On theCreate secretpage, under Name, enter a name for the secret
(for example `universe-secret).
To add a secret version when creating the initial secret, in theSecret valuefield, enter a value for the secret (for example42).
Choose your region.
Click theCreate secretbutton.
Build and run a pipeline with Python function based components
The following is a sample component that prints out the previously created
secret.
Grant the service account that runs the pipeline with the Secret Manager
permission. See the "Configure a service account with granular permissions"
section ofConfigure your Google Cloud project for Vertex AI Pipelinesfor more information.
Using Kubeflow Pipelines SDK, build a simple pipeline with one task.
fromkfpimportcompilerfromkfpimportdsl# A simple component that prints a secret stored in Secret Manager# Be sure to specify "google-cloud-secret-manager" as one of packages_to_install@dsl.component(packages_to_install=['google-cloud-secret-manager'])defprint_secret_op(project_id:str,secret_id:str,version_id:str)->str:fromgoogle.cloudimportsecretmanagersecret_client=secretmanager.SecretManagerServiceClient()secret_name=f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'response=secret_client.access_secret_version(request={"name":secret_name})payload=response.payload.data.decode("UTF-8")answer="The secret is:{}".format(payload)print(answer)returnanswer# A simple pipeline that contains a single print_secret task@dsl.pipeline(name='secret-manager-demo-pipeline')defsecret_manager_demo_pipeline(project_id:str,secret_id:str,version_id:str):print_secret_task=print_secret_op(project_id,secret_id,version_id)# Compile the pipelinecompiler.Compiler().compile(pipeline_func=secret_manager_demo_pipeline,package_path='secret_manager_demo_pipeline.yaml')
PROJECT_ID: The Google Cloud project that this
pipeline runs in.
SECRET_ID: The secret ID created in previous steps
(for exampleuniverse-secret).
VERSION_ID: The version name of the secret.
REGION: The region that this pipeline runs in.
PIPELINE_ROOT: Specify a Cloud Storage URI that your
pipelines service account can access. The artifacts of your pipeline
runs are stored within the pipeline root.
SERVICE_ACCOUNT: The email address of the service account you
created with Secret Manager Accessor permission.
In the output of thejob.submit()function, you should be able to click the
link that brings you to view the pipeline execution in the Google Cloud console.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Configure secrets with Secret Manager\n\nYou can use Secret Manager's Python client with\nVertex AI Pipelines to access secrets stored on Secret Manager.\n\nCreate a secret using Google Cloud console\n------------------------------------------\n\n1. [Enable the Secret Manager API](http://console.cloud.google.com/apis/library/secretmanager.googleapis.com) in Google Cloud console.\n\n2. Go to the **Secret Manager** page in the Cloud console.\n\n [Go to the Secret Manager page](https://console.cloud.google.com/security/secret-manager)\n3. On the Secret Manager page, click **Create Secret**.\n\n4. On the **Create secret** page, under Name, enter a name for the secret\n (for example \\`universe-secret).\n\n5. To add a secret version when creating the initial secret, in the\n **Secret value** field, enter a value for the secret (for example `42`).\n\n6. Choose your region.\n\n7. Click the **Create secret** button.\n\nBuild and run a pipeline with Python function based components\n--------------------------------------------------------------\n\nThe following is a sample component that prints out the previously created\nsecret.\n\n1. Grant the service account that runs the pipeline with the Secret Manager\n permission. See the \"Configure a service account with granular permissions\"\n section of\n [Configure your Google Cloud project for Vertex AI Pipelines](/vertex-ai/docs/pipelines/configure-project#service-account)\n for more information.\n\n2. Using Kubeflow Pipelines SDK, build a simple pipeline with one task.\n\n from kfp import compiler\n from kfp import dsl\n\n # A simple component that prints a secret stored in Secret Manager\n # Be sure to specify \"google-cloud-secret-manager\" as one of packages_to_install\n @dsl.component(\n packages_to_install=['google-cloud-secret-manager']\n )\n def print_secret_op(project_id: str, secret_id: str, version_id: str) -\u003e str:\n from google.cloud import secretmanager\n\n secret_client = secretmanager.https://cloud.google.com/python/docs/reference/secretmanager/latest/google.cloud.secretmanager_v1.services.secret_manager_service.SecretManagerServiceClient.html()\n secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'\n response = secret_client.https://cloud.google.com/python/docs/reference/secretmanager/latest/google.cloud.secretmanager_v1.services.secret_manager_service.SecretManagerServiceClient.html#google_cloud_secretmanager_v1_services_secret_manager_service_SecretManagerServiceClient_access_secret_version(request={\"name\": secret_name})\n payload = response.payload.data.decode(\"UTF-8\")\n answer = \"The secret is: {}\".format(payload)\n print(answer)\n return answer\n\n # A simple pipeline that contains a single print_secret task\n @dsl.pipeline(\n name='secret-manager-demo-pipeline')\n def secret_manager_demo_pipeline(project_id: str, secret_id: str, version_id: str):\n print_secret_task = print_secret_op(project_id, secret_id, version_id)\n\n # Compile the pipeline\n compiler.Compiler().compile(pipeline_func=secret_manager_demo_pipeline,\n package_path='secret_manager_demo_pipeline.yaml')\n\n3. Run the pipeline using the Vertex AI SDK.\n\n from google.cloud import aiplatform\n\n parameter_values = {\n \"project_id\": \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003ePROJECT_ID\u003c/span\u003e\u003c/var\u003e,\n \"secret_id\": \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eSECRET_ID\u003c/span\u003e\u003c/var\u003e,\n \"version_id\": \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eVERSION_ID\u003c/span\u003e\u003c/var\u003e\n }\n\n aiplatform.https://cloud.google.com/python/docs/reference/aiplatform/latest/google.cloud.aiplatform.html(\n project=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003ePROJECT_ID\u003c/span\u003e\u003c/var\u003e,\n location=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eREGION\u003c/span\u003e\u003c/var\u003e,\n )\n\n job = aiplatform.https://cloud.google.com/python/docs/reference/aiplatform/latest/google.cloud.aiplatform_v1.types.PipelineJob.html(\n display_name=f'test-secret-manager-pipeline',\n template_path='secret_manager_demo_pipeline.yaml',\n pipeline_root=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003ePIPELINE_ROOT\u003c/span\u003e\u003c/var\u003e,\n enable_caching=False,\n parameter_values=parameter_values\n )\n\n job.submit(\n service_account=\u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-n\"\u003eSERVICE_ACCOUNT\u003c/span\u003e\u003c/var\u003e\n )\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The Google Cloud project that this pipeline runs in.\n - \u003cvar translate=\"no\"\u003eSECRET_ID\u003c/var\u003e: The secret ID created in previous steps (for example `universe-secret`).\n - \u003cvar translate=\"no\"\u003eVERSION_ID\u003c/var\u003e: The version name of the secret.\n - \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: The region that this pipeline runs in.\n - \u003cvar translate=\"no\"\u003ePIPELINE_ROOT\u003c/var\u003e: Specify a Cloud Storage URI that your pipelines service account can access. The artifacts of your pipeline runs are stored within the pipeline root.\n - \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT\u003c/var\u003e: The email address of the service account you created with Secret Manager Accessor permission.\n\nIn the output of the `job.submit()` function, you should be able to click the\nlink that brings you to view the pipeline execution in the Google Cloud console."]]
