Render secrets referenced within a parameter version

Parameter versions can contain references to secrets created in Secret Manager. This reference doesn't reveal the actual secret value. When your application needs the secret, it retrieves the parameter. Instead of getting the plain-text secret, it gets the reference. The application then uses the reference to dynamically fetch the secret value from Secret Manager at runtime. This ensures that the secret is only accessed and exposed in memory when needed, reducing the risk of the secret being compromised.

This page describes how to retrieve a parameter version and then render the secret that the version references.

Required roles

To get the permissions that you need to render secret within a parameter version , ask your administrator to grant you the Parameter Manager Parameter Accessor ( roles/parametermanager.parameterAccessor ) IAM role on the parameter, project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations .

You might also be able to get the required permissions through custom roles or other predefined roles .

Render the secret referenced within a parameter version

To render the secret referenced within a parameter version, use one of the following methods:

Global parameters

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
Click Parameter Manager to go to the Parameter Manager page. You'll see the list of parameters for that project.
Click the parameter name to access its versions. The parameter details page opens with the Versions tab in focus where you can see all the versions belonging to the selected parameter.
Select the parameter version with the secret reference.
Click the Actions menu associated with that version, and then click Render .

A new page is displayed with the payload and the rendered value of the parameter version.

gcloud

Before using any of the command data below, make the following replacements:

PARAMETER_VERSION_ID : the ID of the parameter version
PARAMETER_ID : the name of the parameter
LOCATION : the Google Cloud location of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud  
parametermanager  
parameters  
versions  
render  
 PARAMETER_VERSION_ID 
  
--parameter = 
 PARAMETER_ID 
  
--location = 
global

Windows (PowerShell)

gcloud  
parametermanager  
parameters  
versions  
render  
 PARAMETER_VERSION_ID 
  
--parameter = 
 PARAMETER_ID 
  
--location = 
global

Windows (cmd.exe)

gcloud  
parametermanager  
parameters  
versions  
render  
 PARAMETER_VERSION_ID 
  
--parameter = 
 PARAMETER_ID 
  
--location = 
global

You should receive a response similar to the following:

parameterVersion: projects/production-1/locations/global/parameters/db_password_secret_ref/versions/v4
payload:
  data: ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL3NlY3JldHMvZHVyYWJsZS1zZWNyZXQvdmVyc2lvbnMvMSk=
renderedPayload: ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cg==

REST

Before using any of the request data, make the following replacements:

PROJECT_ID : the Google Cloud project ID
PARAMETER_ID : the name of the parameter
PARAMETER_VERSION_ID : the ID of the parameter version

HTTP method and URL:

GET https://parametermanager.googleapis.com/v1/projects/ PROJECT_ID 
/locations/global/parameters/ PARAMETER_ID 
/versions/ PARAMETER_VERSION_ID 
:render

Request JSON body:

{}

To send your request, choose one of these options:

curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell , which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager.googleapis.com/v1/projects/ PROJECT_ID 
/locations/global/parameters/ PARAMETER_ID 
/versions/ PARAMETER_VERSION_ID 
:render"

PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list .

Save the request body in a file named request.json , and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager.googleapis.com/v1/projects/ PROJECT_ID 
/locations/global/parameters/ PARAMETER_ID 
/versions/ PARAMETER_VERSION_ID 
:render" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/production-1/locations/global/parameters/db_password_secret_ref/versions/v2",
    "createTime": "2024-10-15T08:39:05.191747694Z",
    "updateTime": "2024-10-15T08:39:05.530311092Z",
    "payload": {
      "data": "ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL3NlY3JldHMvZHVyYWJsZS1zZWNyZXQvdmVyc2lvbnMvMSkK"
    },
    "renderedPayload": "ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo="
}

C#

To run this code, first set up a C# development environment and install the Parameter Manager C# SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  using 
  
  Google.Cloud.ParameterManager.V1 
 
 ; 
 using 
  
 System.Text 
 ; 
 public 
  
 class 
  
 RenderParameterVersionSample 
 { 
  
 /// <summary> 
  
 /// This function renders a parameter version using the Parameter Manager SDK for GCP. 
  
 /// </summary> 
  
 /// <param name="projectId">The ID of the project where the parameter is located.</param> 
  
 /// <param name="parameterId">The ID of the parameter for which the version is to be rendered.</param> 
  
 /// <param name="versionId">The ID of the version to be rendered.</param> 
  
 /// <returns>The rendered parameter version data as a string.</returns> 
  
 public 
  
 string 
  
 RenderParameterVersion 
 ( 
  
 string 
  
 projectId 
 , 
  
 string 
  
 parameterId 
 , 
  
 string 
  
 versionId 
 ) 
  
 { 
  
 // Create the client. 
  
  ParameterManagerClient 
 
  
 client 
  
 = 
  
  ParameterManagerClient 
 
 . 
  Create 
 
 (); 
  
 // Build the resource name for the parameter version. 
  
  ParameterVersionName 
 
  
 parameterVersionName 
  
 = 
  
 new 
  
  ParameterVersionName 
 
 ( 
 projectId 
 , 
  
 "global" 
 , 
  
 parameterId 
 , 
  
 versionId 
 ); 
  
 // Call the API to render the parameter version. 
  
  RenderParameterVersionResponse 
 
  
 renderParameterVersionResponse 
  
 = 
  
 client 
 . 
  RenderParameterVersion 
 
 ( 
 parameterVersionName 
 ); 
  
 // Decode the base64 encoded data. 
  
 string 
  
 decodedData 
  
 = 
  
 Encoding 
 . 
 UTF8 
 . 
 GetString 
 ( 
 renderParameterVersionResponse 
 . 
  RenderedPayload 
 
 . 
 ToByteArray 
 ()); 
  
 // Print the rendered parameter version data. 
  
 Console 
 . 
 WriteLine 
 ( 
 $"Rendered parameter version payload: {decodedData}" 
 ); 
  
 // Return the rendered parameter version data. 
  
 return 
  
 decodedData 
 ; 
  
 } 
 }

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 parametermanager 
  
 "cloud.google.com/go/parametermanager/apiv1" 
  
 parametermanagerpb 
  
 "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb" 
 ) 
 // renderParamVersion renders a parameter version using the Parameter Manager SDK for GCP. 
 // 
 // w: The io.Writer object used to write the output. 
 // projectID: The ID of the project where the parameter is located. 
 // parameterID: The ID of the parameter for which the version details is to be rendered. 
 // versionID: The ID of the version to be rendered. 
 // 
 // The function returns an error if the parameter version rendering fails. 
 func 
  
 renderParamVersion 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 projectID 
 , 
  
 parameterID 
 , 
  
 versionID 
  
 string 
 ) 
  
 error 
  
 { 
  
 // Create a context and a Parameter Manager client. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 client 
 , 
  
 err 
  
 := 
  
 parametermanager 
 . 
  NewClient 
 
 ( 
 ctx 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to create Parameter Manager client: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
  Close 
 
 () 
  
 // Construct the name of the parameter version to get render data. 
  
 name 
  
 := 
  
 fmt 
 . 
 Sprintf 
 ( 
 "projects/%s/locations/global/parameters/%s/versions/%s" 
 , 
  
 projectID 
 , 
  
 parameterID 
 , 
  
 versionID 
 ) 
  
 // Build the request to render a parameter version. 
  
 req 
  
 := 
  
& parametermanagerpb 
 . 
 RenderParameterVersionRequest 
 { 
  
 Name 
 : 
  
 name 
 , 
  
 } 
  
 // Call the API to render a parameter version. 
  
 rendered 
 , 
  
 err 
  
 := 
  
 client 
 . 
 RenderParameterVersion 
 ( 
 ctx 
 , 
  
 req 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to render parameter version: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Rendered parameter version: %s\n" 
 , 
  
 rendered 
 . 
 ParameterVersion 
 ) 
  
 // If the parameter contains secret references, they will be resolved 
  
 // and the actual secret values will be included in the rendered output. 
  
 // Be cautious with logging or displaying this information. 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Rendered payload: %s\n" 
 , 
  
 rendered 
 . 
 RenderedPayload 
 ) 
  
 return 
  
 nil 
 }

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 com.google.cloud.parametermanager.v1. ParameterManagerClient 
 
 ; 
 import 
  
 com.google.cloud.parametermanager.v1. ParameterVersionName 
 
 ; 
 import 
  
 com.google.cloud.parametermanager.v1. RenderParameterVersionResponse 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 /** 
 * This class demonstrates how to render a parameter version using the Parameter Manager SDK for 
 * GCP. 
 */ 
 public 
  
 class 
 RenderParamVersion 
  
 { 
  
 public 
  
 static 
  
 void 
  
 main 
 ( 
 String 
 [] 
  
 args 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 String 
  
 parameterId 
  
 = 
  
 "your-parameter-id" 
 ; 
  
 String 
  
 versionId 
  
 = 
  
 "your-version-id" 
 ; 
  
 // Call the method to render a parameter version. 
  
 renderParamVersion 
 ( 
 projectId 
 , 
  
 parameterId 
 , 
  
 versionId 
 ); 
  
 } 
  
 // This is an example snippet to render a parameter version. 
  
 public 
  
 static 
  
  RenderParameterVersionResponse 
 
  
 renderParamVersion 
 ( 
  
 String 
  
 projectId 
 , 
  
 String 
  
 parameterId 
 , 
  
 String 
  
 versionId 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // Initialize the client that will be used to send requests. This client only 
  
 // needs to be created once, and can be reused for multiple requests. 
  
 try 
  
 ( 
  ParameterManagerClient 
 
  
 client 
  
 = 
  
  ParameterManagerClient 
 
 . 
 create 
 ()) 
  
 { 
  
 String 
  
 locationId 
  
 = 
  
 "global" 
 ; 
  
 // Build the parameter version name. 
  
  ParameterVersionName 
 
  
 parameterVersionName 
  
 = 
  
  ParameterVersionName 
 
 . 
 of 
 ( 
 projectId 
 , 
  
 locationId 
 , 
  
 parameterId 
 , 
  
 versionId 
 ); 
  
 // Render the parameter version. 
  
  RenderParameterVersionResponse 
 
  
 response 
  
 = 
  
 client 
 . 
 renderParameterVersion 
 ( 
 parameterVersionName 
 . 
  toString 
 
 ()); 
  
 System 
 . 
 out 
 . 
 printf 
 ( 
  
 "Rendered parameter version payload: %s\n" 
 , 
  
 response 
 . 
  getRenderedPayload 
 
 (). 
 toStringUtf8 
 ()); 
  
 return 
  
 response 
 ; 
  
 } 
  
 } 
 }

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  /** 
 * TODO(developer): Uncomment these variables before running the sample. 
 */ 
 // const projectId = 'YOUR_PROJECT_ID'; 
 // const parameterId = 'YOUR_PARAMETER_ID'; 
 // const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID'; 
 // Imports the Parameter Manager library 
 const 
  
 { 
 ParameterManagerClient 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/parametermanager 
' 
 ); 
 // Instantiates a client 
 const 
  
 client 
  
 = 
  
 new 
  
  ParameterManagerClient 
 
 (); 
 async 
  
 function 
  
 renderParamVersion 
 () 
  
 { 
  
 // Construct the parameter version name 
  
 const 
  
 name 
  
 = 
  
 client 
 . 
  parameterVersionPath 
 
 ( 
  
 projectId 
 , 
  
 'global' 
 , 
  
 parameterId 
 , 
  
 parameterVersionId 
  
 ); 
  
 // Construct the request 
  
 const 
  
 request 
  
 = 
  
 { 
  
 name 
 : 
  
 name 
 , 
  
 }; 
  
 // Render the parameter version 
  
 const 
  
 [ 
 parameterVersion 
 ] 
  
 = 
  
 await 
  
 client 
 . 
 renderParameterVersion 
 ( 
 request 
 ); 
  
 console 
 . 
 log 
 ( 
  
 `Rendered parameter version: 
 ${ 
 parameterVersion 
 . 
 parameterVersion 
 } 
 ` 
  
 ); 
  
 // If the parameter contains secret references, they will be resolved 
  
 // and the actual secret values will be included in the rendered output. 
  
 // Be cautious with logging or displaying this information. 
  
 console 
 . 
 log 
 ( 
  
 'Rendered payload: ' 
 , 
  
 parameterVersion 
 . 
 renderedPayload 
 . 
 toString 
 ( 
 'utf-8' 
 ) 
  
 ); 
  
 return 
  
 parameterVersion 
 ; 
 } 
 return 
  
 await 
  
 renderParamVersion 
 ();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  // Import necessary classes for render a parameter version. 
 use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient; 
 use Google\Cloud\ParameterManager\V1\RenderParameterVersionRequest; 
 /** 
 * Renders a parameter version using the Parameter Manager SDK for GCP. 
 * 
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project') 
 * @param string $parameterId The Parameter ID (e.g. 'my-param') 
 * @param string $versionId The Version ID (e.g. 'my-param-version') 
 */ 
 function render_param_version(string $projectId, string $parameterId, string $versionId): void 
 { 
 // Create a client for the Parameter Manager service. 
 $client = new ParameterManagerClient(); 
 // Build the resource name of the parameter version. 
 $parameterVersionName = $client->parameterVersionName($projectId, 'global', $parameterId, $versionId); 
 // Prepare the request to render the parameter version. 
 $request = (new RenderParameterVersionRequest())->setName($parameterVersionName); 
 // Retrieve the render parameter version using the client. 
 $parameterVersion = $client->renderParameterVersion($request); 
 // Print the retrieved parameter version details. 
 printf('Rendered parameter version payload: %s' . PHP_EOL, $parameterVersion->getRenderedPayload()); 
 }

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  def 
  
 render_param_version 
 ( 
 project_id 
 : 
 str 
 , 
 parameter_id 
 : 
 str 
 , 
 version_id 
 : 
 str 
 ) 
 - 
> parametermanager_v1 
 . 
 RenderParameterVersionResponse 
 : 
  
 """ 
 Retrieves and renders the details of a specific version of an 
 existing parameter in the global location of the specified project 
 using the Google Cloud Parameter Manager SDK. 
 Args: 
 project_id (str): The ID of the project where the parameter is located. 
 parameter_id (str): The ID of the parameter for 
 which version details are to be rendered. 
 version_id (str): The ID of the version to be rendered. 
 Returns: 
 parametermanager_v1.RenderParameterVersionResponse: An object 
 representing the rendered parameter version. 
 Example: 
 render_param_version( 
 "my-project", 
 "my-global-parameter", 
 "v1" 
 ) 
 """ 
 # Import the necessary library for Google Cloud Parameter Manager. 
 from 
  
 google.cloud 
  
 import 
 parametermanager_v1 
 # Create the Parameter Manager client. 
 client 
 = 
 parametermanager_v1 
 . 
 ParameterManagerClient 
 () 
 # Build the resource name of the parameter version. 
 name 
 = 
 client 
 . 
 parameter_version_path 
 ( 
 project_id 
 , 
 "global" 
 , 
 parameter_id 
 , 
 version_id 
 ) 
 # Define the request to render the parameter version. 
 request 
 = 
 parametermanager_v1 
 . 
 RenderParameterVersionRequest 
 ( 
 name 
 = 
 name 
 ) 
 # Get the rendered parameter version details. 
 response 
 = 
 client 
 . 
 render_parameter_version 
 ( 
 request 
 = 
 request 
 ) 
 # Print the rendered parameter version payload. 
 print 
 ( 
 f 
 "Rendered parameter version payload: " 
 f 
 " 
 { 
 response 
 . 
 rendered_payload 
 . 
 decode 
 ( 
 'utf-8' 
 ) 
 } 
 " 
 )

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  require 
  
 "google/cloud/parameter_manager" 
 ## 
 # Render a parameter version 
 # 
 # @param project_id [String] The Google Cloud project (e.g. "my-project") 
 # @param parameter_id [String] The parameter name (e.g. "my-parameter") 
 # @param version_id [String] The version name (e.g. "my-version") 
 # 
 def 
  
 render_param_version 
  
 project_id 
 :, 
  
 parameter_id 
 :, 
  
 version_id 
 : 
  
 # Create a Parameter Manager client. 
  
 client 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  ParameterManager 
 
 . 
  parameter_manager 
 
  
 # Build the resource name of the parent project. 
  
 name 
  
 = 
  
 client 
 . 
  parameter_version_path 
 
  
 project 
 : 
  
 project_id 
 , 
  
 location 
 : 
  
 "global" 
 , 
  
 parameter 
 : 
  
 parameter_id 
 , 
  
 parameter_version 
 : 
  
 version_id 
  
 # Retrieve the parameter version. 
  
 param_version 
  
 = 
  
 client 
 . 
 render_parameter_version 
  
 name 
 : 
  
 name 
  
 # Print the retrieved render parameter version name. 
  
 puts 
  
 "Rendered parameter version payload: 
 #{ 
 param_version 
 . 
  rendered_payload 
 
 } 
 " 
 end

Regional parameters

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
Click Parameter Manager to go to the Parameter Manager page. You'll see the list of parameters for that project.
Click the parameter name to access its versions. The parameter details page opens with the Versions tab in focus where you can see all the versions belonging to the selected parameter.
Select the parameter version with the secret reference.
Click the Actions menu associated with that version, and then click Render .

A new page is displayed with the payload and the rendered value of the parameter version.

gcloud

Before using any of the command data below, make the following replacements:

PARAMETER_VERSION_ID : the ID of the parameter version
PARAMETER_ID : the name of the parameter
LOCATION : the Google Cloud location of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud  
parametermanager  
parameters  
versions  
render  
 PARAMETER_VERSION_ID 
  
--parameter = 
 PARAMETER_ID 
  
--location = 
 LOCATION

Windows (PowerShell)

gcloud  
parametermanager  
parameters  
versions  
render  
 PARAMETER_VERSION_ID 
  
--parameter = 
 PARAMETER_ID 
  
--location = 
 LOCATION

Windows (cmd.exe)

gcloud  
parametermanager  
parameters  
versions  
render  
 PARAMETER_VERSION_ID 
  
--parameter = 
 PARAMETER_ID 
  
--location = 
 LOCATION

You should receive a response similar to the following:

parameterVersion: projects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/v4
payload:
  data: ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL2xvY2F0aW9ucy91cy1jZW50cmFsMS9zZWNyZXRzL2R1cmFibGUtc2VjcmV0L3ZlcnNpb25zLzEpCg==
renderedPayload: ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo=

REST

Before using any of the request data, make the following replacements:

LOCATION : the Google Cloud location of the parameter
PROJECT_ID : the Google Cloud project ID
PARAMETER_ID : the name of the parameter
PARAMETER_VERSION_ID : the ID of the parameter version

HTTP method and URL:

GET https://parametermanager. LOCATION 
.rep.googleapis.com/v1/projects/ PROJECT_ID 
/locations/ LOCATION 
/parameters/ PARAMETER_ID 
/versions/ PARAMETER_VERSION_ID 
:render

Request JSON body:

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json , and execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager. LOCATION 
.rep.googleapis.com/v1/projects/ PROJECT_ID 
/locations/ LOCATION 
/parameters/ PARAMETER_ID 
/versions/ PARAMETER_VERSION_ID 
:render"

PowerShell

Save the request body in a file named request.json , and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager. LOCATION 
.rep.googleapis.com/v1/projects/ PROJECT_ID 
/locations/ LOCATION 
/parameters/ PARAMETER_ID 
/versions/ PARAMETER_VERSION_ID 
:render" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "parameterVersion": "pprojects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/v3",
  "payload": {
    "data": "ZGJfcGFzc3dvcmQ6IF9fUkVGX18oLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL3BtLWNlcC1wcm9kL2xvY2F0aW9ucy91cy1jZW50cmFsMS9zZWNyZXRzL2R1cmFibGUtc2VjcmV0L3ZlcnNpb25zLzEpCg=="
  },
  "renderedPayload": "ZGJfcGFzc3dvcmQ6IHRlc3Qtc2VjcmV0Cgo="
}

C#

To run this code, first set up a C# development environment and install the Parameter Manager C# SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  using 
  
  Google.Cloud.ParameterManager.V1 
 
 ; 
 using 
  
 System.Text 
 ; 
 public 
  
 class 
  
 RenderRegionalParameterVersionSample 
 { 
  
 /// <summary> 
  
 /// This function renders a regional parameter version using the Parameter Manager SDK for GCP. 
  
 /// </summary> 
  
 /// <param name="projectId">The ID of the project where the parameter is located.</param> 
  
 /// <param name="locationId">The ID of the region where the parameter is located.</param> 
  
 /// <param name="parameterId">The ID of the parameter for which the version is to be rendered.</param> 
  
 /// <param name="versionId">The ID of the version to be rendered.</param> 
  
 /// <returns>The rendered parameter version data as a string.</returns> 
  
 public 
  
 string 
  
 RenderRegionalParameterVersion 
 ( 
  
 string 
  
 projectId 
 , 
  
 string 
  
 locationId 
 , 
  
 string 
  
 parameterId 
 , 
  
 string 
  
 versionId 
 ) 
  
 { 
  
 // Define the regional endpoint 
  
 string 
  
 regionalEndpoint 
  
 = 
  
 $"parametermanager.{locationId}.rep.googleapis.com" 
 ; 
  
 // Create the client with the regional endpoint 
  
  ParameterManagerClient 
 
  
 client 
  
 = 
  
 new 
  
  ParameterManagerClientBuilder 
 
  
 { 
  
 Endpoint 
  
 = 
  
 regionalEndpoint 
  
 }. 
  Build 
 
 (); 
  
 // Build the resource name for the parameter version in the specified regional locationId 
  
  ParameterVersionName 
 
  
 parameterVersionName 
  
 = 
  
 new 
  
  ParameterVersionName 
 
 ( 
 projectId 
 , 
  
 locationId 
 , 
  
 parameterId 
 , 
  
 versionId 
 ); 
  
 // Call the API to render the parameter version 
  
  RenderParameterVersionResponse 
 
  
 renderParameterVersionResponse 
  
 = 
  
 client 
 . 
  RenderParameterVersion 
 
 ( 
 parameterVersionName 
 ); 
  
 // Decode the base64 encoded data 
  
 string 
  
 decodedData 
  
 = 
  
 Encoding 
 . 
 UTF8 
 . 
 GetString 
 ( 
 renderParameterVersionResponse 
 . 
  RenderedPayload 
 
 . 
 ToByteArray 
 ()); 
  
 // Print the rendered parameter version data 
  
 Console 
 . 
 WriteLine 
 ( 
 $"Rendered regional parameter version payload: {decodedData}" 
 ); 
  
 // Return the rendered parameter version data 
  
 return 
  
 decodedData 
 ; 
  
 } 
 }

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 parametermanager 
  
 "cloud.google.com/go/parametermanager/apiv1" 
  
 parametermanagerpb 
  
 "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb" 
  
 "google.golang.org/api/option" 
 ) 
 // renderRegionalParamVersion renders a regional parameter version using the Parameter Manager SDK for GCP. 
 // 
 // w: The io.Writer object used to write the output. 
 // projectID: The ID of the project where the parameter is located. 
 // locationID: The ID of the region where the parameter is located. 
 // parameterID: The ID of the parameter for which the version is to be rendered. 
 // versionID: The ID of the version to be rendered. 
 // 
 // The function returns an error if the parameter version render retrieval fails. 
 func 
  
 renderRegionalParamVersion 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 projectID 
 , 
  
 locationID 
 , 
  
 parameterID 
 , 
  
 versionID 
  
 string 
 ) 
  
 error 
  
 { 
  
 // Create a new context. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 // Create a Parameter Manager client. 
  
 endpoint 
  
 := 
  
 fmt 
 . 
 Sprintf 
 ( 
 "parametermanager.%s.rep.googleapis.com:443" 
 , 
  
 locationID 
 ) 
  
 client 
 , 
  
 err 
  
 := 
  
 parametermanager 
 . 
  NewClient 
 
 ( 
 ctx 
 , 
  
 option 
 . 
 WithEndpoint 
 ( 
 endpoint 
 )) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to create Parameter Manager client: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
  Close 
 
 () 
  
 // Construct the name of the parameter version to render. 
  
 name 
  
 := 
  
 fmt 
 . 
 Sprintf 
 ( 
 "projects/%s/locations/%s/parameters/%s/versions/%s" 
 , 
  
 projectID 
 , 
  
 locationID 
 , 
  
 parameterID 
 , 
  
 versionID 
 ) 
  
 // Build the request to render the parameter version. 
  
 req 
  
 := 
  
& parametermanagerpb 
 . 
 RenderParameterVersionRequest 
 { 
  
 Name 
 : 
  
 name 
 , 
  
 } 
  
 // Call the API to render the parameter version. 
  
 rendered 
 , 
  
 err 
  
 := 
  
 client 
 . 
 RenderParameterVersion 
 ( 
 ctx 
 , 
  
 req 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to render parameter version: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Rendered regional parameter version: %s\n" 
 , 
  
 rendered 
 . 
 ParameterVersion 
 ) 
  
 // If the parameter contains secret references, they will be resolved 
  
 // and the actual secret values will be included in the rendered output. 
  
 // Be cautious with logging or displaying this information. 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Rendered payload: %s\n" 
 , 
  
 rendered 
 . 
 RenderedPayload 
 ) 
  
 return 
  
 nil 
 }

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  import 
  
 com.google.cloud.parametermanager.v1. ParameterManagerClient 
 
 ; 
 import 
  
 com.google.cloud.parametermanager.v1. ParameterManagerSettings 
 
 ; 
 import 
  
 com.google.cloud.parametermanager.v1. ParameterVersionName 
 
 ; 
 import 
  
 com.google.cloud.parametermanager.v1. RenderParameterVersionResponse 
 
 ; 
 import 
  
 java.io.IOException 
 ; 
 /** 
 * This class demonstrates how to render a regional parameter version using the Parameter Manager 
 * SDK for GCP. 
 */ 
 public 
  
 class 
 RenderRegionalParamVersion 
  
 { 
  
 public 
  
 static 
  
 void 
  
 main 
 ( 
 String 
 [] 
  
 args 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 String 
  
 locationId 
  
 = 
  
 "your-location-id" 
 ; 
  
 String 
  
 parameterId 
  
 = 
  
 "your-parameter-id" 
 ; 
  
 String 
  
 versionId 
  
 = 
  
 "your-version-id" 
 ; 
  
 // Call the method to render a regional parameter version. 
  
 renderRegionalParamVersion 
 ( 
 projectId 
 , 
  
 locationId 
 , 
  
 parameterId 
 , 
  
 versionId 
 ); 
  
 } 
  
 // This is an example snippet to render a regional parameter version. 
  
 public 
  
 static 
  
  RenderParameterVersionResponse 
 
  
 renderRegionalParamVersion 
 ( 
  
 String 
  
 projectId 
 , 
  
 String 
  
 locationId 
 , 
  
 String 
  
 parameterId 
 , 
  
 String 
  
 versionId 
 ) 
  
 throws 
  
 IOException 
  
 { 
  
 // Endpoint to call the regional parameter manager server 
  
 String 
  
 apiEndpoint 
  
 = 
  
 String 
 . 
 format 
 ( 
 "parametermanager.%s.rep.googleapis.com:443" 
 , 
  
 locationId 
 ); 
  
  ParameterManagerSettings 
 
  
 parameterManagerSettings 
  
 = 
  
  ParameterManagerSettings 
 
 . 
 newBuilder 
 (). 
 setEndpoint 
 ( 
 apiEndpoint 
 ). 
 build 
 (); 
  
 // Initialize the client that will be used to send requests. This client only 
  
 // needs to be created once, and can be reused for multiple requests. 
  
 try 
  
 ( 
  ParameterManagerClient 
 
  
 client 
  
 = 
  
  ParameterManagerClient 
 
 . 
 create 
 ( 
 parameterManagerSettings 
 )) 
  
 { 
  
 // Build the parameter version name. 
  
  ParameterVersionName 
 
  
 parameterVersionName 
  
 = 
  
  ParameterVersionName 
 
 . 
 of 
 ( 
 projectId 
 , 
  
 locationId 
 , 
  
 parameterId 
 , 
  
 versionId 
 ); 
  
 // Render the parameter version. 
  
  RenderParameterVersionResponse 
 
  
 response 
  
 = 
  
 client 
 . 
 renderParameterVersion 
 ( 
 parameterVersionName 
 . 
  toString 
 
 ()); 
  
 System 
 . 
 out 
 . 
 printf 
 ( 
  
 "Rendered regional parameter version payload: %s\n" 
 , 
  
 response 
 . 
  getRenderedPayload 
 
 (). 
 toStringUtf8 
 ()); 
  
 return 
  
 response 
 ; 
  
 } 
  
 } 
 }

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  /** 
 * TODO(developer): Uncomment these variables before running the sample. 
 */ 
 // const projectId = 'YOUR_PROJECT_ID'; 
 // const locationId = 'us-central1'; 
 // const parameterId = 'YOUR_PARAMETER_ID'; 
 // const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID'; 
 // Imports the Parameter Manager library 
 const 
  
 { 
 ParameterManagerClient 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/parametermanager 
' 
 ); 
 // Adding the endpoint to call the regional parameter manager server 
 const 
  
 options 
  
 = 
  
 { 
  
 apiEndpoint 
 : 
  
 `parametermanager. 
 ${ 
 locationId 
 } 
 .rep.googleapis.com` 
 , 
 }; 
 // Instantiates a client with regional endpoint 
 const 
  
 client 
  
 = 
  
 new 
  
  ParameterManagerClient 
 
 ( 
 options 
 ); 
 async 
  
 function 
  
 renderRegionalParamVersion 
 () 
  
 { 
  
 // Construct the parameter version name 
  
 const 
  
 name 
  
 = 
  
 client 
 . 
  parameterVersionPath 
 
 ( 
  
 projectId 
 , 
  
 locationId 
 , 
  
 parameterId 
 , 
  
 parameterVersionId 
  
 ); 
  
 // Construct the request 
  
 const 
  
 request 
  
 = 
  
 { 
  
 name 
 : 
  
 name 
 , 
  
 }; 
  
 // Render the parameter version 
  
 const 
  
 [ 
 paramVersions 
 ] 
  
 = 
  
 await 
  
 client 
 . 
 renderParameterVersion 
 ( 
 request 
 ); 
  
 console 
 . 
 log 
 ( 
  
 `Rendered regional parameter version: 
 ${ 
 paramVersions 
 . 
 parameterVersion 
 } 
 ` 
  
 ); 
  
 // If the parameter contains secret references, they will be resolved 
  
 // and the actual secret values will be included in the rendered output. 
  
 // Be cautious with logging or displaying this information. 
  
 console 
 . 
 log 
 ( 
  
 'Rendered payload: ' 
 , 
  
 paramVersions 
 . 
 renderedPayload 
 . 
 toString 
 ( 
 'utf-8' 
 ) 
  
 ); 
  
 return 
  
 paramVersions 
 ; 
 } 
 return 
  
 await 
  
 renderRegionalParamVersion 
 ();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  // Import necessary classes for render a parameter version. 
 use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient; 
 use Google\Cloud\ParameterManager\V1\RenderParameterVersionRequest; 
 /** 
 * Renders a regional parameter version using the Parameter Manager SDK for GCP. 
 * 
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project') 
 * @param string $locationId The Parameter Location (e.g. 'us-central1') 
 * @param string $parameterId The Parameter ID (e.g. 'my-param') 
 * @param string $versionId The Version ID (e.g. 'my-param-version') 
 */ 
 function render_regional_param_version(string $projectId, string $locationId, string $parameterId, string $versionId): void 
 { 
 // Specify regional endpoint. 
 $options = ['apiEndpoint' => "parametermanager.$locationId.rep.googleapis.com"]; 
 // Create a client for the Parameter Manager service. 
 $client = new ParameterManagerClient($options); 
 // Build the resource name of the parameter version. 
 $parameterVersionName = $client->parameterVersionName($projectId, $locationId, $parameterId, $versionId); 
 // Prepare the request to render the parameter version. 
 $request = (new RenderParameterVersionRequest())->setName($parameterVersionName); 
 // Retrieve the render parameter version using the client. 
 $parameterVersion = $client->renderParameterVersion($request); 
 // Print the retrieved parameter version details. 
 printf('Rendered regional parameter version payload: %s' . PHP_EOL, $parameterVersion->getRenderedPayload()); 
 }

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  def 
  
 render_regional_param_version 
 ( 
 project_id 
 : 
 str 
 , 
 location_id 
 : 
 str 
 , 
 parameter_id 
 : 
 str 
 , 
 version_id 
 : 
 str 
 ) 
 - 
> parametermanager_v1 
 . 
 RenderParameterVersionResponse 
 : 
  
 """ 
 Retrieves and renders the details of a specific version of an 
 existing parameter in the specified region of the specified project 
 using the Google Cloud Parameter Manager SDK. 
 Args: 
 project_id (str): The ID of the project where the parameter is located. 
 location_id (str): The ID of the region where the parameter is located. 
 parameter_id (str): The ID of the parameter for 
 which version details are to be rendered. 
 version_id (str): The ID of the version to be rendered. 
 Returns: 
 parametermanager_v1.RenderParameterVersionResponse: An object 
 representing the rendered parameter version. 
 Example: 
 render_regional_param_version( 
 "my-project", 
 "us-central1", 
 "my-regional-parameter", 
 "v1" 
 ) 
 """ 
 # Import the necessary library for Google Cloud Parameter Manager. 
 from 
  
 google.cloud 
  
 import 
  parametermanager_v1 
 
 # Create the Parameter Manager client with the regional endpoint. 
 api_endpoint 
 = 
 f 
 "parametermanager. 
 { 
 location_id 
 } 
 .rep.googleapis.com" 
 client 
 = 
  parametermanager_v1 
 
 . 
  ParameterManagerClient 
 
 ( 
 client_options 
 = 
 { 
 "api_endpoint" 
 : 
 api_endpoint 
 } 
 ) 
 # Build the resource name of the parameter version. 
 name 
 = 
 client 
 . 
  parameter_version_path 
 
 ( 
 project_id 
 , 
 location_id 
 , 
 parameter_id 
 , 
 version_id 
 ) 
 # Define the request to render the parameter version. 
 request 
 = 
  parametermanager_v1 
 
 . 
  RenderParameterVersionRequest 
 
 ( 
 name 
 = 
 name 
 ) 
 # Get the rendered parameter version details. 
 response 
 = 
 client 
 . 
  render_parameter_version 
 
 ( 
 request 
 = 
 request 
 ) 
 # Print the response payload. 
 print 
 ( 
 f 
 "Rendered regional parameter version payload: " 
 f 
 " 
 { 
 response 
 . 
 rendered_payload 
 . 
 decode 
 ( 
 'utf-8' 
 ) 
 } 
 " 
 )

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

  require 
  
 "google/cloud/parameter_manager" 
 ## 
 # Render a regional parameter version 
 # 
 # @param project_id [String] The Google Cloud project (e.g. "my-project") 
 # @param location_id [String] The location name (e.g. "us-central1") 
 # @param parameter_id [String] The parameter name (e.g. "my-parameter") 
 # @param version_id [String] The version name (e.g. "my-version") 
 # 
 def 
  
 render_regional_param_version 
  
 project_id 
 :, 
  
 location_id 
 :, 
  
 parameter_id 
 :, 
  
 version_id 
 : 
  
 # Endpoint for the regional parameter manager service. 
  
 api_endpoint 
  
 = 
  
 "parametermanager. 
 #{ 
 location_id 
 } 
 .rep.googleapis.com" 
  
 # Create the Parameter Manager client. 
  
 client 
  
 = 
  
 Google 
 :: 
 Cloud 
 :: 
  ParameterManager 
 
 . 
  parameter_manager 
 
  
 do 
  
 | 
 config 
 | 
  
 config 
 . 
 endpoint 
  
 = 
  
 api_endpoint 
  
 end 
  
 # Build the resource name of the parent project. 
  
 name 
  
 = 
  
 client 
 . 
  parameter_version_path 
 
  
 project 
 : 
  
 project_id 
 , 
  
 location 
 : 
  
 location_id 
 , 
  
 parameter 
 : 
  
 parameter_id 
 , 
  
 parameter_version 
 : 
  
 version_id 
  
 # Retrieve the parameter version. 
  
 param_version 
  
 = 
  
 client 
 . 
 render_parameter_version 
  
 name 
 : 
  
 name 
  
 # Print the retrieved render parameter version name. 
  
 puts 
  
 "Rendered regional parameter version payload: 
 #{ 
 param_version 
 . 
  rendered_payload 
 
 } 
 " 
 end

This method returns the parameter version metadata as well as the following two values:

Payload: the raw, unprocessed parameter payload. This payload can have many key-value pairs, some of which might contain secrets. The data field within it holds a Base64-encoded string. If you decode this string, you'll find that the raw payload contains references ( REF(...)) to locations where the secrets are stored. Note that each parameter version can contain up to 15 secret references.
Rendered Payload: the key-value pairs with actual secret values as a Base64-encoded string. Decode this string to fetch the parameter payload with rendered secret values.

Render secrets referenced within a parameter version Stay organized with collections Save and categorize content based on your preferences.

Required roles

Render the secret referenced within a parameter version

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

Console

gcloud

Linux, macOS, or Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

What's next

Render secrets referenced within a parameter version