Reference secrets in parameters

This page describes how to reference secrets in parameters. To learn more about secrets, see Secret Manager overview.

You can store sensitive information such as your passwords and API keys in Secret Manager and then reference those secrets from within parameters used in your applications or infrastructure. The maximum number of secret references a parameter version can contain is 15.

For example, you have a database connection string that includes a password. Do the following:

  • Store the password as a secret in Secret Manager.
  • Create a parameter in Parameter Manager for the connection string.
  • Store a reference to the secret in your parameter version.

When your application or infrastructure needs the secret, it retrieves the parameter value, which contains the reference to the secret. Then, it uses that reference to fetch the actual secret value from Secret Manager. This way, the actual password is not exposed in your configuration files.

By storing secrets separately from configuration files and application code, you can reduce the risk of accidental exposure or unauthorized access. You can securely store, audit, and rotate your secrets in Secret Manager while keeping all your configuration data organized in Parameter Manager.

To reference secrets within parameters, you must do the following:

Required roles

To get the permissions that you need to create a parameter version with a secret reference, ask your administrator to grant you the Parameter Manager Parameter Version Adder (roles/parametermanager.parameterversions.create) IAM role on the project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a parameter version with the secret reference

If you are using the REST API to manage parameter versions, complete these steps before creating a new version:

  • Encode the parameter payload data containing the secret reference using Base64 and then pass the encoded string in the create version command. For example, you want to create a new version of an existing parameter with a secret reference using the following YAML data:

    project:
      display_name: PM Bank
      locale: en-US
      port: 8080
      db_password: __REF__("//secretmanager.googleapis.com/projects/production-1/secrets/db_password/versions/1")
      mask_sensitive_fields: false
    

    The db_password field uses a special reference, __REF__(), to pull the actual password value from Secret Manager. The URL inside the reference specifies the location of your database password within Secret Manager.

    Here's the Base64 string for the sample YAML data given in this section:

    cHJvamVjdDoNCiAgZGlzcGxheV9uYW1lOiBQTSBCYW5rDQogIGxvY2FsZTogZW4tVVMNCiAgcG9ydDogODA4MA0KICBkYl9wYXNzd29yZDogX19SRUZfXygiLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL2FjbS1zYW1wbGUvc2VjcmV0cy9kYl9wYXNzd29yZC92ZXJzaW9ucy8xIikNCiAgbWFza19zZW5zaXRpdmVfZmllbGRzOiBmYWxzZQ==
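A pre-flight check for the rules stated on this page, as an added example (not Google's sample code): it validates the version ID, counts __REF__() references against the limit of 15, flags references that are not closed or do not look like a Secret Manager version path, and then builds the Base64 REST request body. The function names and the optional /locations/ segment in the path pattern are assumptions of this example.

```python
import base64
import json
import re

MAX_SECRET_REFS = 15  # limit per parameter version, as stated on this page

# Version ID rule from this page: 1-63 characters from A-Z, a-z, 0-9, "-" and
# "_", and the first character is not a dash.
VERSION_ID_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]{0,62}")

# A complete reference: __REF__(path), with the path optionally wrapped in
# matching single or double quotes (the page's samples show all three forms).
REF_RE = re.compile(r"""__REF__\(\s*(["']?)([^"'()\s]+)\1\s*\)""")

# Assumed shape of the path, taken from the samples on this page. The optional
# /locations/ segment is this example's assumption, not something the page states.
SECRET_PATH_RE = re.compile(
    r"//secretmanager\.googleapis\.com/projects/[^/]+"
    r"(?:/locations/[^/]+)?/secrets/[^/]+/versions/[^/]+"
)

# Constructed sample input: the YAML payload shown on this page.
SAMPLE_YAML = (
    "project:\n"
    "  display_name: PM Bank\n"
    "  locale: en-US\n"
    "  port: 8080\n"
    '  db_password: __REF__("//secretmanager.googleapis.com/projects/'
    'production-1/secrets/db_password/versions/1")\n'
    "  mask_sensitive_fields: false\n"
)


def find_secret_refs(payload):
    """Return the resource path of every well-formed __REF__() in the payload."""
    return [match.group(2) for match in REF_RE.finditer(payload)]


def check_payload(payload, version_id):
    """Return a list of problems; an empty list means the payload can be sent."""
    problems = []
    if not VERSION_ID_RE.fullmatch(version_id):
        problems.append(f"invalid version ID: {version_id!r}")

    refs = find_secret_refs(payload)
    # Every "__REF__(" opener must belong to a complete reference. A missing
    # ")" or mismatched quotes leaves an opener without a match.
    unparsed = payload.count("__REF__(") - len(refs)
    if unparsed:
        problems.append(f"{unparsed} malformed __REF__() expression(s)")
    if len(refs) > MAX_SECRET_REFS:
        problems.append(f"{len(refs)} references exceed the limit of {MAX_SECRET_REFS}")
    for path in refs:
        if not SECRET_PATH_RE.fullmatch(path):
            problems.append(f"unexpected secret path: {path}")
    return problems


def build_request_body(payload, version_id):
    """Validate the payload, then return the JSON body for the REST call."""
    problems = check_payload(payload, version_id)
    if problems:
        raise ValueError("; ".join(problems))
    # The REST API expects payload.data as a Base64 string of the raw bytes.
    encoded = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return json.dumps({"payload": {"data": encoded}})


if __name__ == "__main__":
    print(check_payload(SAMPLE_YAML, "refv1"))
    print(build_request_body(SAMPLE_YAML, "refv1"))
```

The string returned by build_request_body can be saved as request.json for the REST methods described on this page.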

To create a new version with the secret reference, use one of the following methods:

Global parameters

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. Click Parameter Manager to go to the Parameter Manager page.

  3. Click the parameter name for which you want to add the new version. The parameter details are displayed.

  4. Click the Versions tab and then click New version. The Create parameter version page opens.

  5. Enter the version name. Parameter version names must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). Names cannot begin with a dash.

  6. In the Payload section, enter the parameter value containing the secret reference. Alternatively, you can upload a file containing the parameter value with the secret reference.

  7. Click Create.

gcloud

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID : the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_ID : the name of the parameter.
  • PARAMETER_PAYLOAD : the data, in plaintext, containing the secret references that you want to store within the parameter version.
  • PROJECT_ID : the Google Cloud project ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

Windows (PowerShell)

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

Windows (cmd.exe)

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

You should receive a response similar to the following:

Created parameterVersion [refv1].

REST

Before using any of the request data, make the following replacements:

  • PROJECT_ID : the Google Cloud project ID.
  • PARAMETER_ID : the name of the parameter.
  • PARAMETER_VERSION_ID : the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_PAYLOAD : the data, as a Base64 encoded string, containing the secret references that you want to store within the parameter version.

HTTP method and URL:

POST https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID

Request JSON body:

{"payload": {"data": "PARAMETER_PAYLOAD"}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/production-1/locations/global/parameters/db_password_secret_ref/versions/refv1",
  "createTime": "2024-10-15T08:39:05.191747694Z",
  "updateTime": "2024-10-15T08:39:05.191747694Z"
}

C#

To run this code, first set up a C# development environment and install the Parameter Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

using Google.Cloud.ParameterManager.V1;
using Google.Protobuf;
using System;
using System.Text;

public class CreateParameterVersionWithSecretSample
{
    /// <summary>
    /// This function creates a parameter version with a JSON payload that includes a secret reference using the Parameter Manager SDK for GCP.
    /// </summary>
    /// <param name="projectId">The ID of the project where the parameter is located.</param>
    /// <param name="parameterId">The ID of the parameter for which the version is to be created.</param>
    /// <param name="versionId">The ID of the version to be created.</param>
    /// <param name="secretId">The ID of the secret to be referenced.</param>
    /// <returns>The created ParameterVersion object.</returns>
    public ParameterVersion CreateParameterVersionWithSecret(
        string projectId,
        string parameterId,
        string versionId,
        string secretId)
    {
        // Create the client.
        ParameterManagerClient client = ParameterManagerClient.Create();

        // Build the parent resource name.
        ParameterName parent = new ParameterName(projectId, "global", parameterId);

        // Convert the JSON payload to bytes. The __REF__() expression must be closed with ")".
        string payload = $"{{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/{secretId})\"}}";
        ByteString data = ByteString.CopyFrom(payload, Encoding.UTF8);

        // Build the parameter version with the JSON payload that includes a secret reference.
        ParameterVersion parameterVersion = new ParameterVersion
        {
            Payload = new ParameterVersionPayload
            {
                Data = data
            }
        };

        // Call the API to create the parameter version.
        ParameterVersion createdParameterVersion = client.CreateParameterVersion(parent, parameterVersion, versionId);

        // Print the created parameter version name.
        Console.WriteLine($"Created parameter version: {createdParameterVersion.Name}");

        // Return the created parameter version.
        return createdParameterVersion;
    }
}
 

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
)

// createParamVersionWithSecret creates a new version of a parameter with a JSON payload that has a secret reference in it using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// parameterID: The ID of the parameter for which the version is to be created.
// versionID: The ID of the version to be created.
// secretID: The ID of the secret to be referenced.
//
// The function returns an error if the parameter version creation fails.
func createParamVersionWithSecret(w io.Writer, projectID, parameterID, versionID, secretID string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()
	client, err := parametermanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter version.
	parent := fmt.Sprintf("projects/%s/locations/global/parameters/%s", projectID, parameterID)
	payload := []byte(fmt.Sprintf(`{"username": "test-user","password": "__REF__(//secretmanager.googleapis.com/%s)"}`, secretID))

	// Build the request to create a new parameter version with the JSON payload that has a secret reference.
	req := &parametermanagerpb.CreateParameterVersionRequest{
		Parent:             parent,
		ParameterVersionId: versionID,
		ParameterVersion: &parametermanagerpb.ParameterVersion{
			Payload: &parametermanagerpb.ParameterVersionPayload{
				Data: payload,
			},
		},
	}

	// Call the API to create the parameter version.
	version, err := client.CreateParameterVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create parameter version: %w", err)
	}

	fmt.Fprintf(w, "Created parameter version with secret reference: %s\n", version.Name)
	return nil
}
 

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.cloud.parametermanager.v1.ParameterVersion;
import com.google.cloud.parametermanager.v1.ParameterVersionPayload;
import com.google.protobuf.ByteString;
import java.io.IOException;

/**
 * This class demonstrates how to create a parameter version with a JSON payload that includes a
 * secret reference using the Parameter Manager SDK for GCP.
 */
public class CreateParamVersionWithSecret {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String parameterId = "your-parameter-id";
    String versionId = "your-version-id";
    String secretId = "projects/your-project-id/secrets/your-secret-id/versions/latest";

    // Call the method to create parameter version with JSON payload that includes a secret
    // reference.
    createParamVersionWithSecret(projectId, parameterId, versionId, secretId);
  }

  // This is an example snippet that creates a parameter version with a JSON payload that includes a
  // secret reference.
  public static ParameterVersion createParamVersionWithSecret(
      String projectId, String parameterId, String versionId, String secretId)
      throws IOException {
    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create()) {
      String locationId = "global";

      // Build the parameter name.
      ParameterName parameterName = ParameterName.of(projectId, locationId, parameterId);

      // Convert the JSON payload string to ByteString.
      String payload =
          String.format(
              "{\"username\": \"test-user\", "
                  + "\"password\": \"__REF__(//secretmanager.googleapis.com/%s)\"}",
              secretId);
      ByteString byteStringPayload = ByteString.copyFromUtf8(payload);

      // Create the parameter version payload with the secret reference.
      ParameterVersionPayload parameterVersionPayload =
          ParameterVersionPayload.newBuilder().setData(byteStringPayload).build();

      // Create the parameter version with the JSON payload.
      ParameterVersion parameterVersion =
          ParameterVersion.newBuilder().setPayload(parameterVersionPayload).build();

      // Create the parameter version in the Parameter Manager.
      ParameterVersion createdParameterVersion =
          client.createParameterVersion(parameterName.toString(), parameterVersion, versionId);
      System.out.printf("Created parameter version: %s\n", createdParameterVersion.getName());

      return createdParameterVersion;
    }
  }
}
 

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const parameterId = 'YOUR_PARAMETER_ID';
// const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID';
// const secretId = 'YOUR_SECRET_ID'; // For example projects/my-project/secrets/application-secret/versions/latest

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Instantiates a client
const client = new ParameterManagerClient();

async function createParamVersionWithSecret() {
  // Construct the parent resource name
  const parent = client.parameterPath(projectId, 'global', parameterId);

  // Construct the JSON data with secret references
  const jsonData = {
    db_user: 'test_user',
    db_password: `__REF__(//secretmanager.googleapis.com/${secretId})`,
  };

  // Construct the parameter version
  const parameterVersion = {
    payload: {
      data: Buffer.from(JSON.stringify(jsonData), 'utf8'),
    },
  };

  // Construct the request
  const request = {
    parent: parent,
    parameterVersionId: parameterVersionId,
    parameterVersion: parameterVersion,
  };

  // Create the parameter version
  const [paramVersion] = await client.createParameterVersion(request);
  console.log(
    `Created parameter version with secret references: ${paramVersion.name}`
  );
  return paramVersion;
}

return await createParamVersionWithSecret();
 

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for creating a parameter version.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\CreateParameterVersionRequest;
use Google\Cloud\ParameterManager\V1\ParameterVersion;
use Google\Cloud\ParameterManager\V1\ParameterVersionPayload;

/**
 * Creates a parameter version with a secret reference.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $versionId The Version ID (e.g. 'my-param-version')
 * @param string $secretId The ID of the secret to be referenced (e.g. 'projects/my-project/secrets/my-secret/versions/latest')
 */
function create_param_version_with_secret(string $projectId, string $parameterId, string $versionId, string $secretId): void
{
    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient();

    // Build the resource name of the parent object.
    $parent = $client->parameterName($projectId, 'global', $parameterId);

    // Build payload.
    $payload = json_encode([
        'username' => 'test-user',
        'password' => sprintf('__REF__(//secretmanager.googleapis.com/%s)', $secretId)
    ], JSON_UNESCAPED_SLASHES);

    // Create a new ParameterVersionPayload object and set the payload with secret reference.
    $parameterVersionPayload = new ParameterVersionPayload();
    $parameterVersionPayload->setData($payload);

    // Create a new ParameterVersion object and set the payload.
    $parameterVersion = new ParameterVersion();
    $parameterVersion->setPayload($parameterVersionPayload);

    // Prepare the request with the parent and parameter version object.
    $request = (new CreateParameterVersionRequest())
        ->setParent($parent)
        ->setParameterVersionId($versionId)
        ->setParameterVersion($parameterVersion);

    // Call the API to create the parameter version.
    $newParameterVersion = $client->createParameterVersion($request);
    printf('Created parameter version: %s' . PHP_EOL, $newParameterVersion->getName());
}
 

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import json

# Import the necessary library for Google Cloud Parameter Manager.
# The imports are at module level so that the return annotation below
# resolves when the function is defined.
from google.cloud import parametermanager_v1


def create_param_version_with_secret(
    project_id: str, parameter_id: str, version_id: str, secret_id: str
) -> parametermanager_v1.ParameterVersion:
    """
    Creates a new version of an existing parameter in the global location
    of the specified project using the Google Cloud Parameter Manager SDK.
    The payload is specified as a JSON string and
    includes a reference to a secret.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which the version is to be created.
        version_id (str): The ID of the version to be created.
        secret_id (str): The ID of the secret to be referenced.

    Returns:
        parametermanager_v1.ParameterVersion: An object representing the
        newly created parameter version.

    Example:
        create_param_version_with_secret(
            "my-project",
            "my-global-parameter",
            "v1",
            "projects/my-project/secrets/application-secret/versions/latest"
        )
    """
    # Create the Parameter Manager client.
    client = parametermanager_v1.ParameterManagerClient()

    # Build the resource name of the parameter.
    parent = client.parameter_path(project_id, "global", parameter_id)

    # Create the JSON payload with a secret reference.
    payload_dict = {
        "username": "test-user",
        "password": f"__REF__('//secretmanager.googleapis.com/{secret_id}')",
    }
    payload_json = json.dumps(payload_dict)

    # Define the parameter version creation request with the JSON payload.
    request = parametermanager_v1.CreateParameterVersionRequest(
        parent=parent,
        parameter_version_id=version_id,
        parameter_version=parametermanager_v1.ParameterVersion(
            payload=parametermanager_v1.ParameterVersionPayload(
                data=payload_json.encode("utf-8")
            )
        ),
    )

    # Create the parameter version.
    response = client.create_parameter_version(request=request)

    # Print the newly created parameter version name.
    print(f"Created parameter version: {response.name}")

    # Return the created parameter version, as the docstring describes.
    return response
 

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Create a parameter version
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param version_id [String] The version name (e.g. "my-version")
# @param secret_id [String] The secret name
#   (e.g. "projects/my-project/secrets/my-secret/versions/latest")
#
def create_param_version_with_secret project_id:, parameter_id:, version_id:, secret_id:
  # Create a Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager

  # Build the resource name of the parent project.
  parent = client.parameter_path project: project_id, location: "global", parameter: parameter_id

  payload = "{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/#{secret_id})\"}"

  parameter_version = {
    payload: {
      data: payload
    }
  }

  # Create the parameter version.
  param_version = client.create_parameter_version parent: parent,
                                                  parameter_version_id: version_id,
                                                  parameter_version: parameter_version

  # Print the new parameter version name.
  puts "Created parameter version #{param_version.name}"
end
 

Regional parameters

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. Click Parameter Manager to go to the Parameter Manager page.

  3. Click the parameter name for which you want to add the new version. The parameter details are displayed.

  4. Click the Versions tab and then click New version. The Create parameter version page opens.

  5. Enter the version name. Parameter version names must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). Names cannot begin with a dash.

  6. In the Payload section, enter the parameter value containing the secret reference. Alternatively, you can upload a file containing the parameter value with the secret reference.

  7. Click Create.

gcloud

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID : the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_ID : the name of the parameter.
  • LOCATION : the Google Cloud location of the parameter.
  • PARAMETER_PAYLOAD : the data, in plaintext, containing the secret references that you want to store within the parameter version.
  • PROJECT_ID : the Google Cloud project ID.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

Windows (PowerShell)

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

Windows (cmd.exe)

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

You should receive a response similar to the following:

Created parameterVersion [refv2].

REST

Before using any of the request data, make the following replacements:

  • LOCATION : the Google Cloud location of the parameter.
  • PROJECT_ID : the Google Cloud project ID.
  • PARAMETER_ID : the name of the parameter.
  • PARAMETER_VERSION_ID : the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_PAYLOAD : the data, as a Base64 encoded string, containing the secret references that you want to store within the parameter version.

HTTP method and URL:

POST https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID

Request JSON body:

{"payload": {"data": "PARAMETER_PAYLOAD"}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/refv2",
  "createTime": "2024-10-15T08:39:05.191747694Z",
  "updateTime": "2024-10-15T08:39:05.191747694Z"
}

C#

To run this code, first set up a C# development environment and install the Parameter Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

using Google.Cloud.ParameterManager.V1;
using Google.Protobuf;
using System;
using System.Text;

public class CreateRegionalParameterVersionWithSecretSample
{
    /// <summary>
    /// This function creates a regional parameter version with a JSON payload that includes a secret reference using the Parameter Manager SDK for GCP.
    /// </summary>
    /// <param name="projectId">The ID of the project where the parameter is located.</param>
    /// <param name="locationId">The ID of the region where the parameter is located.</param>
    /// <param name="parameterId">The ID of the parameter for which the version is to be created.</param>
    /// <param name="versionId">The ID of the version to be created.</param>
    /// <param name="secretId">The ID of the secret to be referenced.</param>
    /// <returns>The created ParameterVersion object.</returns>
    public ParameterVersion CreateRegionalParameterVersionWithSecret(
        string projectId,
        string locationId,
        string parameterId,
        string versionId,
        string secretId)
    {
        // Define the regional endpoint
        string regionalEndpoint = $"parametermanager.{locationId}.rep.googleapis.com";

        // Create the client with the regional endpoint
        ParameterManagerClient client = new ParameterManagerClientBuilder
        {
            Endpoint = regionalEndpoint
        }.Build();

        // Build the parent resource name using ParameterName
        ParameterName parent = new ParameterName(projectId, locationId, parameterId);

        // Convert the JSON payload to bytes. The __REF__() expression must be closed with ")".
        string payload = $"{{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/{secretId})\"}}";
        ByteString data = ByteString.CopyFrom(payload, Encoding.UTF8);

        // Build the parameter version with the JSON payload that includes a secret reference
        ParameterVersion parameterVersion = new ParameterVersion
        {
            Payload = new ParameterVersionPayload
            {
                Data = data
            }
        };

        // Call the API to create the parameter version
        ParameterVersion createdParameterVersion = client.CreateParameterVersion(parent, parameterVersion, versionId);

        // Print the created parameter version name
        Console.WriteLine($"created regional parameter version: {createdParameterVersion.Name}");

        // Return the created parameter version
        return createdParameterVersion;
    }
}
 

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/api/option"
)

// createRegionalParamVersionWithSecret creates a new version of a regional parameter with a JSON payload that has a secret reference in it using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// locationID: The ID of the region where the parameter is located.
// parameterID: The ID of the parameter for which the version is to be created.
// versionID: The ID of the version to be created.
// secretID: The ID of the secret to be referenced.
//
// The function returns an error if the parameter version creation fails.
func createRegionalParamVersionWithSecret(w io.Writer, projectID, locationID, parameterID, versionID, secretID string) error {
	// Create a context.
	ctx := context.Background()

	// Create a Parameter Manager client.
	endpoint := fmt.Sprintf("parametermanager.%s.rep.googleapis.com:443", locationID)
	client, err := parametermanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create parametermanager client: %w", err)
	}
	defer client.Close()

	// Construct the name of the create parameter version.
	parent := fmt.Sprintf("projects/%s/locations/%s/parameters/%s", projectID, locationID, parameterID)
	payload := []byte(fmt.Sprintf(`{"db_host": "localhost","db_password": "__REF__(//secretmanager.googleapis.com/%s)"}`, secretID))

	// Create a parameter version.
	req := &parametermanagerpb.CreateParameterVersionRequest{
		Parent:             parent,
		ParameterVersionId: versionID,
		ParameterVersion: &parametermanagerpb.ParameterVersion{
			Payload: &parametermanagerpb.ParameterVersionPayload{
				Data: payload,
			},
		},
	}

	version, err := client.CreateParameterVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create parameter version: %w", err)
	}

	fmt.Fprintf(w, "Created regional parameter version with secret reference: %s\n", version.Name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.cloud.parametermanager.v1.ParameterVersion;
import com.google.cloud.parametermanager.v1.ParameterVersionPayload;
import com.google.protobuf.ByteString;
import java.io.IOException;

/**
 * This class demonstrates how to create a regional parameter version with a JSON payload that
 * includes a secret reference using the Parameter Manager SDK for GCP.
 */
public class CreateRegionalParamVersionWithSecret {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "your-location-id";
    String parameterId = "your-parameter-id";
    String versionId = "your-version-id";
    String secretId =
        "projects/your-project-id/locations/your-location-id"
            + "/secrets/your-secret-id/versions/latest";

    // Call the method to create a regional parameter version with JSON payload that includes a
    // secret reference.
    createRegionalParamVersionWithSecret(projectId, locationId, parameterId, versionId, secretId);
  }

  // This is an example snippet that creates a regional parameter version with a JSON payload that
  // includes a secret reference.
  public static ParameterVersion createRegionalParamVersionWithSecret(
      String projectId, String locationId, String parameterId, String versionId, String secretId)
      throws IOException {
    // Endpoint to call the regional parameter manager server
    String apiEndpoint = String.format("parametermanager.%s.rep.googleapis.com:443", locationId);
    ParameterManagerSettings parameterManagerSettings =
        ParameterManagerSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create(parameterManagerSettings)) {
      // Build the parameter name.
      ParameterName parameterName = ParameterName.of(projectId, locationId, parameterId);

      // Convert the JSON payload string to ByteString.
      String payload =
          String.format(
              "{\"username\": \"test-user\","
                  + "\"password\": \"__REF__(//secretmanager.googleapis.com/%s)\"}",
              secretId);
      ByteString byteStringPayload = ByteString.copyFromUtf8(payload);

      // Create the parameter version payload with the secret reference.
      ParameterVersionPayload parameterVersionPayload =
          ParameterVersionPayload.newBuilder().setData(byteStringPayload).build();

      // Create the parameter version with the JSON payload.
      ParameterVersion parameterVersion =
          ParameterVersion.newBuilder().setPayload(parameterVersionPayload).build();

      // Create the parameter version in the Parameter Manager.
      ParameterVersion createdParameterVersion =
          client.createParameterVersion(parameterName.toString(), parameterVersion, versionId);
      System.out.printf(
          "Created regional parameter version: %s\n", createdParameterVersion.getName());

      return createdParameterVersion;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const locationId = 'us-central1';
// const parameterId = 'YOUR_PARAMETER_ID';
// const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID';
// const secretId = 'YOUR_SECRET_ID'; // For example projects/my-project/secrets/application-secret/versions/latest

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Adding the endpoint to call the regional parameter manager server
const options = {
  apiEndpoint: `parametermanager.${locationId}.rep.googleapis.com`,
};

// Instantiates a client with regional endpoint
const client = new ParameterManagerClient(options);

async function createRegionalParamVersionWithSecret() {
  // Construct the parent resource name
  const parent = client.parameterPath(projectId, locationId, parameterId);

  // Construct the payload JSON data with secret references
  const payloadData = {
    db_user: 'test_user',
    db_password: `__REF__("//secretmanager.googleapis.com/${secretId}")`,
  };

  // Construct the parameter version
  const parameterVersion = {
    payload: {
      data: Buffer.from(JSON.stringify(payloadData), 'utf8'),
    },
  };

  // Construct the request
  const request = {
    parent: parent,
    parameterVersionId: parameterVersionId,
    parameterVersion: parameterVersion,
  };

  // Create the regional parameter version
  const [paramVersion] = await client.createParameterVersion(request);
  console.log(
    `Created regional parameter version with secret: ${paramVersion.name}`
  );
  return paramVersion;
}

return await createRegionalParamVersionWithSecret();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for creating a parameter version.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\CreateParameterVersionRequest;
use Google\Cloud\ParameterManager\V1\ParameterVersion;
use Google\Cloud\ParameterManager\V1\ParameterVersionPayload;

/**
 * Creates a regional parameter version with a secret reference.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId The Parameter Location (e.g. 'us-central1')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $versionId The Version ID (e.g. 'my-param-version')
 * @param string $secretId The ID of the secret to be referenced (e.g. 'projects/my-project/locations/us-central1/secrets/my-secret/versions/latest')
 */
function create_regional_param_version_with_secret(string $projectId, string $locationId, string $parameterId, string $versionId, string $secretId): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "parametermanager.$locationId.rep.googleapis.com"];

    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient($options);

    // Build the resource name of the parent object.
    $parent = $client->parameterName($projectId, $locationId, $parameterId);

    // Build payload.
    $payload = json_encode([
        'username' => 'test-user',
        'password' => sprintf('__REF__(//secretmanager.googleapis.com/%s)', $secretId)
    ], JSON_UNESCAPED_SLASHES);

    // Create a new ParameterVersionPayload object and set the payload with secret reference.
    $parameterVersionPayload = new ParameterVersionPayload();
    $parameterVersionPayload->setData($payload);

    // Create a new ParameterVersion object and set the payload.
    $parameterVersion = new ParameterVersion();
    $parameterVersion->setPayload($parameterVersionPayload);

    // Prepare the request with the parent and parameter version object.
    $request = (new CreateParameterVersionRequest())
        ->setParent($parent)
        ->setParameterVersionId($versionId)
        ->setParameterVersion($parameterVersion);

    // Call the API to create the parameter version.
    $newParameterVersion = $client->createParameterVersion($request);
    printf('Created regional parameter version: %s' . PHP_EOL, $newParameterVersion->getName());
}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

# Import the necessary library for Google Cloud Parameter Manager.
import json

from google.cloud import parametermanager_v1


def create_regional_param_version_with_secret(
    project_id: str,
    location_id: str,
    parameter_id: str,
    version_id: str,
    secret_id: str,
) -> parametermanager_v1.ParameterVersion:
    """
    Creates a new version of an existing parameter in the specified region
    of the specified project using the Google Cloud Parameter Manager SDK.
    The payload is specified as a JSON string and
    includes a reference to a secret.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        location_id (str): The ID of the region where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which the version is to be created.
        version_id (str): The ID of the version to be created.
        secret_id (str): The ID of the secret to be referenced.

    Returns:
        parametermanager_v1.ParameterVersion: An object representing the
        newly created parameter version.

    Example:
        create_regional_param_version_with_secret(
            "my-project",
            "us-central1",
            "my-regional-parameter",
            "v1",
            "projects/my-project/locations/us-central1/secrets/application-secret/versions/latest"
        )
    """
    # Create the Parameter Manager client with the regional endpoint.
    api_endpoint = f"parametermanager.{location_id}.rep.googleapis.com"
    client = parametermanager_v1.ParameterManagerClient(
        client_options={"api_endpoint": api_endpoint}
    )

    # Build the resource name of the parameter.
    parent = client.parameter_path(project_id, location_id, parameter_id)

    # Create the JSON payload with a secret reference.
    payload_dict = {
        "username": "test-user",
        "password": f"__REF__('//secretmanager.googleapis.com/{secret_id}')",
    }
    payload_json = json.dumps(payload_dict)

    # Define the parameter version creation request with the JSON payload.
    request = parametermanager_v1.CreateParameterVersionRequest(
        parent=parent,
        parameter_version_id=version_id,
        parameter_version=parametermanager_v1.ParameterVersion(
            payload=parametermanager_v1.ParameterVersionPayload(
                data=payload_json.encode("utf-8")
            )
        ),
    )

    # Create the parameter version.
    response = client.create_parameter_version(request=request)

    # Print the newly created parameter version name.
    print(f"Created regional parameter version: {response.name}")

    # Return the created parameter version, as the docstring promises.
    return response

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Create a regional parameter version
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param location_id [String] The location name (e.g. "us-central1")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param version_id [String] The version name (e.g. "my-version")
# @param secret_id [String] The secret name
#   (e.g. "projects/my-project/locations/us-central1/secrets/my-secret/versions/latest")
#
def create_regional_param_version_with_secret project_id:, location_id:, parameter_id:, version_id:, secret_id:
  # Endpoint for the regional parameter manager service.
  api_endpoint = "parametermanager.#{location_id}.rep.googleapis.com"

  # Create the Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the parent project.
  parent = client.parameter_path project: project_id, location: location_id, parameter: parameter_id

  payload = "{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/#{secret_id})\"}"

  parameter_version = {
    payload: {
      data: payload
    }
  }

  # Create the parameter version.
  param_version = client.create_parameter_version parent: parent,
                                                  parameter_version_id: version_id,
                                                  parameter_version: parameter_version

  # Print the new parameter version name.
  puts "Created regional parameter version #{param_version.name}"
end

Grant the Secret Manager Secret Accessor role to the parameter

To let a parameter access a secret stored in Secret Manager, grant the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) to the parameter. This gives the parameter permission to read the secret's value. Parameters are resources with built-in identities, which means that you must grant the IAM role using the resource's principal identifier. Refer to the following example to grant the role using the Google Cloud CLI:

gcloud

Before using any of the command data below, make the following replacements:

  • PROJECT_ID: the ID of the project containing the secret
  • SECRET_ID: the ID of the secret or fully qualified identifier for the secret
  • PROJECT_NUMBER: the project number of the Google Cloud project where the parameter is stored
  • PARAMETER_UID: the system-generated unique ID of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets add-iam-policy-binding projects/PROJECT_ID/secrets/SECRET_ID \
    --member="principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID" \
    --role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud secrets add-iam-policy-binding projects/PROJECT_ID/secrets/SECRET_ID `
    --member="principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID" `
    --role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud secrets add-iam-policy-binding projects/PROJECT_ID/secrets/SECRET_ID ^
    --member="principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID" ^
    --role="roles/secretmanager.secretAccessor"

You should receive a response similar to the following:

Updated IAM policy for secret [db_password].
bindings:
- members:
  - principal://parametermanager.googleapis.com/projects/609765466568/uid/locations/global/parameters/3fe3492e-a0da-4447-8d6b-68b4594b7243
  role: roles/secretmanager.secretAccessor
etag: BwYkj3X1kGo=
version: 1

For information on rendering secret references when retrieving parameter payloads, see Render secrets referenced within a parameter version.
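As an added example (not part of the original page or of Google's samples), the following pre-flight check scans a payload for `__REF__(...)` references before a parameter version is created. It rejects malformed references and payloads over the 15-reference limit, then lists the Secret Accessor bindings the parameter's principal needs. The function names, the sample payload, the accepted resource shapes and the `location` argument are assumptions drawn from the samples above.

```python
import json
import re

MAX_SECRET_REFS = 15  # per parameter version, as stated on this page
ROLE = "roles/secretmanager.secretAccessor"

# __REF__(//secretmanager.googleapis.com/<resource>); some samples on this page
# quote the URI, so optional matching quotes are accepted (an assumption).
_REF = re.compile(
    r"""__REF__\((?P<q>["']?)//secretmanager\.googleapis\.com/(?P<res>[^"')\s]+)(?P=q)\)"""
)
# Resource shapes taken from the page's samples (global and regional secrets).
_RESOURCE = re.compile(
    r"^(?P<secret>projects/[^/]+/(?:locations/[^/]+/)?secrets/[^/]+)/versions/[^/]+$"
)


def _strings(node):
    """Yield every string value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from _strings(value)


def extract_secret_refs(payload: str) -> list[str]:
    """Return referenced secret versions; raise ValueError on a bad payload."""
    try:
        texts = list(_strings(json.loads(payload)))
    except json.JSONDecodeError:
        texts = [payload]  # not JSON: scan the raw text instead
    refs = []
    for text in texts:
        matches = list(_REF.finditer(text))
        # An opening "__REF__(" that did not parse, e.g. a missing ")".
        if len(matches) != text.count("__REF__("):
            raise ValueError(f"malformed secret reference in: {text!r}")
        for m in matches:
            if not _RESOURCE.match(m.group("res")):
                raise ValueError(f"unexpected secret resource: {m.group('res')}")
            refs.append(m.group("res"))
    if len(refs) > MAX_SECRET_REFS:
        raise ValueError(f"{len(refs)} references exceed the limit of {MAX_SECRET_REFS}")
    return refs


def required_bindings(payload, project_number, parameter_uid, location="global"):
    """One IAM binding per distinct secret the parameter must be able to read."""
    # Principal format from the gcloud example; the page shows locations/global.
    member = (
        "principal://parametermanager.googleapis.com/projects/"
        f"{project_number}/uid/locations/{location}/parameters/{parameter_uid}"
    )
    refs = extract_secret_refs(payload)
    secrets = sorted({_RESOURCE.match(r).group("secret") for r in refs})
    return [{"secret": s, "member": member, "role": ROLE} for s in secrets]


# Constructed sample payload (not from the page): two references to one secret,
# one bare and one with the URI quoted.
_URI = "//secretmanager.googleapis.com/projects/my-project/secrets/db_password"
SAMPLE_PAYLOAD = json.dumps({
    "db_user": "test_user",
    "db_password": f"__REF__({_URI}/versions/latest)",
    "db_password_previous": f'__REF__("{_URI}/versions/3")',
})

if __name__ == "__main__":
    for binding in required_bindings(SAMPLE_PAYLOAD, "123456789012", "example-uid"):
        print(binding)
```

Each returned binding maps onto one `gcloud secrets add-iam-policy-binding` call of the form shown above.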

What's next
