Add labels to secrets

This page provides an overview of labels, describes how to add labels to a secret, and how to view and update labels attached to a secret.

What are labels?

A label is a key-value pair that you can assign to Google Cloud Secret Manager secrets. Labels help you organize these resources and manage your costs at scale, with the granularity you need. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, which lets you break down your billed charges by label. With built-in billing reports, you can filter and group costs by resource labels. You can also use labels to query billing data exports.

Requirements for labels

The labels applied to a resource must meet the following requirements:

  • Each resource can have up to 64 labels.
  • Each label must be a key-value pair.
  • Keys have a minimum length of 1 character and a maximum length of 63 characters, and cannot be empty. Values can be empty, and have a maximum length of 63 characters.
  • Keys and values can contain only lowercase letters, numeric characters, underscores, and dashes. All characters must use UTF-8 encoding, and international characters are allowed. Keys must start with a lowercase letter or international character.
  • The key portion of a label must be unique within a single resource. However, you can use the same key with multiple resources.

These limits apply to the key and value for each label, and to the individual Google Cloud resources that have labels. There is no limit on how many labels you can apply across all resources within a project.
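
The requirements above, written as a pre-flight check that runs before labels are sent to Secret Manager (an added example, not part of the original page or of Google's client libraries). Reading "international characters" as Unicode categories Ll/Lo and "numeric characters" as the N* categories is an assumption, as are all function names; the sample labels are constructed.

```python
from __future__ import annotations

import unicodedata
from typing import Iterable

MAX_LABELS_PER_RESOURCE = 64
MAX_LENGTH = 63  # applies to keys and to values, counted in characters


def _is_letter(ch: str) -> bool:
    # Assumption: "lowercase letter or international character" means Unicode
    # category Ll (lowercase) or Lo (caseless scripts such as CJK).
    return unicodedata.category(ch) in ("Ll", "Lo")


def _is_allowed(ch: str) -> bool:
    # Assumption: "numeric characters" means any Unicode number category (N*).
    return _is_letter(ch) or ch in "_-" or unicodedata.category(ch).startswith("N")


def check_key(key: str) -> list[str]:
    """Return the rule violations for one label key (empty list if valid)."""
    if not key:
        return ["key is empty"]
    problems = []
    if len(key) > MAX_LENGTH:
        problems.append(f"key {key!r} is longer than {MAX_LENGTH} characters")
    if not _is_letter(key[0]):
        problems.append(
            f"key {key!r} must start with a lowercase letter or international character"
        )
    bad = sorted({ch for ch in key if not _is_allowed(ch)})
    if bad:
        problems.append(f"key {key!r} contains disallowed characters {bad}")
    return problems


def check_value(key: str, value: str) -> list[str]:
    """Return the rule violations for one label value; empty values are valid."""
    problems = []
    if len(value) > MAX_LENGTH:
        problems.append(f"value for {key!r} is longer than {MAX_LENGTH} characters")
    bad = sorted({ch for ch in value if not _is_allowed(ch)})
    if bad:
        problems.append(f"value for {key!r} contains disallowed characters {bad}")
    return problems


def validate_labels(pairs: Iterable[tuple[str, str]]) -> list[str]:
    """Validate all labels intended for a single resource.

    Takes (key, value) pairs rather than a dict so that a repeated key is
    reported instead of being silently overwritten.
    """
    pairs = list(pairs)
    problems = []
    if len(pairs) > MAX_LABELS_PER_RESOURCE:
        problems.append(
            f"{len(pairs)} labels exceed the limit of "
            f"{MAX_LABELS_PER_RESOURCE} per resource"
        )
    seen = set()
    for key, value in pairs:
        if key in seen:
            problems.append(f"key {key!r} is used more than once on this resource")
        seen.add(key)
        problems.extend(check_key(key))
        problems.extend(check_value(key, value))
    return problems


def gcloud_labels_flag(pairs: Iterable[tuple[str, str]]) -> str:
    """Build the --labels flag for gcloud, refusing labels that break a rule."""
    pairs = list(pairs)
    problems = validate_labels(pairs)
    if problems:
        raise ValueError("; ".join(problems))
    return "--labels=" + ",".join(f"{key}={value}" for key, value in pairs)


if __name__ == "__main__":
    # Constructed sample labels: the first set is valid, the second is not.
    good = [("team", "shopping-cart"), ("environment", "production"), ("state", "")]
    bad = [("Team", "research"), ("1st", "x"), ("state", "ReadyToDelete")]
    print(gcloud_labels_flag(good))
    for problem in validate_labels(bad):
        print("rejected:", problem)
```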

Common uses of labels

Here are some common use cases for labels:

  • Team or cost center labels: Add labels based on team or cost center to distinguish Secret Manager secrets owned by different teams (for example, team:research and team:analytics). You can use this type of label for cost accounting or budgeting.

  • Component labels: For example, component:redis, component:frontend, component:ingest, and component:dashboard.

  • Environment or stage labels: For example, environment:production and environment:test.

  • State labels: For example, state:active, state:readytodelete, and state:archive.

  • Ownership labels: Used to identify the teams that are responsible for operations, for example: team:shopping-cart.

We don't recommend creating large numbers of unique labels, such as for timestamps or individual values for every API call. Labels whose values change frequently, or whose keys clutter the catalog, make it difficult to filter and report on resources effectively.

Labels and tags

Labels can be used as queryable annotations for resources, but can't be used to set conditions on policies. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag, by providing fine-grained control over policies. For more information, see the Tags overview.

Create a secret with labels

To add a label when creating the secret, follow these steps:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. On the Secret Manager page, click the Regional secrets tab, and then click Create regional secret.

  3. On the Create regional secret page, enter a name for the secret in the Name field.

  4. Enter a value for the secret (for example, abcd1234). You can also upload a text file containing the secret value using the Upload file option. This action automatically creates the secret version.

  5. Select the location where you want your regional secret to be stored from the Region list.

  6. Go to the Labels section, and then click Add label.

  7. Enter the key and corresponding value to create a label.

  8. Click Create secret.

gcloud

Before using any of the command data below, make the following replacements:

  • SECRET_ID: the ID of the secret.
  • LOCATION: the Google Cloud location of the secret.
  • KEY: the key of the label.
  • VALUE: the value of the label.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets create SECRET_ID \
    --location=LOCATION \
    --labels=KEY=VALUE

Windows (PowerShell)

gcloud secrets create SECRET_ID `
    --location=LOCATION `
    --labels=KEY=VALUE

Windows (cmd.exe)

gcloud secrets create SECRET_ID ^
    --location=LOCATION ^
    --labels=KEY=VALUE

REST

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the secret.
  • PROJECT_ID: the Google Cloud project ID.
  • SECRET_ID: the ID of the secret.
  • KEY: the key of the label.
  • VALUE: the value of the label.

HTTP method and URL:

POST https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets?secretId=SECRET_ID

Request JSON body:

{
  "labels": {
    "KEY": "VALUE"
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets?secretId=SECRET_ID"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets?secretId=SECRET_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID",
  "createTime": "2024-03-25T08:24:13.153705Z",
  "labels": {
    "key": "value"
  },
  "etag": "\"161477e6071da9\""
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

using Google.Api.Gax.ResourceNames;
using Google.Cloud.SecretManager.V1;
using System.Collections.Generic;

public class CreateRegionalSecretWithLabelsSample
{
    public Secret CreateRegionalSecretWithLabels(
        string projectId = "my-project",
        string locationId = "my-location",
        string secretId = "my-secret",
        string labelKey = "my-label-key",
        string labelValue = "my-label-value"
    )
    {
        // Create the Regional Secret Manager Client.
        SecretManagerServiceClient client = new SecretManagerServiceClientBuilder
        {
            Endpoint = $"secretmanager.{locationId}.rep.googleapis.com"
        }.Build();

        // Build the parent resource name.
        LocationName location = new LocationName(projectId, locationId);

        // Build the secret.
        Secret secret = new Secret
        {
            Labels =
            {
                { labelKey, labelValue }
            },
        };

        // Call the API.
        Secret createdSecret = client.CreateSecret(location, secretId, secret);
        return createdSecret;
    }
}
 

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
	"google.golang.org/api/option"
)

// createRegionalSecretWithLabels creates a new regional secret with the given name and labels.
func createRegionalSecretWithLabels(w io.Writer, projectId, locationId, secretId string) error {
	parent := fmt.Sprintf("projects/%s/locations/%s", projectId, locationId)

	labelKey := "labelkey"
	labelValue := "labelvalue"

	// Create the client.
	ctx := context.Background()

	// Endpoint to send the request to the regional server.
	endpoint := fmt.Sprintf("secretmanager.%s.rep.googleapis.com:443", locationId)
	client, err := secretmanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create secretmanager client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &secretmanagerpb.CreateSecretRequest{
		Parent:   parent,
		SecretId: secretId,
		Secret: &secretmanagerpb.Secret{
			Labels: map[string]string{
				labelKey: labelValue,
			},
		},
	}

	// Call the API.
	result, err := client.CreateSecret(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create secret: %w", err)
	}
	fmt.Fprintf(w, "Created secret with labels: %s\n", result.Name)
	return nil
}
 

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.secretmanager.v1.LocationName;
import com.google.cloud.secretmanager.v1.Secret;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import java.io.IOException;

public class CreateRegionalSecretWithLabels {

  public static void createRegionalSecretWithLabels() throws IOException {
    // TODO(developer): Replace these variables before running the sample.

    // This is the id of the GCP project
    String projectId = "your-project-id";
    // Location of the secret.
    String locationId = "your-location-id";
    // This is the id of the secret to act on
    String secretId = "your-secret-id";
    // This is the key of the label to be added
    String labelKey = "your-label-key";
    // This is the value of the label to be added
    String labelValue = "your-label-value";
    createRegionalSecretWithLabels(projectId, locationId, secretId, labelKey, labelValue);
  }

  // Create a secret with labels.
  public static Secret createRegionalSecretWithLabels(
      String projectId,
      String locationId,
      String secretId,
      String labelKey,
      String labelValue)
      throws IOException {

    // Endpoint to call the regional secret manager server
    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
    SecretManagerServiceSettings secretManagerServiceSettings =
        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests.
    try (SecretManagerServiceClient client =
        SecretManagerServiceClient.create(secretManagerServiceSettings)) {

      // Build the parent name from the project.
      LocationName location = LocationName.of(projectId, locationId);

      // Build the secret to create with labels.
      Secret secret =
          Secret.newBuilder()
              .putLabels(labelKey, labelValue)
              .build();

      // Create the secret.
      Secret createdSecret = client.createSecret(location.toString(), secretId, secret);
      System.out.printf("Created secret %s\n", createdSecret.getName());
      return createdSecret;
    }
  }
}
 

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'my-project';
// const locationId = 'my-location';
// const secretId = 'my-secret';
// const labelKey = 'secretmanager';
// const labelValue = 'rocks';
const parent = `projects/${projectId}/locations/${locationId}`;

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Adding the endpoint to call the regional secret manager server
const options = {};
options.apiEndpoint = `secretmanager.${locationId}.rep.googleapis.com`;

// Instantiates a client
const client = new SecretManagerServiceClient(options);

async function createRegionalSecretWithLabels() {
  const [secret] = await client.createSecret({
    parent: parent,
    secretId: secretId,
    secret: {
      labels: {
        [labelKey]: labelValue,
      },
    },
  });

  console.log(`Created secret ${secret.name}`);
}

createRegionalSecretWithLabels();
 

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\CreateSecretRequest;
use Google\Cloud\SecretManager\V1\Secret;
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;

/**
 * @param string $projectId  Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId Your Google Cloud Location ID (e.g. 'us-central1')
 * @param string $secretId   Your secret ID (e.g. 'my-secret')
 * @param string $labelKey   Your label key (e.g. 'label-key')
 * @param string $labelValue Your label value (e.g. 'label-value')
 */
function create_regional_secret_with_labels(string $projectId, string $locationId, string $secretId, string $labelKey, string $labelValue): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];

    // Create the Secret Manager client.
    $client = new SecretManagerServiceClient($options);

    // Build the resource name of the parent project.
    $parent = $client->locationName($projectId, $locationId);

    $secret = new Secret();

    // Set the labels.
    $labels = [$labelKey => $labelValue];
    $secret->setLabels($labels);

    // Build the request.
    $request = CreateSecretRequest::build($parent, $secretId, $secret);

    // Create the secret.
    $newSecret = $client->createSecret($request);

    // Print the new secret name.
    printf('Created secret %s with labels', $newSecret->getName());
}
 

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import argparse
import typing

# Import the Secret Manager client library.
from google.cloud import secretmanager_v1


def create_regional_secret_with_labels(
    project_id: str,
    location_id: str,
    secret_id: str,
    labels: typing.Dict[str, str],
    ttl: typing.Optional[str] = None,
) -> secretmanager_v1.Secret:
    """
    Create a new secret with the given name. A secret is a logical wrapper
    around a collection of secret versions. Secret versions hold the actual
    secret material.
    """

    # Endpoint to call the regional Secret Manager API.
    api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

    # Create the Secret Manager client.
    client = secretmanager_v1.SecretManagerServiceClient(
        client_options={"api_endpoint": api_endpoint},
    )

    # Build the resource name of the parent project and location.
    parent = f"projects/{project_id}/locations/{location_id}"

    # Create the secret.
    response = client.create_secret(
        request={
            "parent": parent,
            "secret_id": secret_id,
            "secret": {"ttl": ttl, "labels": labels},
        }
    )

    # Print the new secret name.
    print(f"Created secret: {response.name}")

    return response
 

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/secret_manager"

##
# Create a regional secret with labels
#
# @param project_id [String] Your Google Cloud project (e.g. "my-project")
# @param location_id [String] Your Google Cloud location (e.g. "us-west1")
# @param secret_id [String] Your secret name (e.g. "my-secret")
# @param label_key [String] Your label key (e.g. "my-label-key")
# @param label_value [String] Your label value (e.g. "my-label-value")
#
def create_regional_secret_with_labels project_id:, location_id:, secret_id:, label_key:, label_value:
  # Endpoint for the regional secret manager service.
  api_endpoint = "secretmanager.#{location_id}.rep.googleapis.com"

  # Create the Secret Manager client.
  client = Google::Cloud::SecretManager.secret_manager_service do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the parent project.
  parent = client.location_path project: project_id, location: location_id

  # Create the secret.
  secret = client.create_secret(
    parent: parent,
    secret_id: secret_id,
    secret: {
      labels: {
        label_key => label_value
      }
    }
  )

  # Print the new secret name.
  puts "Created regional secret with labels: #{secret.name}"
end
 

View labels on a secret

To view assigned labels, follow these steps:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. On the Secret Manager page, click the Regional secrets tab, and then select the secret whose labels you want to view.

  3. If the Info Panel is closed, click Show Info Panel to display it.

  4. In the panel, click the Labels tab. All the labels added to the secret are displayed.

gcloud

Before using any of the command data below, make the following replacements:

  • SECRET_ID: the ID of the secret.
  • LOCATION: the Google Cloud location of the secret.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets describe SECRET_ID --location=LOCATION

Windows (PowerShell)

gcloud secrets describe SECRET_ID --location=LOCATION

Windows (cmd.exe)

gcloud secrets describe SECRET_ID --location=LOCATION

REST

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the secret.
  • PROJECT_ID: the Google Cloud project ID.
  • SECRET_ID: the ID of the secret.

HTTP method and URL:

GET https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID

Request JSON body:

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID",
  "createTime": "2024-03-25T08:24:13.153705Z",
  "labels": {
    "key": "value"
  },
  "etag": "\"161477e6071da9\""
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

using Google.Api.Gax.ResourceNames;
using Google.Cloud.SecretManager.V1;
using Google.Protobuf.Collections;
using Google.Protobuf.WellKnownTypes;
using System;

public class ViewRegionalSecretLabelsSample
{
    public Secret ViewRegionalSecretLabels(
        string projectId = "my-project",
        string locationId = "my-location",
        string secretId = "my-secret"
    )
    {
        // Create the Regional Secret Manager Client.
        SecretManagerServiceClient client = new SecretManagerServiceClientBuilder
        {
            Endpoint = $"secretmanager.{locationId}.rep.googleapis.com"
        }.Build();

        // Build the resource name.
        SecretName secretName = SecretName.FromProjectLocationSecret(projectId, locationId, secretId);

        // Get the secret.
        Secret secret = client.GetSecret(secretName);

        // Get the secret's labels.
        MapField<string, string> secretLabels = secret.Labels;

        // Print the labels.
        foreach (var label in secret.Labels)
        {
            Console.WriteLine($"Label Key: {label.Key}, Label Value: {label.Value}");
        }
        return secret;
    }
}
 

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
	"google.golang.org/api/option"
)

// viewRegionalSecretLabels gets information about the given secret and prints
// its labels. This only returns metadata about the secret container, not any
// secret material.
func viewRegionalSecretLabels(w io.Writer, projectId, locationId, secretId string) error {
	name := fmt.Sprintf("projects/%s/locations/%s/secrets/%s", projectId, locationId, secretId)

	// Create the client.
	ctx := context.Background()

	// Endpoint to send the request to the regional server.
	endpoint := fmt.Sprintf("secretmanager.%s.rep.googleapis.com:443", locationId)
	client, err := secretmanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create secretmanager client: %w", err)
	}
	defer client.Close()

	// Build the request.
	req := &secretmanagerpb.GetSecretRequest{
		Name: name,
	}

	// Call the API.
	result, err := client.GetSecret(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to get secret: %w", err)
	}

	labels := result.Labels

	fmt.Fprintf(w, "Found secret %s\n", result.Name)

	// Print each label on its own line.
	for key, value := range labels {
		fmt.Fprintf(w, "Label key %s : Label Value %s\n", key, value)
	}
	return nil
}
 

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.secretmanager.v1.Secret;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretName;
import java.io.IOException;
import java.util.Map;

public class ViewRegionalSecretLabels {

  public static void viewRegionalSecretLabels() throws IOException {
    // TODO(developer): Replace these variables before running the sample.

    // This is the id of the GCP project
    String projectId = "your-project-id";
    // Location of the secret.
    String locationId = "your-location-id";
    // This is the id of the secret whose labels to view
    String secretId = "your-secret-id";
    viewRegionalSecretLabels(projectId, locationId, secretId);
  }

  // View the labels of an existing secret.
  public static Map<String, String> viewRegionalSecretLabels(
      String projectId,
      String locationId,
      String secretId
  ) throws IOException {

    // Endpoint to call the regional secret manager server
    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
    SecretManagerServiceSettings secretManagerServiceSettings =
        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests.
    try (SecretManagerServiceClient client =
        SecretManagerServiceClient.create(secretManagerServiceSettings)) {
      // Build the name.
      SecretName secretName =
          SecretName.ofProjectLocationSecretName(projectId, locationId, secretId);

      // Get the secret.
      Secret secret = client.getSecret(secretName);

      Map<String, String> labels = secret.getLabels();

      System.out.printf("Secret %s \n", secret.getName());

      for (Map.Entry<String, String> label : labels.entrySet()) {
        System.out.printf("Label key : %s, Label Value : %s\n", label.getKey(), label.getValue());
      }

      return secret.getLabels();
    }
  }
}
 

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'my-project';
// const locationId = 'locationId';
// const secretId = 'my-secret';
const name = `projects/${projectId}/locations/${locationId}/secrets/${secretId}`;

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Adding the endpoint to call the regional secret manager server
const options = {};
options.apiEndpoint = `secretmanager.${locationId}.rep.googleapis.com`;

// Instantiates a client
const client = new SecretManagerServiceClient(options);

async function getRegionalSecretLabels() {
  const [secret] = await client.getSecret({
    name: name,
  });

  for (const key in secret.labels) {
    console.log(`${key} : ${secret.labels[key]}`);
  }
}

getRegionalSecretLabels();
 

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
use Google\Cloud\SecretManager\V1\GetSecretRequest;

/**
 * @param string $projectId  Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId Your secret Location (e.g. 'us-central1')
 * @param string $secretId   Your secret ID (e.g. 'my-secret')
 */
function view_regional_secret_labels(string $projectId, string $locationId, string $secretId): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];

    // Create the Secret Manager client.
    $client = new SecretManagerServiceClient($options);

    // Build the resource name of the secret.
    $name = $client->projectLocationSecretName($projectId, $locationId, $secretId);

    // Build the request.
    $request = GetSecretRequest::build($name);

    // Get the secret.
    $getSecret = $client->getSecret($request);

    // Get the secret labels.
    $labels = $getSecret->getLabels();

    // Print the secret name.
    printf('Get secret %s with labels:' . PHP_EOL, $getSecret->getName());

    // Loop over all the labels and print each one.
    foreach ($labels as $key => $val) {
        printf("\t$key: $val" . PHP_EOL);
    }
}
 

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

import argparse

# Import the Secret Manager client library.
from google.cloud import secretmanager_v1


def view_regional_secret_labels(
    project_id: str, location_id: str, secret_id: str
) -> None:
    """
    List all secret labels in the given secret.
    """
    # Endpoint to call the regional Secret Manager server.
    api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

    # Create the Secret Manager client.
    client = secretmanager_v1.SecretManagerServiceClient(
        client_options={"api_endpoint": api_endpoint},
    )

    # Build the resource name of the parent secret.
    name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"

    # Get the secret metadata, which includes its labels.
    response = client.get_secret(request={"name": name})

    print(f"Got secret {response.name} with labels :")
    for key in response.labels:
        print(f"{key} : {response.labels[key]}")
 

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/secret_manager"

##
# View a regional secret's labels
#
# @param project_id [String] Your Google Cloud project (e.g. "my-project")
# @param location_id [String] Your Google Cloud location (e.g. "us-west1")
# @param secret_id [String] Your secret name (e.g. "my-secret")
#
def view_regional_secret_labels project_id:, location_id:, secret_id:
  # Endpoint for the regional secret manager service.
  api_endpoint = "secretmanager.#{location_id}.rep.googleapis.com"

  # Create the Secret Manager client.
  client = Google::Cloud::SecretManager.secret_manager_service do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the secret.
  name = client.secret_path project: project_id, location: location_id, secret: secret_id

  # Get the existing secret.
  existing_secret = client.get_secret name: name

  # Get the existing secret's labels.
  existing_secret_labels = existing_secret.labels.to_h

  # Print the secret name and the labels.
  puts "Regional Secret: #{existing_secret.name}"
  existing_secret_labels.each do |key, value|
    puts "Label Key: #{key}, Label Value: #{value}"
  end
end
 

Update labels

To update labels, follow these steps:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. On the Secret Manager page, click the Regional secrets tab.

  3. Select the secret that you want to edit.

  4. Open the Info Panel, and then click the Labels tab.

  5. Update the existing value of a label and click Save.

    You can also delete an existing label or add a new label. To edit the key of a label, add a new label with the same key name, and then delete the old label.

gcloud

Before using any of the command data below, make the following replacements:

  • SECRET_ID: the ID of the secret.
  • LOCATION: the Google Cloud location of the secret.
  • KEY: the key of the label.
  • VALUE: the value of the label.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets update SECRET_ID \
    --location=LOCATION \
    --update-labels=KEY=VALUE

Windows (PowerShell)

gcloud secrets update SECRET_ID `
    --location=LOCATION `
    --update-labels=KEY=VALUE

Windows (cmd.exe)

gcloud secrets update SECRET_ID ^
    --location=LOCATION ^
    --update-labels=KEY=VALUE

REST

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the secret.
  • PROJECT_ID: the Google Cloud project ID.
  • SECRET_ID: the ID of the secret.
  • KEY: the key of the label.
  • VALUE: the value of the label.

HTTP method and URL:

PATCH https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID?update_mask=labels

Request JSON body:

{
  "labels": {
    "KEY": "VALUE"
  }
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID?update_mask=labels"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID?update_mask=labels" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID",
  "createTime": "2024-03-25T08:24:13.153705Z",
  "labels": {
    "key": "value"
  },
  "etag": "\"161477e6071da9\""
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

using Google.Cloud.SecretManager.V1;
using Google.Protobuf.WellKnownTypes;

public class UpdateRegionalSecretSample
{
    public Secret UpdateRegionalSecret(
        string projectId = "my-project",
        string locationId = "my-location",
        string secretId = "my-secret"
    )
    {
        // Create the Regional Secret Manager Client.
        SecretManagerServiceClient client = new SecretManagerServiceClientBuilder
        {
            Endpoint = $"secretmanager.{locationId}.rep.googleapis.com"
        }.Build();

        // Build the secret with updated fields.
        Secret secret = new Secret
        {
            SecretName = SecretName.FromProjectLocationSecret(projectId, locationId, secretId),
        };
        secret.Labels["secretmanager"] = "rocks";

        // Build the field mask.
        FieldMask fieldMask = FieldMask.FromString("labels");

        // Call the API.
        Secret updatedSecret = client.UpdateSecret(secret, fieldMask);
        return updatedSecret;
    }
}
 

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
	"google.golang.org/api/option"
	"google.golang.org/genproto/protobuf/field_mask"
)

// editRegionalSecretLabel updates the labels on an existing secret.
// If the label key exists, it updates the label, otherwise it creates a new one.
func editRegionalSecretLabel(w io.Writer, projectId, locationId, secretId string) error {
	name := fmt.Sprintf("projects/%s/locations/%s/secrets/%s", projectId, locationId, secretId)
	labelKey := "labelkey"
	labelValue := "updatedlabelvalue"

	// Create the client.
	ctx := context.Background()

	// Endpoint to send the request to the regional server.
	endpoint := fmt.Sprintf("secretmanager.%s.rep.googleapis.com:443", locationId)
	client, err := secretmanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create secretmanager client: %w", err)
	}
	defer client.Close()

	// Build the request to get the secret.
	req := &secretmanagerpb.GetSecretRequest{
		Name: name,
	}

	// Call the API.
	result, err := client.GetSecret(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to get secret: %w", err)
	}

	labels := result.Labels
	// A secret without labels returns a nil map, and writing to a nil map panics.
	if labels == nil {
		labels = map[string]string{}
	}
	labels[labelKey] = labelValue

	// Build the request to update the secret.
	update_req := &secretmanagerpb.UpdateSecretRequest{
		Secret: &secretmanagerpb.Secret{
			Name:   name,
			Labels: labels,
		},
		// To only update labels in the patch request, we add
		// update mask in the request
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"labels"},
		},
	}

	// Call the API.
	update_result, err := client.UpdateSecret(ctx, update_req)
	if err != nil {
		return fmt.Errorf("failed to update secret: %w", err)
	}
	fmt.Fprintf(w, "Updated secret: %s\n", update_result.Name)
	return nil
}
 

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.secretmanager.v1.Secret;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.protobuf.FieldMask;
import com.google.protobuf.util.FieldMaskUtil;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class EditRegionalSecretLabel {

  public static void editRegionalSecretLabel() throws IOException {
    // TODO(developer): Replace these variables before running the sample.

    // This is the id of the GCP project
    String projectId = "your-project-id";
    // Location of the secret.
    String locationId = "your-location-id";
    // This is the id of the secret to act on
    String secretId = "your-secret-id";
    // This is the key of the label to be added/updated
    String labelKey = "your-label-key";
    // This is the value of the label to be added/updated
    String labelValue = "your-label-value";
    editRegionalSecretLabel(projectId, locationId, secretId, labelKey, labelValue);
  }

  // Update an existing secret, by creating a new label or updating an existing label.
  public static Secret editRegionalSecretLabel(
      String projectId, String locationId, String secretId, String labelKey, String labelValue)
      throws IOException {

    // Endpoint to call the regional Secret Manager server
    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
    SecretManagerServiceSettings secretManagerServiceSettings =
        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests.
    try (SecretManagerServiceClient client =
        SecretManagerServiceClient.create(secretManagerServiceSettings)) {
      // Build the secret name.
      SecretName secretName =
          SecretName.ofProjectLocationSecretName(projectId, locationId, secretId);

      // Get the existing secret
      Secret existingSecret = client.getSecret(secretName);

      Map<String, String> existingLabelsMap =
          new HashMap<String, String>(existingSecret.getLabels());

      // Add a new label key and value.
      existingLabelsMap.put(labelKey, labelValue);

      // Build the updated secret.
      Secret secret =
          Secret.newBuilder()
              .setName(secretName.toString())
              .putAllLabels(existingLabelsMap)
              .build();

      // Build the field mask.
      FieldMask fieldMask = FieldMaskUtil.fromString("labels");

      // Update the secret.
      Secret updatedSecret = client.updateSecret(secret, fieldMask);
      System.out.printf("Updated secret %s\n", updatedSecret.getName());

      return updatedSecret;
    }
  }
}
 

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'my-project';
// const locationId = 'locationId';
// const secretId = 'my-secret';
// const labelKey = 'gcp';
// const labelValue = 'rocks';
const name = `projects/${projectId}/locations/${locationId}/secrets/${secretId}`;

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Adding the endpoint to call the regional Secret Manager server
const options = {};
options.apiEndpoint = `secretmanager.${locationId}.rep.googleapis.com`;

// Instantiates a client
const client = new SecretManagerServiceClient(options);

async function getSecret() {
  const [secret] = await client.getSecret({
    name: name,
  });

  return secret;
}

async function createUpdateRegionalSecretLabel() {
  // Read the current labels, then send the whole map back with the change applied.
  const oldSecret = await getSecret();
  oldSecret.labels[labelKey] = labelValue;
  const [secret] = await client.updateSecret({
    secret: {
      name: name,
      labels: oldSecret.labels,
    },
    updateMask: {
      paths: ['labels'],
    },
  });

  console.info(`Updated secret ${secret.name}`);
}

createUpdateRegionalSecretLabel();
 

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
use Google\Cloud\SecretManager\V1\GetSecretRequest;
use Google\Cloud\SecretManager\V1\UpdateSecretRequest;
use Google\Protobuf\FieldMask;

/**
 * @param string $projectId  Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId Your secret Location (e.g. 'us-central1')
 * @param string $secretId   Your secret ID (e.g. 'my-secret')
 * @param string $labelKey   Your label key (e.g. 'label-key')
 * @param string $labelValue Your label value (e.g. 'label-value')
 */
function edit_regional_secret_labels(string $projectId, string $locationId, string $secretId, string $labelKey, string $labelValue): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];

    // Create the Secret Manager client.
    $client = new SecretManagerServiceClient($options);

    // Build the resource name of the secret.
    $name = $client->projectLocationSecretName($projectId, $locationId, $secretId);

    // Build the request.
    $request = GetSecretRequest::build($name);

    // Get the secret.
    $getSecret = $client->getSecret($request);

    // Get the secret labels.
    $labels = $getSecret->getLabels();

    // Update the label - need to create a new labels map with the updated values.
    $newLabels = [];
    foreach ($labels as $key => $value) {
        $newLabels[$key] = $value;
    }
    $newLabels[$labelKey] = $labelValue;
    $getSecret->setLabels($newLabels);

    // Set the field mask.
    $fieldMask = new FieldMask();
    $fieldMask->setPaths(['labels']);

    // Build the update request.
    $request = new UpdateSecretRequest();
    $request->setSecret($getSecret);
    $request->setUpdateMask($fieldMask);

    // Update the secret.
    $updateSecret = $client->updateSecret($request);

    // Print the updated secret.
    printf('Updated secret %s labels' . PHP_EOL, $updateSecret->getName());
}
 

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import argparse
from typing import Dict

# Import the Secret Manager client library.
from google.cloud import secretmanager_v1


def edit_regional_secret_label(
    project_id: str, location_id: str, secret_id: str, new_labels: Dict[str, str]
) -> secretmanager_v1.Secret:
    """
    Create or update a label on an existing secret.
    """
    # Endpoint to call the regional Secret Manager API.
    api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

    # Create the Secret Manager client.
    client = secretmanager_v1.SecretManagerServiceClient(
        client_options={"api_endpoint": api_endpoint},
    )

    # Build the resource name of the parent secret.
    name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"

    # Get the secret.
    response = client.get_secret(request={"name": name})

    labels = response.labels

    # Update the labels
    for label_key in new_labels:
        labels[label_key] = new_labels[label_key]

    # Update the secret.
    secret = {"name": name, "labels": labels}
    update_mask = {"paths": ["labels"]}
    response = client.update_secret(
        request={"secret": secret, "update_mask": update_mask}
    )

    # Print the new secret name.
    print(f"Updated secret: {response.name}")

    return response
 

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/secret_manager"

##
# Update a regional secret's labels
#
# @param project_id [String] Your Google Cloud project (e.g. "my-project")
# @param location_id [String] Your Google Cloud location (e.g. "us-west1")
# @param secret_id [String] Your secret name (e.g. "my-secret")
#
def update_regional_secret project_id:, location_id:, secret_id:
  # Endpoint for the regional secret manager service.
  api_endpoint = "secretmanager.#{location_id}.rep.googleapis.com"

  # Create the Secret Manager client.
  client = Google::Cloud::SecretManager.secret_manager_service do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the secret.
  name = client.secret_path project: project_id, location: location_id, secret: secret_id

  # Update the secret's labels.
  secret = client.update_secret(
    secret: {
      name: name,
      labels: {
        secretmanager: "rocks"
      }
    },
    update_mask: {
      paths: ["labels"]
    }
  )

  # Print the updated secret name and the new label value.
  puts "Updated regional secret: #{secret.name}"
  puts "New label: #{secret.labels['secretmanager']}"
end
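
The Go, Java, Node.js, PHP, and Python samples read the secret first and send the complete label map back, because an update whose mask is labels replaces every label on the secret. The following Python example is added here and is not one of the official samples: it performs that merge offline, checks the result against the label requirements listed at the top of this page, and reports which existing keys a request body would drop. The function names and sample labels are constructed for illustration, and the character test is an approximation of the "lowercase letter or international character" rule.

```python
import json
from typing import Dict, Iterable, List, Optional

MAX_LABELS = 64  # labels per resource, from the requirements on this page
MAX_LENGTH = 63  # characters per key or per value


def is_lower_or_international(ch: str) -> bool:
    """Approximation (assumption): a letter that is not an uppercase form."""
    return ch.isalpha() and ch == ch.lower()


def validate_labels(labels: Dict[str, str]) -> None:
    """Raise ValueError if the map breaks the label requirements."""
    if len(labels) > MAX_LABELS:
        raise ValueError(f"{len(labels)} labels exceeds the limit of {MAX_LABELS}")
    for key, value in labels.items():
        if not 1 <= len(key) <= MAX_LENGTH:
            raise ValueError(f"key {key!r} must be 1 to {MAX_LENGTH} characters")
        if len(value) > MAX_LENGTH:
            raise ValueError(f"value for {key!r} is longer than {MAX_LENGTH}")
        if not is_lower_or_international(key[0]):
            raise ValueError(f"key {key!r} must start with a lowercase letter")
        for ch in key + value:
            if not (ch in "_-" or ch.isdigit() or is_lower_or_international(ch)):
                raise ValueError(f"character {ch!r} is not allowed in {key!r}")


def merge_labels(
    current: Dict[str, str],
    updates: Optional[Dict[str, str]] = None,
    removals: Iterable[str] = (),
) -> Dict[str, str]:
    """Return the full label map to send; the input map is not modified."""
    merged = dict(current)
    for key in removals:
        merged.pop(key, None)
    merged.update(updates or {})
    validate_labels(merged)
    return merged


def dropped_keys(current: Dict[str, str], proposed: Dict[str, str]) -> List[str]:
    """Keys present on the secret that the proposed map would delete."""
    return sorted(key for key in current if key not in proposed)


def build_request_body(labels: Dict[str, str]) -> str:
    """JSON body for the PATCH request that uses update_mask=labels."""
    return json.dumps({"labels": labels}, sort_keys=True, ensure_ascii=False)


if __name__ == "__main__":
    # Constructed sample: labels currently attached to a secret.
    current = {"team": "research", "component": "redis"}

    # Sending only the changed key would silently delete "team".
    partial = {"component": "frontend"}
    print("partial body drops:", dropped_keys(current, partial))

    # Merging first keeps every label that was not explicitly removed.
    merged = merge_labels(current, updates=partial)
    print("merged body drops:", dropped_keys(current, merged))
    print(build_request_body(merged))
```

Run dropped_keys in review or CI against any hand-written request body; a non-empty result means labels used for cost attribution or filtering would disappear with the update.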
 

Remove labels

To remove labels, follow these steps:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. On the Secret Manager page, click the Regional secrets tab.

  3. Select the secret that you want to edit.

  4. Open the Info Panel, and then click the Labels tab.

  5. Click Delete to remove the labels that you no longer require.

  6. Click Save.

gcloud

Before using any of the command data below, make the following replacements:

  • SECRET_ID: the ID of the secret.
  • LOCATION: the Google Cloud location of the secret.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets update SECRET_ID \
    --location=LOCATION \
    --clear-labels

Windows (PowerShell)

gcloud secrets update SECRET_ID `
    --location=LOCATION `
    --clear-labels

Windows (cmd.exe)

gcloud secrets update SECRET_ID ^
    --location=LOCATION ^
    --clear-labels

REST

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the secret.
  • PROJECT_ID: the Google Cloud project ID.
  • SECRET_ID: the ID of the secret.

HTTP method and URL:

PATCH https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID?update_mask=labels

Request JSON body:

{
  "labels": {}
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID?update_mask=labels"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method PATCH `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID?update_mask=labels" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID",
  "createTime": "2024-03-25T08:24:13.153705Z",
  "etag": "\"161477e6071da9\"",
  "labels": {}
}

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
	"google.golang.org/api/option"
	"google.golang.org/genproto/protobuf/field_mask"
)

// deleteRegionalSecretLabel updates the metadata about an existing secret and removes an existing label.
func deleteRegionalSecretLabel(w io.Writer, projectId, locationId, secretId string) error {
	name := fmt.Sprintf("projects/%s/locations/%s/secrets/%s", projectId, locationId, secretId)
	labelKey := "labelkey"

	// Create the client.
	ctx := context.Background()

	// Endpoint to send the request to the regional server.
	endpoint := fmt.Sprintf("secretmanager.%s.rep.googleapis.com:443", locationId)
	client, err := secretmanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create secretmanager client: %w", err)
	}
	defer client.Close()

	// Build the request to get the secret.
	req := &secretmanagerpb.GetSecretRequest{
		Name: name,
	}

	// Call the API.
	result, err := client.GetSecret(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to get secret: %w", err)
	}

	labels := result.Labels

	// Delete the label in the map and update the secret with patch request
	delete(labels, labelKey)

	// Build the request to update the secret.
	updateReq := &secretmanagerpb.UpdateSecretRequest{
		Secret: &secretmanagerpb.Secret{
			Name:   name,
			Labels: labels,
		},
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"labels"},
		},
	}

	// Call the API.
	updateResult, err := client.UpdateSecret(ctx, updateReq)
	if err != nil {
		return fmt.Errorf("failed to update secret: %w", err)
	}
	fmt.Fprintf(w, "Updated secret: %s\n", updateResult.Name)
	return nil
}
 

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.secretmanager.v1.Secret;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.protobuf.FieldMask;
import com.google.protobuf.util.FieldMaskUtil;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class DeleteRegionalSecretLabel {

  public static void deleteRegionalSecretLabel() throws IOException {
    // TODO(developer): Replace these variables before running the sample.

    // This is the id of the GCP project
    String projectId = "your-project-id";
    // Location of the secret.
    String locationId = "your-location-id";
    // This is the id of the secret to act on
    String secretId = "your-secret-id";
    // This is the key of the label to be deleted
    String labelKey = "your-label-key";
    deleteRegionalSecretLabel(projectId, locationId, secretId, labelKey);
  }

  // Update an existing secret, by deleting a label.
  public static Secret deleteRegionalSecretLabel(
      String projectId, String locationId, String secretId, String labelKey)
      throws IOException {

    // Endpoint to call the regional Secret Manager server
    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
    SecretManagerServiceSettings secretManagerServiceSettings =
        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests.
    try (SecretManagerServiceClient client =
        SecretManagerServiceClient.create(secretManagerServiceSettings)) {
      // Build the secret name.
      SecretName secretName =
          SecretName.ofProjectLocationSecretName(projectId, locationId, secretId);

      // Get the existing secret
      Secret existingSecret = client.getSecret(secretName);

      Map<String, String> existingLabelsMap =
          new HashMap<String, String>(existingSecret.getLabels());

      // Remove the label from the copy of the existing labels.
      existingLabelsMap.remove(labelKey);

      // Build the updated secret.
      Secret secret =
          Secret.newBuilder()
              .setName(secretName.toString())
              .putAllLabels(existingLabelsMap)
              .build();

      // Build the field mask.
      FieldMask fieldMask = FieldMaskUtil.fromString("labels");

      // Update the secret.
      Secret updatedSecret = client.updateSecret(secret, fieldMask);
      System.out.printf("Updated secret %s\n", updatedSecret.getName());

      return updatedSecret;
    }
  }
}
 

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'my-project';
// const locationId = 'locationId';
// const secretId = 'my-secret';
// const labelKey = 'secretmanager';
const name = `projects/${projectId}/locations/${locationId}/secrets/${secretId}`;

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Adding the endpoint to call the regional Secret Manager server
const options = {};
options.apiEndpoint = `secretmanager.${locationId}.rep.googleapis.com`;

// Instantiates a client
const client = new SecretManagerServiceClient(options);

async function getSecret() {
  const [secret] = await client.getSecret({
    name: name,
  });

  return secret;
}

async function deleteRegionalSecretLabel() {
  // Read the current labels, remove one key, then send the remaining map back.
  const oldSecret = await getSecret();
  delete oldSecret.labels[labelKey];
  const [secret] = await client.updateSecret({
    secret: {
      name: name,
      labels: oldSecret.labels,
    },
    updateMask: {
      paths: ['labels'],
    },
  });

  console.info(`Updated secret ${secret.name}`);
}

deleteRegionalSecretLabel();
 

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

  // Import the Secret Manager client library.
  use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
  use Google\Cloud\SecretManager\V1\GetSecretRequest;
  use Google\Cloud\SecretManager\V1\Secret;
  use Google\Cloud\SecretManager\V1\UpdateSecretRequest;
  use Google\Protobuf\FieldMask;

  /**
   * @param string $projectId  Your Google Cloud Project ID (e.g. 'my-project')
   * @param string $locationId Your secret Location (e.g. 'us-central1')
   * @param string $secretId   Your secret ID (e.g. 'my-secret')
   * @param string $labelKey   Your label key (e.g. 'label-key')
   */
  function delete_regional_secret_label(string $projectId, string $locationId, string $secretId, string $labelKey): void
  {
      // Specify regional endpoint.
      $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];

      // Create the Secret Manager client.
      $client = new SecretManagerServiceClient($options);

      // Build the resource name of the secret.
      $name = $client->projectLocationSecretName($projectId, $locationId, $secretId);

      // Build the request.
      $request = GetSecretRequest::build($name);

      // Get the secret.
      $getSecret = $client->getSecret($request);

      // Get the secret labels.
      $labels = $getSecret->getLabels();

      // Delete the label.
      unset($labels[$labelKey]);

      // Set the field mask so that only the labels field is updated.
      $fieldMask = new FieldMask();
      $fieldMask->setPaths(['labels']);

      // Build the secret.
      $secret = new Secret();
      $secret->setLabels($labels);
      $secret->setName($getSecret->getName());

      // Build the request with the secret built above.
      $request = new UpdateSecretRequest();
      $request->setSecret($secret);
      $request->setUpdateMask($fieldMask);

      // Update the secret.
      $updateSecret = $client->updateSecret($request);

      // Print the secret name.
      printf('Updated secret %s' . PHP_EOL, $updateSecret->getName());
  }
 

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

  import argparse

  # Import the Secret Manager client library.
  from google.cloud import secretmanager_v1


  def delete_regional_secret_label(
      project_id: str, location_id: str, secret_id: str, label_key: str
  ) -> secretmanager_v1.Secret:
      """
      Delete a label on an existing secret.
      """

      # Endpoint to call the regional Secret Manager API.
      api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

      # Create the Secret Manager client.
      client = secretmanager_v1.SecretManagerServiceClient(
          client_options={"api_endpoint": api_endpoint},
      )

      # Build the resource name of the parent secret.
      name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"

      # Get the secret.
      response = client.get_secret(request={"name": name})

      labels = response.labels

      # Delete the label
      labels.pop(label_key, None)

      # Update the secret.
      secret = {"name": name, "labels": labels}
      update_mask = {"paths": ["labels"]}
      response = client.update_secret(
          request={"secret": secret, "update_mask": update_mask}
      )

      # Print the new secret name.
      print(f"Updated secret: {response.name}")

      return response
 

What's next
