This page describes secret replication policies in Secret Manager. A replication policy lets you choose the locations where you store your secret payload data. You can configure each secret with either automatic replication or user-managed replication when you create a secret. The locations in the replication policy can't be updated.
Automatic secret replication policy
A secret with an automatic replication policy has its payload data replicated without restriction. This is the simplest configuration and is recommended for most users. When creating a secret using the Google Cloud CLI or the web UI, this is the default replication policy.
For billing purposes, a secret with an automatic replication policy is considered to be stored in a single location.
For purposes of resource location organization policy evaluation, a secret with an automatic replication policy can only be created if resource creation in global is allowed.
User-managed secret replication policy
A secret with a user-managed replication policy has its payload data replicated to a user-configured set of locations. The secret can be replicated to any number of supported locations. This may be useful if there are requirements around where the secret payload data can be stored.
For billing purposes, each location in the user-managed replication policy is considered a separate location.
For purposes of resource location organization policy evaluation, a secret with a user-managed replication policy can only be created if resource creation is allowed in all the selected locations.
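The evaluation and billing rules for both policies can be checked offline against exported secret metadata. The following Python sketch is an added example, not part of the original page or Google's own code. It assumes secrets in the Secret resource JSON shape (`replication.automatic` or `replication.userManaged.replicas[].location`), treats the organization policy as a flat set of allowed location names (a simplification), and uses constructed project and secret names.

```python
import json

# Constructed sample: secrets in the shape of the Secret Manager API's
# Secret resource (as in `gcloud secrets describe --format=json`).
SAMPLE_SECRETS = json.loads("""
[
  {"name": "projects/example-project/secrets/api-key",
   "replication": {"automatic": {}}},
  {"name": "projects/example-project/secrets/db-password",
   "replication": {"userManaged": {"replicas": [
       {"location": "europe-west1"}, {"location": "europe-west4"}]}}},
  {"name": "projects/example-project/secrets/legacy-token",
   "replication": {"userManaged": {"replicas": [
       {"location": "europe-west1"}, {"location": "us-east1"}]}}}
]
""")


def evaluated_locations(secret):
    """Locations the resource location policy is evaluated against."""
    replication = secret["replication"]
    if "automatic" in replication:
        return ["global"]  # automatic replication is evaluated as "global"
    return [r["location"] for r in replication["userManaged"]["replicas"]]


def audit(secrets, allowed):
    """Report, per secret, whether the allowed set would permit creating it."""
    findings = []
    for secret in secrets:
        locations = evaluated_locations(secret)
        denied = sorted(set(locations) - set(allowed))
        findings.append({
            "name": secret["name"],
            "creatable": not denied,  # every evaluated location must be allowed
            "denied_locations": denied,
            # Automatic is billed as one location, user-managed as one per
            # replica; both equal the number of evaluated locations.
            "billed_locations": len(locations),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SECRETS, {"europe-west1", "europe-west4"}):
        print(finding)
```

With only the two European regions allowed, the automatic secret is reported as not creatable because global is not in the allowed set, even though it names no region outside Europe.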
What's next
- Learn more about editing a secret.
- Learn more about managing access to secrets.
- Learn more about setting up rotation policies.

