Manage access to secrets

This page describes how to manage access to a secret, including the secret material. To learn more about access controls and permissions, see Access control with IAM .

Important: To use Secret Manager with workloads running on Compute Engine or Google Kubernetes Engine, the underlying instance or node must have the cloud-platform OAuth scope. See accessing the Secret Manager API for more information.

Required roles

To get the permissions that you need to manage access to secrets, ask your administrator to grant you the Secret Manager Admin ( roles/secretmanager.admin ) IAM role on the secret, project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations .

You might also be able to get the required permissions through custom roles or other predefined roles .

Grant access

To grant access to a secret, use one of the following methods:

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
To select a secret, click the checkbox next to the name of the secret on the Secret Manager page.
If it is not already open, click Show Info Panel to open the panel.
In the info panel, click Add Principal .
In the New principals field, enter the email address(es) of the members to add.
In the Select a role list, choose Secret Manager , and then select Secret Manager Secret Accessor .

gcloud

Before using any of the command data below, make the following replacements:

SECRET_ID : the ID of the secret
MEMBER : the IAM member , such as a user, group, or service account

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud  
secrets  
add-iam-policy-binding  
 SECRET_ID 
  
 \ 
  
--member = 
 " MEMBER 
" 
  
 \ 
  
--role = 
 "roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud  
secrets  
add-iam-policy-binding  
 SECRET_ID 
  
 ` 
  
--member = 
 " MEMBER 
" 
  
 ` 
  
--role = 
 "roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud  
secrets  
add-iam-policy-binding  
 SECRET_ID 
  
^  
--member = 
 " MEMBER 
" 
  
^  
--role = 
 "roles/secretmanager.secretAccessor"

REST

Note: Unlike the other examples, this replaces the entire IAM policy.

Before using any of the request data, make the following replacements:

PROJECT_ID : the Google Cloud project that contains the secret
SECRET_ID : the ID of the secret
MEMBER : the IAM member , such as a user, group, or service account

HTTP method and URL:

POST https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
:setIamPolicy

Request JSON body:

{"policy": {"bindings": [{"members": [" MEMBER 
"], "role": "roles/secretmanager.secretAccessor"}]}}

To send your request, choose one of these options:

curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell , which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
:setIamPolicy"

PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwYhOrAmWFQ=",
  "bindings": [
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": [
        "user:username@google.com"
      ]
    }
  ]
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  using 
  
  Google.Cloud.SecretManager.V1 
 
 ; 
 using 
  
  Google.Cloud.Iam.V1 
 
 ; 
 public 
  
 class 
  
 IamGrantAccessSample 
 { 
  
 public 
  
 Policy 
  
 IamGrantAccess 
 ( 
  
 string 
  
 projectId 
  
 = 
  
 "my-project" 
 , 
  
 string 
  
 secretId 
  
 = 
  
 "my-secret" 
 , 
  
 string 
  
 member 
  
 = 
  
 "user:foo@example.com" 
 ) 
  
 { 
  
 // Create the client. 
  
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
  Create 
 
 (); 
  
 // Build the resource name. 
  
  SecretName 
 
  
 secretName 
  
 = 
  
 new 
  
  SecretName 
 
 ( 
 projectId 
 , 
  
 secretId 
 ); 
  
 // Get current policy. 
  
  Policy 
 
  
 policy 
  
 = 
  
 client 
 . 
  GetIamPolicy 
 
 ( 
 new 
  
  GetIamPolicyRequest 
 
  
 { 
  
 ResourceAsResourceName 
  
 = 
  
 secretName 
 , 
  
 }); 
  
 // Add the user to the list of bindings. 
  
 policy 
 . 
  AddRoleMember 
 
 ( 
 "roles/secretmanager.secretAccessor" 
 , 
  
 member 
 ); 
  
 // Save the updated policy. 
  
 policy 
  
 = 
  
 client 
 . 
  SetIamPolicy 
 
 ( 
 new 
  
  SetIamPolicyRequest 
 
  
 { 
  
 ResourceAsResourceName 
  
 = 
  
 secretName 
 , 
  
 Policy 
  
 = 
  
 policy 
 , 
  
 }); 
  
 return 
  
 policy 
 ; 
  
 } 
 }

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 secretmanager 
  
 "cloud.google.com/go/secretmanager/apiv1" 
 ) 
 // iamGrantAccess grants the given member access to the secret. 
 func 
  
 iamGrantAccess 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 name 
 , 
  
 member 
  
 string 
 ) 
  
 error 
  
 { 
  
 // name := "projects/my-project/secrets/my-secret" 
  
 // member := "user:foo@example.com" 
  
 // Create the client. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 secretmanager 
 . 
  NewClient 
 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to create secretmanager client: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
  Close 
 
 () 
  
 // Get the current IAM policy. 
  
 handle 
  
 := 
  
 client 
 . 
  IAM 
 
 ( 
 name 
 ) 
  
 policy 
 , 
  
 err 
  
 := 
  
 handle 
 . 
 Policy 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to get policy: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 // Grant the member access permissions. 
  
 policy 
 . 
 Add 
 ( 
 member 
 , 
  
 "roles/secretmanager.secretAccessor" 
 ) 
  
 if 
  
 err 
  
 = 
  
 handle 
 . 
 SetPolicy 
 ( 
 ctx 
 , 
  
 policy 
 ); 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to save policy: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Updated IAM policy for %s\n" 
 , 
  
 name 
 ) 
  
 return 
  
 nil 
 }

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 com.google.cloud.secretmanager.v1. SecretManagerServiceClient 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretName 
 
 ; 
 import 
  
 com.google.iam.v1. Binding 
 
 ; 
 import 
  
 com.google.iam.v1. GetIamPolicyRequest 
 
 ; 
 import 
  
 com.google.iam.v1. Policy 
 
 ; 
 import 
  
 com.google.iam.v1. SetIamPolicyRequest 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 public 
  
 class 
 IamGrantAccess 
  
 { 
  
 public 
  
 static 
  
 void 
  
 iamGrantAccess 
 () 
  
 throws 
  
 IOException 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 String 
  
 secretId 
  
 = 
  
 "your-secret-id" 
 ; 
  
 String 
  
 member 
  
 = 
  
 "user:foo@example.com" 
 ; 
  
 iamGrantAccess 
 ( 
 projectId 
 , 
  
 secretId 
 , 
  
 member 
 ); 
  
 } 
  
 // Grant a member access to a particular secret. 
  
 public 
  
 static 
  
 void 
  
 iamGrantAccess 
 ( 
 String 
  
 projectId 
 , 
  
 String 
  
 secretId 
 , 
  
 String 
  
 member 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // Initialize client that will be used to send requests. This client only needs to be created 
  
 // once, and can be reused for multiple requests. After completing all of your requests, call 
  
 // the "close" method on the client to safely clean up any remaining background resources. 
  
 try 
  
 ( 
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
 create 
 ()) 
  
 { 
  
 // Build the name from the version. 
  
  SecretName 
 
  
 secretName 
  
 = 
  
  SecretName 
 
 . 
 of 
 ( 
 projectId 
 , 
  
 secretId 
 ); 
  
 // Request the current IAM policy. 
  
  Policy 
 
  
 currentPolicy 
  
 = 
  
 client 
 . 
 getIamPolicy 
 ( 
  
  GetIamPolicyRequest 
 
 . 
 newBuilder 
 (). 
 setResource 
 ( 
 secretName 
 . 
  toString 
 
 ()). 
 build 
 ()); 
  
 // Build the new binding. 
  
  Binding 
 
  
 binding 
  
 = 
  
  Binding 
 
 . 
 newBuilder 
 () 
  
 . 
 setRole 
 ( 
 "roles/secretmanager.secretAccessor" 
 ) 
  
 . 
  addMembers 
 
 ( 
 member 
 ) 
  
 . 
 build 
 (); 
  
 // Create a new IAM policy from the current policy, adding the binding. 
  
  Policy 
 
  
 newPolicy 
  
 = 
  
  Policy 
 
 . 
 newBuilder 
 (). 
 mergeFrom 
 ( 
 currentPolicy 
 ). 
  addBindings 
 
 ( 
 binding 
 ). 
 build 
 (); 
  
 // Save the updated IAM policy. 
  
 client 
 . 
 setIamPolicy 
 ( 
  
  SetIamPolicyRequest 
 
 . 
 newBuilder 
 () 
  
 . 
 setResource 
 ( 
 secretName 
 . 
  toString 
 
 ()) 
  
 . 
  setPolicy 
 
 ( 
 newPolicy 
 ) 
  
 . 
 build 
 ()); 
  
 System 
 . 
 out 
 . 
 printf 
 ( 
 "Updated IAM policy for %s\n" 
 , 
  
 secretId 
 ); 
  
 } 
  
 } 
 }

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  /** 
 * TODO(developer): Uncomment these variables before running the sample. 
 */ 
 // const name = 'projects/my-project/secrets/my-secret'; 
 // const member = 'user:you@example.com'; 
 // 
 // NOTE: Each member must be prefixed with its type. See the IAM documentation 
 // for more information: https://cloud.google.com/iam/docs/overview. 
 // Imports the Secret Manager library 
 const 
  
 { 
 SecretManagerServiceClient 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/secret-manager 
' 
 ); 
 // Instantiates a client 
 const 
  
 client 
  
 = 
  
 new 
  
  SecretManagerServiceClient 
 
 (); 
 async 
  
 function 
  
 grantAccess 
 () 
  
 { 
  
 // Get the current IAM policy. 
  
 const 
  
 [ 
 policy 
 ] 
  
 = 
  
 await 
  
 client 
 . 
 getIamPolicy 
 ({ 
  
 resource 
 : 
  
 name 
 , 
  
 }); 
  
 // Add the user with accessor permissions to the bindings list. 
  
 policy 
 . 
 bindings 
 . 
 push 
 ({ 
  
 role 
 : 
  
 'roles/secretmanager.secretAccessor' 
 , 
  
 members 
 : 
  
 [ 
 member 
 ], 
  
 }); 
  
 // Save the updated IAM policy. 
  
 await 
  
 client 
 . 
 setIamPolicy 
 ({ 
  
 resource 
 : 
  
 name 
 , 
  
 policy 
 : 
  
 policy 
 , 
  
 }); 
  
 console 
 . 
 log 
 ( 
 `Updated IAM policy for 
 ${ 
 name 
 } 
 ` 
 ); 
 } 
 grantAccess 
 ();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  // Import the Secret Manager client library. 
 use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient; 
 // Import the Secret Manager IAM library. 
 use Google\Cloud\Iam\V1\Binding; 
 use Google\Cloud\Iam\V1\GetIamPolicyRequest; 
 use Google\Cloud\Iam\V1\SetIamPolicyRequest; 
 /** 
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project') 
 * @param string $secretId  Your secret ID (e.g. 'my-secret') 
 * @param string $member Your member (e.g. 'user:foo@example.com') 
 */ 
 function iam_grant_access(string $projectId, string $secretId, string $member): void 
 { 
 // Create the Secret Manager client. 
 $client = new SecretManagerServiceClient(); 
 // Build the resource name of the secret. 
 $name = $client->secretName($projectId, $secretId); 
 // Get the current IAM policy. 
 $policy = $client->getIamPolicy((new GetIamPolicyRequest)->setResource($name)); 
 // Update the bindings to include the new member. 
 $bindings = $policy->getBindings(); 
 $bindings[] = new Binding([ 
 'members' => [$member], 
 'role' => 'roles/secretmanager.secretAccessor', 
 ]); 
 $policy->setBindings($bindings); 
 // Build the request. 
 $request = (new SetIamPolicyRequest) 
 ->setResource($name) 
 ->setPolicy($policy); 
 // Save the updated policy to the server. 
 $client->setIamPolicy($request); 
 // Print out a success message. 
 printf('Updated IAM policy for %s', $secretId); 
 }

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  def 
  
 iam_grant_access 
 ( 
 project_id 
 : 
 str 
 , 
 secret_id 
 : 
 str 
 , 
 member 
 : 
 str 
 ) 
 - 
> iam_policy_pb2 
 . 
 SetIamPolicyRequest 
 : 
  
 """ 
 Grant the given member access to a secret. 
 """ 
 # Import the Secret Manager client library. 
 from 
  
 google.cloud 
  
 import 
 secretmanager 
 # Create the Secret Manager client. 
 client 
 = 
 secretmanager 
 . 
 SecretManagerServiceClient 
 () 
 # Build the resource name of the secret. 
 name 
 = 
 client 
 . 
 secret_path 
 ( 
 project_id 
 , 
 secret_id 
 ) 
 # Get the current IAM policy. 
 policy 
 = 
 client 
 . 
 get_iam_policy 
 ( 
 request 
 = 
 { 
 "resource" 
 : 
 name 
 }) 
 # Add the given member with access permissions. 
 policy 
 . 
 bindings 
 . 
 add 
 ( 
 role 
 = 
 "roles/secretmanager.secretAccessor" 
 , 
 members 
 = 
 [ 
 member 
 ]) 
 # Update the IAM Policy. 
 new_policy 
 = 
 client 
 . 
 set_iam_policy 
 ( 
 request 
 = 
 { 
 "resource" 
 : 
 name 
 , 
 "policy" 
 : 
 policy 
 }) 
 # Print data about the secret. 
 print 
 ( 
 f 
 "Updated IAM policy on 
 { 
 secret_id 
 } 
 " 
 )

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  # project_id = "YOUR-GOOGLE-CLOUD-PROJECT"  # (e.g. "my-project") 
 # secret_id  = "YOUR-SECRET-ID"             # (e.g. "my-secret") 
 # member     = "USER-OR-ACCOUNT"            # (e.g. "user:foo@example.com") 
 # Require the Secret Manager client library. 
 require 
  
 "google/cloud/secret_manager" 
 # Create a Secret Manager client. 
 client 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  SecretManager 
 
 . 
  secret_manager_service 
 
 # Build the resource name of the secret. 
 name 
  
 = 
  
 client 
 . 
 secret_path 
  
 project 
 : 
  
 project_id 
 , 
  
 secret 
 : 
  
 secret_id 
 # Get the current IAM policy. 
 policy 
  
 = 
  
 client 
 . 
 get_iam_policy 
  
 resource 
 : 
  
 name 
 # Add new member to current bindings 
 policy 
 . 
 bindings 
 << 
 Google 
 :: 
 Iam 
 :: 
  V1 
 
 :: 
 Binding 
 . 
 new 
 ( 
  
 members 
 : 
  
 [ 
 member 
 ] 
 , 
  
 role 
 : 
  
 "roles/secretmanager.secretAccessor" 
 ) 
 # Update IAM policy 
 new_policy 
  
 = 
  
 client 
 . 
 set_iam_policy 
  
 resource 
 : 
  
 name 
 , 
  
 policy 
 : 
  
 policy 
 # Print a success message. 
 puts 
  
 "Updated IAM policy for 
 #{ 
 secret_id 
 } 
 "

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  # Import the Secret Manager client library. 
 from 
  
 google 
  
 import 
 iam 
 from 
  
 google.cloud 
  
 import 
 secretmanager_v1 
 def 
  
 iam_grant_access_with_regional_secret 
 ( 
 project_id 
 : 
 str 
 , 
 location_id 
 : 
 str 
 , 
 secret_id 
 : 
 str 
 , 
 member 
 : 
 str 
 , 
 ) 
 - 
> iam 
 . 
 v1 
 . 
 iam_policy_pb2 
 . 
 SetIamPolicyRequest 
 : 
  
 """ 
 Grants the given member access to a secret. 
 """ 
 # Endpoint to call the regional secret manager sever. 
 api_endpoint 
 = 
 f 
 "secretmanager. 
 { 
 location_id 
 } 
 .rep.googleapis.com" 
 # Create the Secret Manager client. 
 client 
 = 
 secretmanager_v1 
 . 
 SecretManagerServiceClient 
 ( 
 client_options 
 = 
 { 
 "api_endpoint" 
 : 
 api_endpoint 
 }, 
 ) 
 # Build the resource name of the secret. 
 name 
 = 
 f 
 "projects/ 
 { 
 project_id 
 } 
 /locations/ 
 { 
 location_id 
 } 
 /secrets/ 
 { 
 secret_id 
 } 
 " 
 # Get the current IAM policy. 
 policy 
 = 
 client 
 . 
 get_iam_policy 
 ( 
 request 
 = 
 { 
 "resource" 
 : 
 name 
 }) 
 # Add the given member with access permissions. 
 policy 
 . 
 bindings 
 . 
 add 
 ( 
 role 
 = 
 "roles/secretmanager.secretAccessor" 
 , 
 members 
 = 
 [ 
 member 
 ]) 
 # Update the IAM Policy. 
 new_policy 
 = 
 client 
 . 
 set_iam_policy 
 ( 
 request 
 = 
 { 
 "resource" 
 : 
 name 
 , 
 "policy" 
 : 
 policy 
 }) 
 # Print data about the secret. 
 print 
 ( 
 f 
 "Updated IAM policy on 
 { 
 secret_id 
 } 
 " 
 ) 
 return 
 new_policy

Revoke access

To revoke access from a secret, use one of the following methods:

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
To select a secret, click the checkbox next to the name of the secret on the Secret Manager page.
If it is not already open, click Show Info Panel to open the panel.
In the info panel, click the expander arrow next to the user role to see a list of the users or service accounts with access to that role.
To remove the user or service account, click Delete next to service account or user ID.
In the confirmation dialog that appears, click Remove .

gcloud

Before using any of the command data below, make the following replacements:

SECRET_ID : the ID of the secret
MEMBER : the IAM member , such as a user, group, or service account

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud  
secrets  
remove-iam-policy-binding  
 SECRET_ID 
  
 \ 
  
--member = 
 " MEMBER 
" 
  
 \ 
  
--role = 
 "roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud  
secrets  
remove-iam-policy-binding  
 SECRET_ID 
  
 ` 
  
--member = 
 " MEMBER 
" 
  
 ` 
  
--role = 
 "roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud  
secrets  
remove-iam-policy-binding  
 SECRET_ID 
  
^  
--member = 
 " MEMBER 
" 
  
^  
--role = 
 "roles/secretmanager.secretAccessor"

REST

Note: Unlike the other examples, this replaces the entire IAM policy.

Before using any of the request data, make the following replacements:

PROJECT_ID : the Google Cloud project ID
SECRET_ID : the ID of the secret

HTTP method and URL:

POST https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
:setIamPolicy

Request JSON body:

{"policy": {"bindings": []}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json , and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
:setIamPolicy"

PowerShell

Save the request body in a file named request.json , and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwYhOtzsOBk="
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  using 
  
  Google.Cloud.SecretManager.V1 
 
 ; 
 using 
  
  Google.Cloud.Iam.V1 
 
 ; 
 public 
  
 class 
  
 IamRevokeAccessSample 
 { 
  
 public 
  
 Policy 
  
 IamRevokeAccess 
 ( 
  
 string 
  
 projectId 
  
 = 
  
 "my-project" 
 , 
  
 string 
  
 secretId 
  
 = 
  
 "my-secret" 
 , 
  
 string 
  
 member 
  
 = 
  
 "user:foo@example.com" 
 ) 
  
 { 
  
 // Create the client. 
  
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
  Create 
 
 (); 
  
 // Build the resource name. 
  
  SecretName 
 
  
 secretName 
  
 = 
  
 new 
  
  SecretName 
 
 ( 
 projectId 
 , 
  
 secretId 
 ); 
  
 // Get current policy. 
  
  Policy 
 
  
 policy 
  
 = 
  
 client 
 . 
  GetIamPolicy 
 
 ( 
 new 
  
  GetIamPolicyRequest 
 
  
 { 
  
 ResourceAsResourceName 
  
 = 
  
 secretName 
 , 
  
 }); 
  
 // Remove the user to the list of bindings. 
  
 policy 
 . 
  RemoveRoleMember 
 
 ( 
 "roles/secretmanager.secretAccessor" 
 , 
  
 member 
 ); 
  
 // Save the updated policy. 
  
 policy 
  
 = 
  
 client 
 . 
  SetIamPolicy 
 
 ( 
 new 
  
  SetIamPolicyRequest 
 
  
 { 
  
 ResourceAsResourceName 
  
 = 
  
 secretName 
 , 
  
 Policy 
  
 = 
  
 policy 
 , 
  
 }); 
  
 return 
  
 policy 
 ; 
  
 } 
 }

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 secretmanager 
  
 "cloud.google.com/go/secretmanager/apiv1" 
 ) 
 // iamRevokeAccess revokes the given member's access on the secret. 
 func 
  
 iamRevokeAccess 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 name 
 , 
  
 member 
  
 string 
 ) 
  
 error 
  
 { 
  
 // name := "projects/my-project/secrets/my-secret" 
  
 // member := "user:foo@example.com" 
  
 // Create the client. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 secretmanager 
 . 
  NewClient 
 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to create secretmanager client: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
  Close 
 
 () 
  
 // Get the current IAM policy. 
  
 handle 
  
 := 
  
 client 
 . 
  IAM 
 
 ( 
 name 
 ) 
  
 policy 
 , 
  
 err 
  
 := 
  
 handle 
 . 
 Policy 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to get policy: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 // Grant the member access permissions. 
  
 policy 
 . 
 Remove 
 ( 
 member 
 , 
  
 "roles/secretmanager.secretAccessor" 
 ) 
  
 if 
  
 err 
  
 = 
  
 handle 
 . 
 SetPolicy 
 ( 
 ctx 
 , 
  
 policy 
 ); 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to save policy: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Updated IAM policy for %s\n" 
 , 
  
 name 
 ) 
  
 return 
  
 nil 
 }

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 com.google.cloud.secretmanager.v1. SecretManagerServiceClient 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretName 
 
 ; 
 import 
  
 com.google.iam.v1. Binding 
 
 ; 
 import 
  
 com.google.iam.v1. GetIamPolicyRequest 
 
 ; 
 import 
  
 com.google.iam.v1. Policy 
 
 ; 
 import 
  
 com.google.iam.v1. SetIamPolicyRequest 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 public 
  
 class 
 IamRevokeAccess 
  
 { 
  
 public 
  
 static 
  
 void 
  
 iamRevokeAccess 
 () 
  
 throws 
  
 IOException 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 String 
  
 secretId 
  
 = 
  
 "your-secret-id" 
 ; 
  
 String 
  
 member 
  
 = 
  
 "user:foo@example.com" 
 ; 
  
 iamRevokeAccess 
 ( 
 projectId 
 , 
  
 secretId 
 , 
  
 member 
 ); 
  
 } 
  
 // Revoke a member access to a particular secret. 
  
 public 
  
 static 
  
 void 
  
 iamRevokeAccess 
 ( 
 String 
  
 projectId 
 , 
  
 String 
  
 secretId 
 , 
  
 String 
  
 member 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // Initialize client that will be used to send requests. This client only needs to be created 
  
 // once, and can be reused for multiple requests. After completing all of your requests, call 
  
 // the "close" method on the client to safely clean up any remaining background resources. 
  
 try 
  
 ( 
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
 create 
 ()) 
  
 { 
  
 // Build the name from the version. 
  
  SecretName 
 
  
 secretName 
  
 = 
  
  SecretName 
 
 . 
 of 
 ( 
 projectId 
 , 
  
 secretId 
 ); 
  
 // Request the current IAM policy. 
  
  Policy 
 
  
 policy 
  
 = 
  
 client 
 . 
 getIamPolicy 
 ( 
  
  GetIamPolicyRequest 
 
 . 
 newBuilder 
 (). 
 setResource 
 ( 
 secretName 
 . 
  toString 
 
 ()). 
 build 
 ()); 
  
 // Search through bindings and remove matches. 
  
 String 
  
 roleToFind 
  
 = 
  
 "roles/secretmanager.secretAccessor" 
 ; 
  
 for 
  
 ( 
  Binding 
 
  
 binding 
  
 : 
  
 policy 
 . 
  getBindingsList 
 
 ()) 
  
 { 
  
 if 
  
 ( 
 binding 
 . 
 getRole 
 () 
  
 == 
  
 roleToFind 
 && 
 binding 
 . 
 getMembersList 
 (). 
 contains 
 ( 
 member 
 )) 
  
 { 
  
 binding 
 . 
 getMembersList 
 (). 
 remove 
 ( 
 member 
 ); 
  
 } 
  
 } 
  
 // Save the updated IAM policy. 
  
 client 
 . 
 setIamPolicy 
 ( 
  
  SetIamPolicyRequest 
 
 . 
 newBuilder 
 () 
  
 . 
 setResource 
 ( 
 secretName 
 . 
  toString 
 
 ()) 
  
 . 
  setPolicy 
 
 ( 
 policy 
 ) 
  
 . 
 build 
 ()); 
  
 System 
 . 
 out 
 . 
 printf 
 ( 
 "Updated IAM policy for %s\n" 
 , 
  
 secretId 
 ); 
  
 } 
  
 } 
 }

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  /** 
 * TODO(developer): Uncomment these variables before running the sample. 
 */ 
 // const name = 'projects/my-project/secrets/my-secret'; 
 // const member = 'user:you@example.com'; 
 // 
 // NOTE: Each member must be prefixed with its type. See the IAM documentation 
 // for more information: https://cloud.google.com/iam/docs/overview. 
 // Imports the Secret Manager library 
 const 
  
 { 
 SecretManagerServiceClient 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/secret-manager 
' 
 ); 
 // Instantiates a client 
 const 
  
 client 
  
 = 
  
 new 
  
  SecretManagerServiceClient 
 
 (); 
 async 
  
 function 
  
 grantAccess 
 () 
  
 { 
  
 // Get the current IAM policy. 
  
 const 
  
 [ 
 policy 
 ] 
  
 = 
  
 await 
  
 client 
 . 
 getIamPolicy 
 ({ 
  
 resource 
 : 
  
 name 
 , 
  
 }); 
  
 // Build a new list of policy bindings with the user excluded. 
  
 for 
  
 ( 
 const 
  
 i 
  
 in 
  
 policy 
 . 
 bindings 
 ) 
  
 { 
  
 const 
  
 binding 
  
 = 
  
 policy 
 . 
 bindings 
 [ 
 i 
 ]; 
  
 if 
  
 ( 
 binding 
 . 
 role 
  
 !== 
  
 'roles/secretmanager.secretAccessor' 
 ) 
  
 { 
  
 continue 
 ; 
  
 } 
  
 const 
  
 idx 
  
 = 
  
 binding 
 . 
 members 
 . 
 indexOf 
 ( 
 member 
 ); 
  
 if 
  
 ( 
 idx 
  
 !== 
  
 - 
 1 
 ) 
  
 { 
  
 binding 
 . 
 members 
 . 
 splice 
 ( 
 idx 
 , 
  
 1 
 ); 
  
 } 
  
 } 
  
 // Save the updated IAM policy. 
  
 await 
  
 client 
 . 
 setIamPolicy 
 ({ 
  
 resource 
 : 
  
 name 
 , 
  
 policy 
 : 
  
 policy 
 , 
  
 }); 
  
 console 
 . 
 log 
 ( 
 `Updated IAM policy for 
 ${ 
 name 
 } 
 ` 
 ); 
 } 
 grantAccess 
 ();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  // Import the Secret Manager client library. 
 use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient; 
 use Google\Cloud\Iam\V1\GetIamPolicyRequest; 
 use Google\Cloud\Iam\V1\SetIamPolicyRequest; 
 /** 
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project') 
 * @param string $secretId  Your secret ID (e.g. 'my-secret') 
 * @param string $member Your member (e.g. 'user:foo@example.com') 
 */ 
 function iam_revoke_access(string $projectId, string $secretId, string $member): void 
 { 
 // Create the Secret Manager client. 
 $client = new SecretManagerServiceClient(); 
 // Build the resource name of the secret. 
 $name = $client->secretName($projectId, $secretId); 
 // Get the current IAM policy. 
 $policy = $client->getIamPolicy((new GetIamPolicyRequest)->setResource($name)); 
 // Remove the member from the list of bindings. 
 foreach ($policy->getBindings() as $binding) { 
 if ($binding->getRole() == 'roles/secretmanager.secretAccessor') { 
 $members = $binding->getMembers(); 
 foreach ($members as $i => $existingMember) { 
 if ($member == $existingMember) { 
 unset($members[$i]); 
 $binding->setMembers($members); 
 break; 
 } 
 } 
 } 
 } 
 // Build the request. 
 $request = (new SetIamPolicyRequest) 
 ->setResource($name) 
 ->setPolicy($policy); 
 // Save the updated policy to the server. 
 $client->setIamPolicy($request); 
 // Print out a success message. 
 printf('Updated IAM policy for %s', $secretId); 
 }

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  def 
  
 iam_revoke_access 
 ( 
 project_id 
 : 
 str 
 , 
 secret_id 
 : 
 str 
 , 
 member 
 : 
 str 
 ) 
 - 
> iam_policy_pb2 
 . 
 SetIamPolicyRequest 
 : 
  
 """ 
 Revoke the given member access to a secret. 
 """ 
 # Import the Secret Manager client library. 
 from 
  
 google.cloud 
  
 import 
 secretmanager 
 # Create the Secret Manager client. 
 client 
 = 
 secretmanager 
 . 
 SecretManagerServiceClient 
 () 
 # Build the resource name of the secret. 
 name 
 = 
 client 
 . 
 secret_path 
 ( 
 project_id 
 , 
 secret_id 
 ) 
 # Get the current IAM policy. 
 policy 
 = 
 client 
 . 
 get_iam_policy 
 ( 
 request 
 = 
 { 
 "resource" 
 : 
 name 
 }) 
 # Remove the given member's access permissions. 
 accessRole 
 = 
 "roles/secretmanager.secretAccessor" 
 for 
 b 
 in 
 list 
 ( 
 policy 
 . 
 bindings 
 ): 
 if 
 b 
 . 
 role 
 == 
 accessRole 
 and 
 member 
 in 
 b 
 . 
 members 
 : 
 b 
 . 
 members 
 . 
 remove 
 ( 
 member 
 ) 
 # Update the IAM Policy. 
 new_policy 
 = 
 client 
 . 
 set_iam_policy 
 ( 
 request 
 = 
 { 
 "resource" 
 : 
 name 
 , 
 "policy" 
 : 
 policy 
 }) 
 # Print data about the secret. 
 print 
 ( 
 f 
 "Updated IAM policy on 
 { 
 secret_id 
 } 
 " 
 )

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  # project_id = "YOUR-GOOGLE-CLOUD-PROJECT"  # (e.g. "my-project") 
 # secret_id  = "YOUR-SECRET-ID"             # (e.g. "my-secret") 
 # member     = "USER-OR-ACCOUNT"            # (e.g. "user:foo@example.com") 
 # Require the Secret Manager client library. 
 require 
  
 "google/cloud/secret_manager" 
 # Create a Secret Manager client. 
 client 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  SecretManager 
 
 . 
  secret_manager_service 
 
 # Build the resource name of the secret. 
 name 
  
 = 
  
 client 
 . 
 secret_path 
  
 project 
 : 
  
 project_id 
 , 
  
 secret 
 : 
  
 secret_id 
 # Get the current IAM policy. 
 policy 
  
 = 
  
 client 
 . 
 get_iam_policy 
  
 resource 
 : 
  
 name 
 # Remove the member from the current bindings 
 policy 
 . 
 bindings 
 . 
 each 
  
 do 
  
 | 
 bind 
 | 
  
 if 
  
 bind 
 . 
 role 
  
 == 
  
 "roles/secretmanager.secretAccessor" 
  
 bind 
 . 
 members 
 . 
 delete 
  
 member 
  
 end 
 end 
 # Update IAM policy 
 new_policy 
  
 = 
  
 client 
 . 
 set_iam_policy 
  
 resource 
 : 
  
 name 
 , 
  
 policy 
 : 
  
 policy 
 # Print a success message. 
 puts 
  
 "Updated IAM policy for 
 #{ 
 secret_id 
 } 
 "

What's next

Learn how to set an expiration date for a secret .
Learn how to set up rotation schedules for secrets .
Learn how to set up notifications on a secret .

Manage access to secrets Stay organized with collections Save and categorize content based on your preferences.

Required roles

Grant access

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

Python

Revoke access

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

What's next

Manage access to secrets