Secret Manager API Connector Overview

The Workflows connector defines the built-in functions that can be used to access other Google Cloud products within a workflow.

This page provides an overview of the individual connector. There is no need to import or load connector libraries in a workflow—connectors work out of the box when used in a call step.

Secret Manager API

Stores sensitive data such as API keys, passwords, and certificates. Provides convenience while improving security. To learn more, see the Secret Manager API documentation .

Helper methods

You can use the helper method accessString to retrieve the secret data as a string. This is simpler than using the access API as the secret data is automatically decoded to a string format. To learn more, see the accessString documentation .

You can use the helper method addVersionString to add a new secret value to an existing secret. This is simpler than using the addVersion API as the secret data is automatically encoded to a base-64 string, which is required by addVersion . To learn more, see the addVersionString documentation .

In addition to using a call step, you can call the helper methods in an expression like this:

  ${ 
 googleapis 
 . 
 secretmanager 
 . 
 v1 
 . 
 projects 
 . 
 secrets 
 . 
 versions 
 . 
 accessString 
 ( 
 secret_id 
 , 
 version 
 , 
 project_id 
 ) 
 }

Secret Manager connector sample

YAML

  # This workflow demonstrates how to use the Secret Manager connector: 
 # Retrieve a secret using three different methods 
 # Expected output: the secret data (thrice) 
 - 
  
 init 
 : 
  
 assign 
 : 
  
 - 
  
 project_id 
 : 
  
 ${sys.get_env("GOOGLE_CLOUD_PROJECT_ID")} 
  
 - 
  
 secret_id 
 : 
  
 "test-secret" 
  
 # Make sure you have this secret and it has a version of 1. 
  
 - 
  
 version 
 : 
  
 "1" 
 # Add data to an existing secret without base-64 encoding 
 - 
  
 add_version_string 
 : 
  
 call 
 : 
  
 googleapis.secretmanager.v1.projects.secrets.addVersionString 
  
 args 
 : 
  
 secret_id 
 : 
  
 ${secret_id} 
  
 project_id 
 : 
  
 ${project_id} 
  
 data 
 : 
  
 "a 
  
 new 
  
 secret" 
 # Retrieve the secret in string format without base-64 decoding and assume 
 # that the secret data is a valid UTF-8 string; if not, raise an error 
 - 
  
 access_string_secret 
 : 
  
 call 
 : 
  
 googleapis.secretmanager.v1.projects.secrets.versions.accessString 
  
 args 
 : 
  
 secret_id 
 : 
  
 ${secret_id} 
  
 version 
 : 
  
 ${version} 
  
 # if not set, "latest" is used 
  
 project_id 
 : 
  
 ${project_id} 
  
 result 
 : 
  
 str_secret 
 # Retrieve the secret in string format without base-64 decoding 
 - 
  
 access_secret 
 : 
  
 call 
 : 
  
 googleapis.secretmanager.v1.projects.secrets.versions.access 
  
 args 
 : 
  
 name 
 : 
  
 ${"projects/" + project_id + "/secrets/" + secret_id + "/versions/" + version} 
  
 result 
 : 
  
 base64_encoded_secret 
 # Retrieve the secret using positional arguments in an expression 
 - 
  
 expression 
 : 
  
 assign 
 : 
  
 - 
  
 secret_str_from_exp 
 : 
  
 ${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)} 
 - 
  
 the_end 
 : 
  
 return 
 : 
  
 - 
  
 ${str_secret} 
  
 - 
  
 ${text.decode(base64.decode(base64_encoded_secret.payload.data))} 
  
 - 
  
 ${secret_str_from_exp}

JSON

  [ 
  
 { 
  
 "init" 
 : 
  
 { 
  
 "assign" 
 : 
  
 [ 
  
 { 
  
 "project_id" 
 : 
  
 "${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}" 
  
 }, 
  
 { 
  
 "secret_id" 
 : 
  
 "test-secret" 
  
 }, 
  
 { 
  
 "version" 
 : 
  
 "1" 
  
 } 
  
 ] 
  
 } 
  
 }, 
  
 { 
  
 "add_version_string" 
 : 
  
 { 
  
 "call" 
 : 
  
 "googleapis.secretmanager.v1.projects.secrets.addVersionString" 
 , 
  
 "args" 
 : 
  
 { 
  
 "secret_id" 
 : 
  
 "${secret_id}" 
 , 
  
 "project_id" 
 : 
  
 "${project_id}" 
 , 
  
 "data" 
 : 
  
 "a new secret" 
  
 } 
  
 } 
  
 }, 
  
 { 
  
 "access_string_secret" 
 : 
  
 { 
  
 "call" 
 : 
  
 "googleapis.secretmanager.v1.projects.secrets.versions.accessString" 
 , 
  
 "args" 
 : 
  
 { 
  
 "secret_id" 
 : 
  
 "${secret_id}" 
 , 
  
 "version" 
 : 
  
 "${version}" 
 , 
  
 "project_id" 
 : 
  
 "${project_id}" 
  
 }, 
  
 "result" 
 : 
  
 "str_secret" 
  
 } 
  
 }, 
  
 { 
  
 "access_secret" 
 : 
  
 { 
  
 "call" 
 : 
  
 "googleapis.secretmanager.v1.projects.secrets.versions.access" 
 , 
  
 "args" 
 : 
  
 { 
  
 "name" 
 : 
  
 "${\"projects/\" + project_id + \"/secrets/\" + secret_id + \"/versions/\" + version}" 
  
 }, 
  
 "result" 
 : 
  
 "base64_encoded_secret" 
  
 } 
  
 }, 
  
 { 
  
 "expression" 
 : 
  
 { 
  
 "assign" 
 : 
  
 [ 
  
 { 
  
 "secret_str_from_exp" 
 : 
  
 "${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}" 
  
 } 
  
 ] 
  
 } 
  
 }, 
  
 { 
  
 "the_end" 
 : 
  
 { 
  
 "return" 
 : 
  
 [ 
  
 "${str_secret}" 
 , 
  
 "${text.decode(base64.decode(base64_encoded_secret.payload.data))}" 
 , 
  
 "${secret_str_from_exp}" 
  
 ] 
  
 } 
  
 } 
 ]

Module: googleapis.secretmanager.v1.projects.locations

Functions
`get`	Gets information about a location.
`list`	Lists information about the supported locations for this service.

Module: googleapis.secretmanager.v1.projects.secrets

Functions
`addVersion`	Creates a new SecretVersion containing secret data and attaches it to an existing Secret.
`addVersionBytes`	Creates a new SecretVersion containing secret data. The secret data needs to be in bytes format.
`addVersionString`	Creates a new SecretVersion containing secret data. The secret data needs to be in string format.
`create`	Creates a new Secret containing no SecretVersions.
`delete`	Deletes a Secret.
`get`	Gets metadata for a given Secret.
`getIamPolicy`	Gets the access control policy for a secret. Returns empty policy if the secret exists and does not have a policy set.
`list`	Lists Secrets.
`patch`	Updates metadata of an existing Secret.
`setIamPolicy`	Sets the access control policy on the specified secret. Replaces any existing policy. Permissions on SecretVersions are enforced according to the policy set on the associated Secret.
`testIamPermissions`	Returns permissions that a caller has for the specified secret. If the secret does not exist, this call returns an empty set of permissions, not a NOT_FOUND error. Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

Module: googleapis.secretmanager.v1.projects.secrets.versions

Functions
`access`	Accesses a SecretVersion. This call returns the secret data. `projects//secrets//versions/latest` is an alias to the most recently created SecretVersion.
`accessBytes`	Accesses the secret value in bytes.
`accessRaw`	Should be removed and not recommended to use as it enforces UTF-8 conversion that could corrupt user's secret.
`accessString`	Accesses the secret value in string format. If the secret contains characters not in UTF-8 format, an error is raised.
`destroy`	Destroys a SecretVersion. Sets the state of the SecretVersion to DESTROYED and irrevocably destroys the secret data.
`disable`	Disables a SecretVersion. Sets the state of the SecretVersion to DISABLED.
`enable`	Enables a SecretVersion. Sets the state of the SecretVersion to ENABLED.
`get`	Gets metadata for a SecretVersion. `projects//secrets//versions/latest` is an alias to the most recently created SecretVersion.
`list`	Lists SecretVersions. This call does not return secret data.

Secret Manager API Connector Overview Stay organized with collections Save and categorize content based on your preferences.