Console
    Contact Us Start free

    REST Resource: projects.secrets

    Resource: Secret

    A Secret is a logical secret whose value and versions can be accessed.

    A Secret is made up of zero or more SecretVersions that represent the secret data.

    JSON representation 
     { 
 "name" 
 : 
 string 
 , 
 "replication" 
 : 
 { 
 object (  Replication 
 
) 
 } 
 , 
 "createTime" 
 : 
 string 
 , 
 "labels" 
 : 
 { 
 string 
 : 
 string 
 , 
 ... 
 } 
 , 
 "topics" 
 : 
 [ 
 { 
 object (  Topic 
 
) 
 } 
 ] 
 , 
 "etag" 
 : 
 string 
 , 
 "rotation" 
 : 
 { 
 object (  Rotation 
 
) 
 } 
 , 
 "versionAliases" 
 : 
 { 
 string 
 : 
 string 
 , 
 ... 
 } 
 , 
 "annotations" 
 : 
 { 
 string 
 : 
 string 
 , 
 ... 
 } 
 , 
 // Union field expiration 
can be only one of the following: 
 "expireTime" 
 : 
 string 
 , 
 "ttl" 
 : 
 string 
 // End of list of possible types for union field expiration 
. 
 }
    Fields
    name

    string

    Output only. The resource name of the Secret in the format projects/*/secrets/* .

    replication

    object ( Replication )

    Required. Immutable. The replication policy of the secret data attached to the Secret .

    The replication policy cannot be changed after the Secret has been created.

    createTime

    string ( Timestamp format)

    Output only. The time at which the Secret was created.

    A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z" .

    labels

    map (key: string, value: string)

    The labels assigned to this Secret.

    Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}

    Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}

    No more than 64 labels can be assigned to a given resource.

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .

    topics[]

    object ( Topic )

    Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.

    etag

    string

    Optional. Etag of the currently stored Secret .

    rotation

    object ( Rotation )

    Optional. Rotation policy attached to the Secret . May be excluded if there is no rotation policy.

    versionAliases

    map (key: string, value: string ( int64 format))

    Optional. Mapping from version alias to version name.

    A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen ( - ) and underscore ('_') characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.

    Version-Alias pairs will be viewable via secrets.get and modifiable via secrets.patch. At launch Access by Allias will only be supported on GetSecretVersion and AccessSecretVersion.

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .

    annotations

    map (key: string, value: string)

    Optional. Custom metadata about the secret.

    Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database.

    Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols.

    The total size of annotation keys and values must be less than 16KiB.

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .

    Union field expiration . Expiration policy attached to the Secret . If specified the Secret and all SecretVersions will be automatically deleted at expiration. Expired secrets are irreversibly deleted.

    Expiration is not the recommended way to set time-based permissions. IAM Conditions is recommended for granting time-based permissions because the operation can be reversed. expiration can be only one of the following:

    expireTime

    string ( Timestamp format)

    Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.

    A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z" .

    ttl

    string ( Duration format)

    Input only. The TTL for the Secret .

    A duration in seconds with up to nine fractional digits, ending with ' s '. Example: "3.5s" .

    Replication

    A policy that defines the replication and encryption configuration of data.

    JSON representation 
     { 
 // Union field replication 
can be only one of the following: 
 "automatic" 
 : 
 { 
 object (  Automatic 
 
) 
 } 
 , 
 "userManaged" 
 : 
 { 
 object (  UserManaged 
 
) 
 } 
 // End of list of possible types for union field replication 
. 
 }
    Fields
    Union field replication . The replication policy for this secret. replication can be only one of the following:
    automatic

    object ( Automatic )

    The Secret will automatically be replicated without any restrictions.

    userManaged

    object ( UserManaged )

    The Secret will only be replicated into the locations specified.

    Automatic

    A replication policy that replicates the Secret payload without any restrictions.

    JSON representation 
     { 
 "customerManagedEncryption" 
 : 
 { 
 object (  CustomerManagedEncryption 
 
) 
 } 
 }
    Fields
    customerManagedEncryption

    object ( CustomerManagedEncryption )

    Optional. The customer-managed encryption configuration of the Secret . If no configuration is provided, Google-managed default encryption is used.

    Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions .

    CustomerManagedEncryption

    Configuration for encrypting secret payloads using customer-managed encryption keys (CMEK).

    JSON representation 
     { 
 "kmsKeyName" 
 : 
 string 
 }
    Fields
    kmsKeyName

    string

    Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.

    For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the [replica location][Secret.UserManaged.Replica.location].

    For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global .

    The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/* .

    UserManaged

    A replication policy that replicates the Secret payload into the locations specified in [Secret.replication.user_managed.replicas][]

    JSON representation 
     { 
 "replicas" 
 : 
 [ 
 { 
 object (  Replica 
 
) 
 } 
 ] 
 }
    Fields
    replicas[]

    object ( Replica )

    Required. The list of Replicas for this Secret .

    Cannot be empty.

    Replica

    Represents a Replica for this Secret .

    JSON representation 
     { 
 "location" 
 : 
 string 
 , 
 "customerManagedEncryption" 
 : 
 { 
 object (  CustomerManagedEncryption 
 
) 
 } 
 }
    Fields
    location

    string

    The canonical IDs of the location to replicate data. For example: "us-east1" .
    customerManagedEncryption

    object ( CustomerManagedEncryption )

    Optional. The customer-managed encryption configuration of the [User-Managed Replica][Replication.UserManaged.Replica]. If no configuration is provided, Google-managed default encryption is used.

    Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions .

    Topic

    A Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.

    JSON representation 
     { 
 "name" 
 : 
 string 
 }
    Fields
    name

    string

    Required. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/* . For publication to succeed, the Secret Manager service agent must have the pubsub.topic.publish permission on the topic. The Pub/Sub Publisher role ( roles/pubsub.publisher ) includes this permission.

    Rotation

    The rotation time and period for a Secret . At nextRotationTime, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. Secret.topics must be set to configure rotation.

    JSON representation 
     { 
 "nextRotationTime" 
 : 
 string 
 , 
 "rotationPeriod" 
 : 
 string 
 }
    Fields
    nextRotationTime

    string ( Timestamp format)

    Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Cannot be set to less than 300s (5 min) in the future and at most 3153600000s (100 years).

    nextRotationTime MUST be set if rotationPeriod is set.

    A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z" .
    rotationPeriod

    string ( Duration format)

    Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).

    If rotationPeriod is set, nextRotationTime must be set. nextRotationTime will be advanced by this period when the service automatically sends rotation notifications.

    A duration in seconds with up to nine fractional digits, ending with ' s '. Example: "3.5s" .

    Methods

    addVersion

    		Creates a new SecretVersion containing secret data and attaches it to an existing Secret .

    create

    		Creates a new Secret containing no SecretVersions .

    delete

    		Deletes a Secret .

    get

    		Gets metadata for a given Secret .

    getIamPolicy

    		Gets the access control policy for a secret.

    list

    		Lists Secrets .

    patch

    		Updates metadata of an existing Secret .

    setIamPolicy

    		Sets the access control policy on the specified secret.

    testIamPermissions

    		Returns permissions that a caller has for the specified secret.
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: