manager API](https://cloud.google.com/workflows/docs/reference/googleapis/secretmanager/Overview)\nto access Secret Manager within a workflow. This simplifies the\nintegration for you, because the connector handles the formatting of\nrequests, and provides methods and arguments so that you don't need to know\nthe details of the Secret Manager API. The connector also has\nbuilt-in behavior for handling retries and long-running operations. To learn\nmore about using Workflows connectors, see\n[Understand connectors](/workflows/docs/connectors).\n\nGrant the Workflows service account access to Secret Manager\n------------------------------------------------------------\n\nSecret Manager uses Identity and Access Management (IAM) for access\ncontrol. To create, manage, list, or access a secret, the appropriate\nIAM permissions must be granted at the project level and at the\nindividual resource level. For more information, see\n[Access control with IAM](/secret-manager/docs/access-control).\n\nWorkflows uses service accounts to give workflows access to\nGoogle Cloud resources. To\n[access a secret version](/secret-manager/docs/access-secret-version), you must\ngrant the Secret Manager Secret Accessor role\n(`roles/secretmanager.secretAccessor`) on the secret, project, folder, or\norganization to the service account. Learn more about\n[deploying a workflow with a user-managed service account](/workflows/docs/authentication).\n\nEnable the APIs\n---------------\n\nBefore using the Workflows' connector for the\nSecret Manager API, ensure that you enable the\nSecret Manager and Workflows APIs. \n\n### Console\n\n[Enable the APIs](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com,workflows.googleapis.com)\n\n### gcloud\n\n gcloud services enable secretmanager.googleapis.com workflows.googleapis.com\n\nInvoke a connector call\n-----------------------\n\nSimilar to invoking an HTTP endpoint, a connector call requires `call` and `args`\nfields. For more information, see\n[Invoke a connector call](/workflows/docs/reference/googleapis#invoke_a_connector_call).\n\nIn addition to using a call step, you can call the helper methods in an\nexpression like this: \n\n```genshi\n${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}\n```\n\nFor example, you can use the helper method `accessString` to retrieve the secret\ndata as a string. This is simpler than using the `access` API as the secret data\nis automatically decoded to a string format.\n\nYou can also use the helper method `addVersionString` to add a new secret value\nto an existing secret. This is simpler than using the `addVersion` API as the\nsecret data is automatically encoded to a base-64 string, which is required by\n`addVersion`.\n\nRetrieve a secret using the Secret Manager connector\n----------------------------------------------------\n\nThe following workflow demonstrates how to use the Secret Manager\nconnector to retrieve a secret.\n\n### YAML\n\n # This workflow demonstrates how to use the Secret Manager connector:\n # Retrieve a secret using three different methods\n # Expected output: the secret data (thrice)\n - init:\n assign:\n - project_id: ${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}\n - secret_id: \"test-secret\" # Make sure you have this secret and it has a version of 1.\n - version: \"1\"\n # Add data to an existing secret without base-64 encoding\n - add_version_string:\n call: googleapis.secretmanager.v1.projects.secrets.addVersionString\n args:\n secret_id: ${secret_id}\n project_id: ${project_id}\n data: \"a new secret\"\n # Retrieve the secret in string format without base-64 decoding and assume\n # that the secret data is a valid UTF-8 string; if not, raise an error\n - access_string_secret:\n call: googleapis.secretmanager.v1.projects.secrets.versions.accessString\n args:\n secret_id: ${secret_id}\n version: ${version} # if not set, \"latest\" is used\n project_id: ${project_id}\n result: str_secret\n # Retrieve the secret in string format without base-64 decoding\n - access_secret:\n call: googleapis.secretmanager.v1.projects.secrets.versions.access\n args:\n name: ${\"projects/\" + project_id + \"/secrets/\" + secret_id + \"/versions/\" + version}\n result: base64_encoded_secret\n # Retrieve the secret using positional arguments in an expression\n - expression:\n assign:\n - secret_str_from_exp: ${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}\n - the_end:\n return:\n - ${str_secret}\n - ${text.decode(base64.decode(base64_encoded_secret.payload.data))}\n - ${secret_str_from_exp}\n\n### JSON\n\n [\n {\n \"init\": {\n \"assign\": [\n {\n \"project_id\": \"${sys.get_env(\\\"GOOGLE_CLOUD_PROJECT_ID\\\")}\"\n },\n {\n \"secret_id\": \"test-secret\"\n },\n {\n \"version\": \"1\"\n }\n ]\n }\n },\n {\n \"add_version_string\": {\n \"call\": \"googleapis.secretmanager.v1.projects.secrets.addVersionString\",\n \"args\": {\n \"secret_id\": \"${secret_id}\",\n \"project_id\": \"${project_id}\",\n \"data\": \"a new secret\"\n }\n }\n },\n {\n \"access_string_secret\": {\n \"call\": \"googleapis.secretmanager.v1.projects.secrets.versions.accessString\",\n \"args\": {\n \"secret_id\": \"${secret_id}\",\n \"version\": \"${version}\",\n \"project_id\": \"${project_id}\"\n },\n \"result\": \"str_secret\"\n }\n },\n {\n \"access_secret\": {\n \"call\": \"googleapis.secretmanager.v1.projects.secrets.versions.access\",\n \"args\": {\n \"name\": \"${\\\"projects/\\\" + project_id + \\\"/secrets/\\\" + secret_id + \\\"/versions/\\\" + version}\"\n },\n \"result\": \"base64_encoded_secret\"\n }\n },\n {\n \"expression\": {\n \"assign\": [\n {\n \"secret_str_from_exp\": \"${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}\"\n }\n ]\n }\n },\n {\n \"the_end\": {\n \"return\": [\n \"${str_secret}\",\n \"${text.decode(base64.decode(base64_encoded_secret.payload.data))}\",\n \"${secret_str_from_exp}\"\n ]\n }\n }\n ]\n\nWhat's next\n-----------\n\n- [Learn more about Secret Manager](/secret-manager/docs/overview)"]]
