Manage access to regional secrets

This page describes how to manage access to a regional secret, including the secret material. To learn more about access controls and permissions, see Access control with IAM.

Required roles

To get the permissions that you need to manage access to secrets, ask your administrator to grant you the Secret Manager Admin (roles/secretmanager.admin) IAM role on the secret, project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Grant access

To grant access to a secret, use one of the following methods:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. Go to the Regional secrets tab. To select a secret, click the checkbox next to the name of the secret.

  3. If it is not already open, click Show Info Panel to open the panel.

  4. In the info panel, click Add Principal.

  5. In the New principals field, enter the email address(es) of the members to add.

  6. In the Select a role list, choose Secret Manager, and then select Secret Manager Secret Accessor.

gcloud

Ensure that you have followed the steps described in Enable the Secret Manager API to manage regional secrets.

Before using any of the command data below, make the following replacements:

  • SECRET_ID: the ID of the secret
  • LOCATION: the Google Cloud location of the secret
  • MEMBER: the IAM member, such as a user, group, or service account

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets add-iam-policy-binding SECRET_ID --location=LOCATION \
    --member="MEMBER" \
    --role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud secrets add-iam-policy-binding SECRET_ID --location=LOCATION `
    --member="MEMBER" `
    --role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud secrets add-iam-policy-binding SECRET_ID --location=LOCATION ^
    --member="MEMBER" ^
    --role="roles/secretmanager.secretAccessor"

REST

Note: Unlike the other examples, this replaces the entire IAM policy.

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the secret
  • PROJECT_ID: the Google Cloud project that contains the secret
  • SECRET_ID: the ID of the secret
  • MEMBER: the IAM member, such as a user, group, or service account

HTTP method and URL:

POST https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy

Request JSON body:

{"policy": {"bindings": [{"members": ["MEMBER"], "role": "roles/secretmanager.secretAccessor"}]}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwYhOrAmWFQ=",
  "bindings": [
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": [
        "user:username@google.com"
      ]
    }
  ]
}

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	"google.golang.org/api/option"
)

// IamGrantAccessWithRegionalSecret grants the given member access to the secret.
func IamGrantAccessWithRegionalSecret(w io.Writer, projectId, locationId, secretId, member string) error {
	// name := "projects/my-project/locations/my-location/secrets/my-secret"
	// member := "user:foo@example.com"

	// Create the client.
	ctx := context.Background()

	// Endpoint to send the request to the regional server.
	endpoint := fmt.Sprintf("secretmanager.%s.rep.googleapis.com:443", locationId)
	client, err := secretmanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create regional secretmanager client: %w", err)
	}
	defer client.Close()

	name := fmt.Sprintf("projects/%s/locations/%s/secrets/%s", projectId, locationId, secretId)

	// Get the current IAM policy.
	handle := client.IAM(name)
	policy, err := handle.Policy(ctx)
	if err != nil {
		return fmt.Errorf("failed to get policy: %w", err)
	}

	// Grant the member access permissions.
	policy.Add(member, "roles/secretmanager.secretAccessor")
	if err = handle.SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("failed to save policy: %w", err)
	}

	fmt.Fprintf(w, "Updated IAM policy for %s\n", name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

public class IamGrantAccessWithRegionalSecret {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.

    // Your GCP project ID.
    String projectId = "your-project-id";
    // Location of the secret.
    String locationId = "your-location-id";
    // Resource ID of the secret to grant access to.
    String secretId = "your-secret-id";
    // IAM member, such as a user, group, or service account, that you want to grant access.
    String member = "user:foo@example.com";
    iamGrantAccessWithRegionalSecret(projectId, locationId, secretId, member);
  }

  // Grant a member access to a particular secret.
  public static Policy iamGrantAccessWithRegionalSecret(
      String projectId, String locationId, String secretId, String member)
      throws IOException {

    // Endpoint to call the regional Secret Manager server.
    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
    SecretManagerServiceSettings secretManagerServiceSettings =
        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only needs to be
    // created once, and can be reused for multiple requests.
    try (SecretManagerServiceClient client =
        SecretManagerServiceClient.create(secretManagerServiceSettings)) {
      // Build the resource name of the secret.
      SecretName secretName =
          SecretName.ofProjectLocationSecretName(projectId, locationId, secretId);

      // Request the current IAM policy.
      Policy currentPolicy =
          client.getIamPolicy(
              GetIamPolicyRequest.newBuilder().setResource(secretName.toString()).build());

      // Build the new binding.
      Binding binding =
          Binding.newBuilder()
              .setRole("roles/secretmanager.secretAccessor")
              .addMembers(member)
              .build();

      // Create a new IAM policy from the current policy, adding the binding.
      Policy newPolicy = Policy.newBuilder().mergeFrom(currentPolicy).addBindings(binding).build();

      // Save the updated IAM policy.
      Policy updatedPolicy =
          client.setIamPolicy(
              SetIamPolicyRequest.newBuilder()
                  .setResource(secretName.toString())
                  .setPolicy(newPolicy)
                  .build());

      System.out.printf("Updated IAM policy for %s\n", secretId);

      return updatedPolicy;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'my-project';
// const locationId = 'my-location';
// const secretId = 'my-secret';
// const member = 'user:you@example.com';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.

const name = `projects/${projectId}/locations/${locationId}/secrets/${secretId}`;

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Adding the endpoint to call the regional Secret Manager server
const options = {};
options.apiEndpoint = `secretmanager.${locationId}.rep.googleapis.com`;

// Instantiates a client
const client = new SecretManagerServiceClient(options);

async function grantAccessRegionalSecret() {
  // Get the current IAM policy.
  const [policy] = await client.getIamPolicy({
    resource: name,
  });

  // Add the user with accessor permissions to the bindings list.
  policy.bindings.push({
    role: 'roles/secretmanager.secretAccessor',
    members: [member],
  });

  // Save the updated IAM policy.
  await client.setIamPolicy({
    resource: name,
    policy: policy,
  });

  console.log(`Updated IAM policy for ${name}`);
}

grantAccessRegionalSecret();

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

# Import the Secret Manager client library.
from google.cloud import secretmanager_v1
from google.iam.v1 import policy_pb2


def iam_grant_access_with_regional_secret(
    project_id: str,
    location_id: str,
    secret_id: str,
    member: str,
) -> policy_pb2.Policy:
    """
    Grants the given member access to a secret.
    """

    # Endpoint to call the regional Secret Manager server.
    api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

    # Create the Secret Manager client.
    client = secretmanager_v1.SecretManagerServiceClient(
        client_options={"api_endpoint": api_endpoint},
    )

    # Build the resource name of the secret.
    name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"

    # Get the current IAM policy.
    policy = client.get_iam_policy(request={"resource": name})

    # Add the given member with access permissions.
    policy.bindings.add(role="roles/secretmanager.secretAccessor", members=[member])

    # Update the IAM policy; the call returns the policy that was stored.
    new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})

    # Print data about the secret.
    print(f"Updated IAM policy on {secret_id}")

    return new_policy

Revoke access

To revoke access from a secret, use one of the following methods:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. Go to the Regional secrets tab. To select a secret, click the checkbox next to the name of the secret.

  3. If it is not already open, click Show Info Panel to open the panel.

  4. In the info panel, click the expander arrow next to the user role to see a list of the users or service accounts with access to that role.

  5. To remove the user or service account, click Delete next to service account or user ID.

  6. In the confirmation dialog that appears, click Remove.

gcloud

Before using any of the command data below, make the following replacements:

  • SECRET_ID: the ID of the secret
  • LOCATION: the Google Cloud location of the secret
  • MEMBER: the IAM member, such as a user, group, or service account

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets remove-iam-policy-binding SECRET_ID --location=LOCATION \
    --member="MEMBER" \
    --role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud secrets remove-iam-policy-binding SECRET_ID --location=LOCATION `
    --member="MEMBER" `
    --role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud secrets remove-iam-policy-binding SECRET_ID --location=LOCATION ^
    --member="MEMBER" ^
    --role="roles/secretmanager.secretAccessor"

REST

Note: Unlike the other examples, this replaces the entire IAM policy.

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the secret
  • PROJECT_ID: the Google Cloud project ID
  • SECRET_ID: the ID of the secret

HTTP method and URL:

POST https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy

Request JSON body:

{"policy": {"bindings": []}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://secretmanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "version": 1,
  "etag": "BwYhOtzsOBk="
}
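
The REST notes in the grant and revoke sections state that setIamPolicy replaces the entire IAM policy, so a request body that lists a single binding, or an empty bindings list, also removes every other grant on the secret. The following is an added example, not code from the original page or from the Secret Manager SDKs: it builds request.json from a policy previously read with getIamPolicy, changing only the one member and keeping the other bindings and the etag. The helper names and the sample policy are constructed for illustration.

```python
import copy
import json

ACCESSOR = "roles/secretmanager.secretAccessor"

# Constructed sample of a policy as returned by getIamPolicy (not real data).
SAMPLE_POLICY = {
    "version": 3,
    "etag": "CONSTRUCTED_ETAG=",
    "bindings": [
        {"role": "roles/secretmanager.viewer",
         "members": ["group:auditors@example.com"]},
        {"role": ACCESSOR,
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": ACCESSOR,
         "members": ["user:temp@example.com"],
         "condition": {
             "title": "expires",
             "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
    ],
}


def _unconditional_binding(bindings, role):
    """Return the binding for `role` that carries no IAM condition, or None."""
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            return binding
    return None


def grant(policy, member, role=ACCESSOR):
    """Return a copy of `policy` with `member` added to `role`.

    Conditional bindings are left untouched; the etag is carried over so the
    server can reject the write if the policy changed after it was read.
    """
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    binding = _unconditional_binding(bindings, role)
    if binding is None:
        bindings.append({"role": role, "members": [member]})
    elif member not in binding.setdefault("members", []):
        binding["members"].append(member)
    return new


def revoke(policy, member, role=ACCESSOR):
    """Return a copy of `policy` with `member` removed from every `role` binding.

    Bindings for other roles are kept; bindings left without members are dropped.
    """
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding.get("role") == role:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    new["bindings"] = kept
    return new


def set_iam_policy_body(policy):
    """Serialize `policy` as the setIamPolicy request body (request.json)."""
    return json.dumps({"policy": policy}, indent=2)


if __name__ == "__main__":
    updated = grant(SAMPLE_POLICY, "user:new@example.com")
    print(set_iam_policy_body(updated))
```
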

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	"google.golang.org/api/option"
)

// IamRevokeAccessWithRegionalSecret revokes the given member's access on the secret.
func IamRevokeAccessWithRegionalSecret(w io.Writer, projectId, locationId, secretId, member string) error {
	// name := "projects/my-project/locations/my-location/secrets/my-secret"
	// member := "user:foo@example.com"

	// Create the client.
	ctx := context.Background()

	// Endpoint to send the request to the regional server.
	endpoint := fmt.Sprintf("secretmanager.%s.rep.googleapis.com:443", locationId)
	client, err := secretmanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create regional secretmanager client: %w", err)
	}
	defer client.Close()

	name := fmt.Sprintf("projects/%s/locations/%s/secrets/%s", projectId, locationId, secretId)

	// Get the current IAM policy.
	handle := client.IAM(name)
	policy, err := handle.Policy(ctx)
	if err != nil {
		return fmt.Errorf("failed to get policy: %w", err)
	}

	// Revoke the member's access permissions.
	policy.Remove(member, "roles/secretmanager.secretAccessor")
	if err = handle.SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("failed to save policy: %w", err)
	}

	fmt.Fprintf(w, "Updated IAM policy for %s\n", name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

public class IamRevokeAccessWithRegionalSecret {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.

    // Your GCP project ID.
    String projectId = "your-project-id";
    // Location of the secret.
    String locationId = "your-location-id";
    // Resource ID of the secret to revoke access to.
    String secretId = "your-secret-id";
    // IAM member, such as a user, group, or service account, whose access you want to revoke.
    String member = "user:foo@example.com";
    iamRevokeAccessWithRegionalSecret(projectId, locationId, secretId, member);
  }

  // Revoke a member's access to a particular secret.
  public static Policy iamRevokeAccessWithRegionalSecret(
      String projectId, String locationId, String secretId, String member)
      throws IOException {

    // Endpoint to call the regional Secret Manager server.
    String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
    SecretManagerServiceSettings secretManagerServiceSettings =
        SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only needs to be
    // created once, and can be reused for multiple requests.
    try (SecretManagerServiceClient client =
        SecretManagerServiceClient.create(secretManagerServiceSettings)) {
      // Build the resource name of the secret.
      SecretName secretName =
          SecretName.ofProjectLocationSecretName(projectId, locationId, secretId);

      // Request the current IAM policy.
      Policy policy =
          client.getIamPolicy(
              GetIamPolicyRequest.newBuilder().setResource(secretName.toString()).build());

      // Rebuild the bindings without the member. Built protobuf messages are immutable,
      // so the member list cannot be edited in place, and role strings must be compared
      // with equals() rather than ==.
      String roleToFind = "roles/secretmanager.secretAccessor";
      Policy.Builder newPolicy = policy.toBuilder().clearBindings();
      for (Binding binding : policy.getBindingsList()) {
        if (!binding.getRole().equals(roleToFind)
            || !binding.getMembersList().contains(member)) {
          newPolicy.addBindings(binding);
          continue;
        }
        Binding.Builder updated = binding.toBuilder().clearMembers();
        for (String existing : binding.getMembersList()) {
          if (!existing.equals(member)) {
            updated.addMembers(existing);
          }
        }
        // Keep the binding only if other members remain on it.
        if (updated.getMembersCount() > 0) {
          newPolicy.addBindings(updated.build());
        }
      }

      // Save the updated IAM policy.
      Policy updatedPolicy =
          client.setIamPolicy(
              SetIamPolicyRequest.newBuilder()
                  .setResource(secretName.toString())
                  .setPolicy(newPolicy.build())
                  .build());

      System.out.printf("Updated IAM policy for %s\n", secretId);

      return updatedPolicy;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'my-project';
// const locationId = 'my-location';
// const secretId = 'my-secret';
// const versionId = 'my-version';
// const member = 'user:you@example.com';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.

const name = `projects/${projectId}/locations/${locationId}/secrets/${secretId}`;

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Adding the endpoint to call the regional Secret Manager server
const options = {};
options.apiEndpoint = `secretmanager.${locationId}.rep.googleapis.com`;

// Instantiates a client
const client = new SecretManagerServiceClient(options);

async function revokeAccessRegionalSecret() {
  // Get the current IAM policy.
  const [policy] = await client.getIamPolicy({
    resource: name,
  });

  // Remove the member from every secretAccessor binding.
  for (const i in policy.bindings) {
    const binding = policy.bindings[i];
    if (binding.role !== 'roles/secretmanager.secretAccessor') {
      continue;
    }

    const idx = binding.members.indexOf(member);
    if (idx !== -1) {
      binding.members.splice(idx, 1);
    }
  }

  // Save the updated IAM policy.
  await client.setIamPolicy({
    resource: name,
    policy: policy,
  });

  console.log(`Updated IAM policy for ${name}`);
}

revokeAccessRegionalSecret();

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

# Import the Secret Manager client library.
from google.cloud import secretmanager_v1
from google.iam.v1 import policy_pb2


def iam_revoke_access_with_regional_secret(
    project_id: str,
    location_id: str,
    secret_id: str,
    member: str,
) -> policy_pb2.Policy:
    """
    Revokes the given member access to a secret.
    """

    # Endpoint to call the regional Secret Manager server.
    api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

    # Create the Secret Manager client.
    client = secretmanager_v1.SecretManagerServiceClient(
        client_options={"api_endpoint": api_endpoint},
    )

    # Build the resource name of the secret.
    name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"

    # Get the current IAM policy.
    policy = client.get_iam_policy(request={"resource": name})

    # Remove the given member's access permissions.
    access_role = "roles/secretmanager.secretAccessor"
    for b in list(policy.bindings):
        if b.role == access_role and member in b.members:
            b.members.remove(member)

    # Update the IAM policy; the call returns the policy that was stored.
    new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})

    # Print data about the secret.
    print(f"Updated IAM policy on {secret_id}")

    return new_policy
