List secrets and view secret details

In Secret Manager, a secret acts as a container for multiple secret versions. It holds important information like labels and rotation settings, but not the secret value itself. This page explains how to retrieve a list of all secrets within a project and view the metadata associated with each secret.

Important: To use Secret Manager with workloads running on Compute Engine or Google Kubernetes Engine, the underlying instance or node must have the cloud-platform OAuth scope. See accessing the Secret Manager API for more information.

Required roles

To get the permissions that you need to list secrets and view secret metadata, ask your administrator to grant you the Secret Manager Viewer ( roles/secretmanager.viewer ) IAM role on the project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations .

You might also be able to get the required permissions through custom roles or other predefined roles .

List secrets

To retrieve a list of all secrets within a project, use one of the following methods:

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
Check the list of secrets in the project. You can click a secret to view the secret metadata.

gcloud

Before using any of the command data below, make the following replacements:

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud  
secrets  
list

Windows (PowerShell)

gcloud  
secrets  
list

Windows (cmd.exe)

gcloud  
secrets  
list

The response returns the list of secrets and their secret versions.

REST

Before using any of the request data, make the following replacements:

PROJECT_ID : the Google Cloud project ID

HTTP method and URL:

GET https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets

Request JSON body:

{}

To send your request, choose one of these options:

curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell , which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets"

PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "secrets": [
    {
      "name": "projects/ PROJECT_ID 
/locations/ LOCATION 
/secrets/ SECRET_ID 
",
      "createTime": "2024-09-02T07:14:00.281541Z",
      "etag": "\"16211daf5f29c5\""
    },
  ],
  "totalSize": 1
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  using 
  
  Google.Api.Gax.ResourceNames 
 
 ; 
 using 
  
  Google.Cloud.SecretManager.V1 
 
 ; 
 public 
  
 class 
  
 ListSecretsSample 
 { 
  
 public 
  
 void 
  
 ListSecrets 
 ( 
 string 
  
 projectId 
  
 = 
  
 "my-project" 
 ) 
  
 { 
  
 // Create the client. 
  
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
  Create 
 
 (); 
  
 // Build the resource name. 
  
  ProjectName 
 
  
 projectName 
  
 = 
  
 new 
  
  ProjectName 
 
 ( 
 projectId 
 ); 
  
 // Call the API. 
  
 foreach 
  
 ( 
 Secret 
  
 secret 
  
 in 
  
 client 
 . 
  ListSecrets 
 
 ( 
 projectName 
 )) 
  
 { 
  
 // ... 
  
 } 
  
 } 
 }

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 secretmanager 
  
 "cloud.google.com/go/secretmanager/apiv1" 
  
 "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" 
  
 "google.golang.org/api/iterator" 
 ) 
 // listSecrets lists all secrets in the given project. 
 func 
  
 listSecrets 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 parent 
  
 string 
 ) 
  
 error 
  
 { 
  
 // parent := "projects/my-project" 
  
 // Create the client. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 secretmanager 
 . 
  NewClient 
 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to create secretmanager client: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
  Close 
 
 () 
  
 // Build the request. 
  
 req 
  
 := 
  
& secretmanagerpb 
 . 
 ListSecretsRequest 
 { 
  
 Parent 
 : 
  
 parent 
 , 
  
 } 
  
 // Call the API. 
  
 it 
  
 := 
  
 client 
 . 
 ListSecrets 
 ( 
 ctx 
 , 
  
 req 
 ) 
  
 for 
  
 { 
  
 resp 
 , 
  
 err 
  
 := 
  
 it 
 . 
 Next 
 () 
  
 if 
  
 err 
  
 == 
  
 iterator 
 . 
 Done 
  
 { 
  
 break 
  
 } 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to list secrets: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Found secret %s\n" 
 , 
  
 resp 
 . 
 Name 
 ) 
  
 } 
  
 return 
  
 nil 
 }

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 com.google.cloud.secretmanager.v1. ProjectName 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretManagerServiceClient 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretManagerServiceClient 
. ListSecretsPagedResponse 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 public 
  
 class 
 ListSecrets 
  
 { 
  
 public 
  
 static 
  
 void 
  
 listSecrets 
 () 
  
 throws 
  
 IOException 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 listSecrets 
 ( 
 projectId 
 ); 
  
 } 
  
 // List all secrets for a project 
  
 public 
  
 static 
  
 void 
  
 listSecrets 
 ( 
 String 
  
 projectId 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // Initialize client that will be used to send requests. This client only needs to be created 
  
 // once, and can be reused for multiple requests. After completing all of your requests, call 
  
 // the "close" method on the client to safely clean up any remaining background resources. 
  
 try 
  
 ( 
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
 create 
 ()) 
  
 { 
  
 // Build the parent name. 
  
  ProjectName 
 
  
 projectName 
  
 = 
  
  ProjectName 
 
 . 
 of 
 ( 
 projectId 
 ); 
  
 // Get all secrets. 
  
  ListSecretsPagedResponse 
 
  
 pagedResponse 
  
 = 
  
 client 
 . 
 listSecrets 
 ( 
 projectName 
 ); 
  
 // List all secrets. 
  
 pagedResponse 
  
 . 
 iterateAll 
 () 
  
 . 
 forEach 
 ( 
  
 secret 
  
 - 
>  
 { 
  
 System 
 . 
 out 
 . 
 printf 
 ( 
 "Secret %s\n" 
 , 
  
 secret 
 . 
 getName 
 ()); 
  
 }); 
  
 } 
  
 } 
 }

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  /** 
 * TODO(developer): Uncomment these variables before running the sample. 
 */ 
 // const parent = 'projects/my-project'; 
 // Imports the Secret Manager library 
 const 
  
 { 
 SecretManagerServiceClient 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/secret-manager 
' 
 ); 
 // Instantiates a client 
 const 
  
 client 
  
 = 
  
 new 
  
  SecretManagerServiceClient 
 
 (); 
 async 
  
 function 
  
 listSecrets 
 () 
  
 { 
  
 const 
  
 [ 
 secrets 
 ] 
  
 = 
  
 await 
  
 client 
 . 
 listSecrets 
 ({ 
  
 parent 
 : 
  
 parent 
 , 
  
 }); 
  
 secrets 
 . 
 forEach 
 ( 
 secret 
  
 = 
>  
 { 
  
 const 
  
 policy 
  
 = 
  
 secret 
 . 
 replication 
 . 
 userManaged 
  
 ? 
  
 secret 
 . 
 replication 
 . 
 userManaged 
  
 : 
  
 secret 
 . 
 replication 
 . 
 automatic 
 ; 
  
 console 
 . 
 log 
 ( 
 ` 
 ${ 
 secret 
 . 
 name 
 } 
 ( 
 ${ 
 policy 
 } 
 )` 
 ); 
  
 }); 
 } 
 listSecrets 
 ();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  // Import the Secret Manager client library. 
 use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient; 
 use Google\Cloud\SecretManager\V1\ListSecretsRequest; 
 /** 
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project') 
 */ 
 function list_secrets(string $projectId): void 
 { 
 // Create the Secret Manager client. 
 $client = new SecretManagerServiceClient(); 
 // Build the resource name of the parent secret. 
 $parent = $client->projectName($projectId); 
 // Build the request. 
 $request = ListSecretsRequest::build($parent); 
 // List all secrets. 
 foreach ($client->listSecrets($request) as $secret) { 
 printf('Found secret %s', $secret->getName()); 
 } 
 }

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  def 
  
 list_secrets 
 ( 
 project_id 
 : 
 str 
 ) 
 - 
> None 
 : 
  
 """ 
 List all secrets in the given project. 
 """ 
 # Import the Secret Manager client library. 
 from 
  
 google.cloud 
  
 import 
 secretmanager 
 # Create the Secret Manager client. 
 client 
 = 
 secretmanager 
 . 
  SecretManagerServiceClient 
 
 () 
 # Build the resource name of the parent project. 
 parent 
 = 
 f 
 "projects/ 
 { 
 project_id 
 } 
 " 
 # List all secrets. 
 for 
 secret 
 in 
 client 
 . 
  list_secrets 
 
 ( 
 request 
 = 
 { 
 "parent" 
 : 
 parent 
 }): 
 print 
 ( 
 f 
 "Found secret: 
 { 
 secret 
 . 
 name 
 } 
 " 
 )

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  # project_id = "YOUR-GOOGLE-CLOUD-PROJECT"  # (e.g. "my-project") 
 # Require the Secret Manager client library. 
 require 
  
 "google/cloud/secret_manager" 
 # Create a Secret Manager client. 
 client 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  SecretManager 
 
 . 
  secret_manager_service 
 
 # Build the resource name of the parent. 
 parent 
  
 = 
  
 client 
 . 
 project_path 
  
 project 
 : 
  
 project_id 
 # Get the list of secrets. 
 list 
  
 = 
  
 client 
 . 
 list_secrets 
  
 parent 
 : 
  
 parent 
 # Print out all secrets. 
 list 
 . 
 each 
  
 do 
  
 | 
 secret 
 | 
  
 puts 
  
 "Got secret 
 #{ 
 secret 
 . 
 name 
 } 
 " 
 end

View secret details

To view a secret's metadata, use one of the following methods:

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
Click the secret whose details you want to view.
On the secret details page, click the Overview tab. This tab displays the general details and metadata associated with the secret.

gcloud

Before using any of the command data below, make the following replacements:

SECRET_ID : the ID of the secret

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud  
secrets  
describe  
 SECRET_ID

Windows (PowerShell)

gcloud  
secrets  
describe  
 SECRET_ID

Windows (cmd.exe)

gcloud  
secrets  
describe  
 SECRET_ID

The response returns the secret.

REST

Before using any of the request data, make the following replacements:

PROJECT_ID : the Google Cloud project ID
SECRET_ID : the ID of the secret

HTTP method and URL:

GET https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID

Request JSON body:

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json , and execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
"

PowerShell

Save the request body in a file named request.json , and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.googleapis.com/v1/projects/ PROJECT_ID 
/secrets/ SECRET_ID 
" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/ PROJECT_ID 
/locations/ LOCATION 
/secrets/ SECRET_ID 
",
  "createTime": "2024-09-02T07:14:00.281541Z",
  "etag": "\"16211daf5f29c5\""
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  using 
  
  Google.Cloud.SecretManager.V1 
 
 ; 
 public 
  
 class 
  
 GetSecretSample 
 { 
  
 public 
  
 Secret 
  
 GetSecret 
 ( 
 string 
  
 projectId 
  
 = 
  
 "my-project" 
 , 
  
 string 
  
 secretId 
  
 = 
  
 "my-secret" 
 ) 
  
 { 
  
 // Create the client. 
  
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
  Create 
 
 (); 
  
 // Build the resource name. 
  
  SecretName 
 
  
 secretName 
  
 = 
  
 new 
  
  SecretName 
 
 ( 
 projectId 
 , 
  
 secretId 
 ); 
  
 // Call the API. 
  
 Secret 
  
 secret 
  
 = 
  
 client 
 . 
  GetSecret 
 
 ( 
 secretName 
 ); 
  
 return 
  
 secret 
 ; 
  
 } 
 }

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 secretmanager 
  
 "cloud.google.com/go/secretmanager/apiv1" 
  
 "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" 
 ) 
 // getSecret gets information about the given secret. This only returns metadata 
 // about the secret container, not any secret material. 
 func 
  
 getSecret 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 name 
  
 string 
 ) 
  
 error 
  
 { 
  
 // name := "projects/my-project/secrets/my-secret" 
  
 // Create the client. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 secretmanager 
 . 
  NewClient 
 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to create secretmanager client: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
  Close 
 
 () 
  
 // Build the request. 
  
 req 
  
 := 
  
& secretmanagerpb 
 . 
 GetSecretRequest 
 { 
  
 Name 
 : 
  
 name 
 , 
  
 } 
  
 // Call the API. 
  
 result 
 , 
  
 err 
  
 := 
  
 client 
 . 
 GetSecret 
 ( 
 ctx 
 , 
  
 req 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to get secret: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 replication 
  
 := 
  
 result 
 . 
 Replication 
 . 
 Replication 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Found secret %s with replication policy %s\n" 
 , 
  
 result 
 . 
 Name 
 , 
  
 replication 
 ) 
  
 return 
  
 nil 
 }

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 com.google.cloud.secretmanager.v1. Secret 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretManagerServiceClient 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretName 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 public 
  
 class 
 GetSecret 
  
 { 
  
 public 
  
 static 
  
 void 
  
 getSecret 
 () 
  
 throws 
  
 IOException 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 String 
  
 secretId 
  
 = 
  
 "your-secret-id" 
 ; 
  
 getSecret 
 ( 
 projectId 
 , 
  
 secretId 
 ); 
  
 } 
  
 // Get an existing secret. 
  
 public 
  
 static 
  
 void 
  
 getSecret 
 ( 
 String 
  
 projectId 
 , 
  
 String 
  
 secretId 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // Initialize client that will be used to send requests. This client only needs to be created 
  
 // once, and can be reused for multiple requests. After completing all of your requests, call 
  
 // the "close" method on the client to safely clean up any remaining background resources. 
  
 try 
  
 ( 
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  SecretManagerServiceClient 
 
 . 
 create 
 ()) 
  
 { 
  
 // Build the name. 
  
  SecretName 
 
  
 secretName 
  
 = 
  
  SecretName 
 
 . 
 of 
 ( 
 projectId 
 , 
  
 secretId 
 ); 
  
 // Create the secret. 
  
  Secret 
 
  
 secret 
  
 = 
  
 client 
 . 
 getSecret 
 ( 
 secretName 
 ); 
  
 // Get the replication policy. 
  
 String 
  
 replication 
  
 = 
  
 "" 
 ; 
  
 if 
  
 ( 
 secret 
 . 
  getReplication 
 
 (). 
 getAutomatic 
 () 
  
 != 
  
 null 
 ) 
  
 { 
  
 replication 
  
 = 
  
 "AUTOMATIC" 
 ; 
  
 } 
  
 else 
  
 if 
  
 ( 
 secret 
 . 
  getReplication 
 
 (). 
 getUserManaged 
 () 
  
 != 
  
 null 
 ) 
  
 { 
  
 replication 
  
 = 
  
 "MANAGED" 
 ; 
  
 } 
  
 else 
  
 { 
  
 throw 
  
 new 
  
 IllegalStateException 
 ( 
 "Unknown replication type" 
 ); 
  
 } 
  
 System 
 . 
 out 
 . 
 printf 
 ( 
 "Secret %s, replication %s\n" 
 , 
  
 secret 
 . 
  getName 
 
 (), 
  
 replication 
 ); 
  
 } 
  
 } 
 }

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  /** 
 * Get metadata about a secret. 
 * 
 * @param {string} projectId The ID of the Google Cloud project. 
 * @param {string} secretId The ID of the secret to retrieve. 
 */ 
 async 
  
 function 
  
 getSecret 
 ( 
 projectId 
 , 
  
 secretId 
 ) 
  
 { 
  
 const 
  
 client 
  
 = 
  
 new 
  
 SecretManagerServiceClient 
 (); 
  
 const 
  
 name 
  
 = 
  
 `projects/ 
 ${ 
 projectId 
 } 
 /secrets/ 
 ${ 
 secretId 
 } 
 ` 
 ; 
  
 try 
  
 { 
  
 const 
  
 [ 
 secret 
 ] 
  
 = 
  
 await 
  
 client 
 . 
 getSecret 
 ({ 
  
 name 
 : 
  
 name 
 , 
  
 }); 
  
 if 
  
 ( 
 secret 
 . 
 replication 
 && 
 secret 
 . 
 replication 
 . 
 replication 
 ) 
  
 { 
  
 const 
  
 policy 
  
 = 
  
 secret 
 . 
 replication 
 . 
 replication 
 ; 
  
 console 
 . 
 info 
 ( 
  
 `Found secret 
 ${ 
 secret 
 . 
 name 
 } 
 with replication policy 
 ${ 
 policy 
 } 
 ` 
  
 ); 
  
 } 
  
 else 
  
 { 
  
 console 
 . 
 info 
 ( 
 `Found secret 
 ${ 
 secret 
 . 
 name 
 } 
 with no replication policy.` 
 ); 
  
 } 
  
 return 
  
 secret 
 ; 
  
 } 
  
 catch 
  
 ( 
 err 
 ) 
  
 { 
  
 console 
 . 
 error 
 ( 
 `Failed to retrieve secret 
 ${ 
 name 
 } 
 :` 
 , 
  
 err 
 ); 
  
 } 
  
 finally 
  
 { 
  
 await 
  
 client 
 . 
 close 
 (); 
  
 } 
 }

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  // Import the Secret Manager client library. 
 use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient; 
 use Google\Cloud\SecretManager\V1\GetSecretRequest; 
 /** 
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project') 
 * @param string $secretId  Your secret ID (e.g. 'my-secret') 
 */ 
 function get_secret(string $projectId, string $secretId): void 
 { 
 // Create the Secret Manager client. 
 $client = new SecretManagerServiceClient(); 
 // Build the resource name of the secret. 
 $name = $client->secretName($projectId, $secretId); 
 // Build the request. 
 $request = GetSecretRequest::build($name); 
 // Get the secret. 
 $secret = $client->getSecret($request); 
 // Get the replication policy. 
 $replication = strtoupper($secret->getReplication()->getReplication()); 
 // Print data about the secret. 
 printf('Got secret %s with replication policy %s', $secret->getName(), $replication); 
 }

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  def 
  
 get_secret 
 ( 
 project_id 
 : 
 str 
 , 
 secret_id 
 : 
 str 
 ) 
 - 
> secretmanager 
 . 
 GetSecretRequest 
 : 
  
 """ 
 Get information about the given secret. This only returns metadata about 
 the secret container, not any secret material. 
 """ 
 # Import the Secret Manager client library. 
 from 
  
 google.cloud 
  
 import 
 secretmanager 
 # Create the Secret Manager client. 
 client 
 = 
 secretmanager 
 . 
 SecretManagerServiceClient 
 () 
 # Build the resource name of the secret. 
 name 
 = 
 client 
 . 
 secret_path 
 ( 
 project_id 
 , 
 secret_id 
 ) 
 # Get the secret. 
 response 
 = 
 client 
 . 
 get_secret 
 ( 
 request 
 = 
 { 
 "name" 
 : 
 name 
 }) 
 # Get the replication policy. 
 if 
 "automatic" 
 in 
 response 
 . 
 replication 
 : 
 replication 
 = 
 "AUTOMATIC" 
 elif 
 "user_managed" 
 in 
 response 
 . 
 replication 
 : 
 replication 
 = 
 "MANAGED" 
 else 
 : 
 raise 
 Exception 
 ( 
 f 
 "Unknown replication 
 { 
 response 
 . 
 replication 
 } 
 " 
 ) 
 # Print data about the secret. 
 print 
 ( 
 f 
 "Got secret 
 { 
 response 
 . 
 name 
 } 
 with replication policy 
 { 
 replication 
 } 
 " 
 )

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  # project_id = "YOUR-GOOGLE-CLOUD-PROJECT"  # (e.g. "my-project") 
 # secret_id  = "YOUR-SECRET-ID"             # (e.g. "my-secret") 
 # Require the Secret Manager client library. 
 require 
  
 "google/cloud/secret_manager" 
 # Create a Secret Manager client. 
 client 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  SecretManager 
 
 . 
  secret_manager_service 
 
 # Build the resource name of the secret. 
 name 
  
 = 
  
 client 
 . 
 secret_path 
  
 project 
 : 
  
 project_id 
 , 
  
 secret 
 : 
  
 secret_id 
 # Get the secret. 
 secret 
  
 = 
  
 client 
 . 
 get_secret 
  
 name 
 : 
  
 name 
 # Get the replication policy. 
 if 
  
 ! 
 secret 
 . 
 replication 
 . 
 automatic 
 . 
 nil? 
  
 replication 
  
 = 
  
 "automatic" 
 elsif 
  
 ! 
 secret 
 . 
 replication 
 . 
 user_managed 
 . 
 nil? 
  
 replication 
  
 = 
  
 "user managed" 
 else 
  
 raise 
  
 "Unknown replication 
 #{ 
 secret 
 . 
 replication 
 } 
 " 
 end 
 # Print a success message. 
 puts 
  
 "Got secret 
 #{ 
 secret 
 . 
 name 
 } 
 with replication policy 
 #{ 
 replication 
 } 
 "

What's next

Learn how to edit secrets .
Learn how to set up rotation schedules for secrets .
Learn how to set up notifications on a secret .

List secrets and view secret details Stay organized with collections Save and categorize content based on your preferences.

Required roles

List secrets

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

View secret details

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

What's next

List secrets and view secret details