Console
    Contact Us Start free

    Package google.cloud.secretmanager.v1

    Index

    SecretManagerService

    Secret Manager Service

    Manages secrets and operations using those secrets. Implements a REST model with the following objects:

    AccessSecretVersion

    rpc AccessSecretVersion( AccessSecretVersionRequest ) returns ( AccessSecretVersionResponse )

    Accesses a SecretVersion . This call returns the secret data.

    projects/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    AddSecretVersion

    rpc AddSecretVersion( AddSecretVersionRequest ) returns ( SecretVersion )

    Creates a new SecretVersion containing secret data and attaches it to an existing Secret .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    CreateSecret

    rpc CreateSecret( CreateSecretRequest ) returns ( Secret )

    Creates a new Secret containing no SecretVersions .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DeleteSecret

    rpc DeleteSecret( DeleteSecretRequest ) returns ( Empty )

    Deletes a Secret .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DestroySecretVersion

    rpc DestroySecretVersion( DestroySecretVersionRequest ) returns ( SecretVersion )

    Destroys a SecretVersion .

    Sets the state of the SecretVersion to DESTROYED and irrevocably destroys the secret data.

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    DisableSecretVersion

    rpc DisableSecretVersion( DisableSecretVersionRequest ) returns ( SecretVersion )

    Disables a SecretVersion .

    Sets the state of the SecretVersion to DISABLED .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    EnableSecretVersion

    rpc EnableSecretVersion( EnableSecretVersionRequest ) returns ( SecretVersion )

    Enables a SecretVersion .

    Sets the state of the SecretVersion to ENABLED .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    GetIamPolicy

    rpc GetIamPolicy( GetIamPolicyRequest ) returns ( Policy )

    Gets the access control policy for a secret. Returns empty policy if the secret exists and does not have a policy set.

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    GetSecret

    rpc GetSecret( GetSecretRequest ) returns ( Secret )

    Gets metadata for a given Secret .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    GetSecretVersion

    rpc GetSecretVersion( GetSecretVersionRequest ) returns ( SecretVersion )

    Gets metadata for a SecretVersion .

    projects/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    ListSecretVersions

    rpc ListSecretVersions( ListSecretVersionsRequest ) returns ( ListSecretVersionsResponse )

    Lists SecretVersions . This call does not return secret data.

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    ListSecrets

    rpc ListSecrets( ListSecretsRequest ) returns ( ListSecretsResponse )

    Lists Secrets .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    SetIamPolicy

    rpc SetIamPolicy( SetIamPolicyRequest ) returns ( Policy )

    Sets the access control policy on the specified secret. Replaces any existing policy.

    Permissions on SecretVersions are enforced according to the policy set on the associated Secret .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    TestIamPermissions

    rpc TestIamPermissions( TestIamPermissionsRequest ) returns ( TestIamPermissionsResponse )

    Returns permissions that a caller has for the specified secret. If the secret does not exist, this call returns an empty set of permissions, not a NOT_FOUND error.

    Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    UpdateSecret

    rpc UpdateSecret( UpdateSecretRequest ) returns ( Secret )

    Updates metadata of an existing Secret .

    Authorization scopes

    Requires the following OAuth scope:

    • https://www.googleapis.com/auth/cloud-platform

    For more information, see the Authentication Overview .

    AccessSecretVersionRequest

    Request message for SecretManagerService.AccessSecretVersion .

    Fields
    name

    string

    Required. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/* .

    projects/*/secrets/*/versions/latest or projects/*/locations/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion .

    Authorization requires the following IAM permission on the specified resource name :

    • secretmanager.versions.access

    AccessSecretVersionResponse

    Response message for SecretManagerService.AccessSecretVersion .

    Fields
    name

    string

    The resource name of the SecretVersion in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/* .
    payload

    SecretPayload

    Secret payload

    AddSecretVersionRequest

    Request message for SecretManagerService.AddSecretVersion .

    Fields
    parent

    string

    Required. The resource name of the Secret to associate with the SecretVersion in the format projects/*/secrets/* or projects/*/locations/*/secrets/* .

    Authorization requires the following IAM permission on the specified resource parent :

    • secretmanager.versions.add
    payload

    SecretPayload

    Required. The secret payload of the SecretVersion .

    CreateSecretRequest

    Request message for SecretManagerService.CreateSecret .

    Fields
    parent

    string

    Required. The resource name of the project to associate with the Secret , in the format projects/* or projects/*/locations/* .

    Authorization requires the following IAM permission on the specified resource parent :

    • secretmanager.secrets.create
    secret_id

    string

    Required. This must be unique within the project.

    A secret ID is a string with a maximum length of 255 characters and can contain uppercase and lowercase letters, numerals, and the hyphen ( - ) and underscore ( _ ) characters.

    secret

    Secret

    Required. A Secret with initial field values.

    CustomerManagedEncryption

    Configuration for encrypting secret payloads using customer-managed encryption keys (CMEK).

    Fields
    kms_key_name

    string

    Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.

    For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the [replica location][Secret.UserManaged.Replica.location].

    For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global .

    The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/* .

    CustomerManagedEncryptionStatus

    Describes the status of customer-managed encryption.

    Fields
    kms_key_version_name

    string

    Required. The resource name of the Cloud KMS CryptoKeyVersion used to encrypt the secret payload, in the following format: projects/*/locations/*/keyRings/*/cryptoKeys/*/versions/* .

    DeleteSecretRequest

    Request message for SecretManagerService.DeleteSecret .

    Fields
    name

    string

    Required. The resource name of the Secret to delete in the format projects/*/secrets/* .

    Authorization requires the following IAM permission on the specified resource name :

    • secretmanager.secrets.delete
    etag

    string

    Optional. Etag of the Secret . The request succeeds if it matches the etag of the currently stored secret object. If the etag is omitted, the request succeeds.

    DestroySecretVersionRequest

    Request message for SecretManagerService.DestroySecretVersion .

    Fields
    name

    string

    Required. The resource name of the SecretVersion to destroy in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/* .

    Authorization requires the following IAM permission on the specified resource name :

    • secretmanager.versions.destroy
    etag

    string

    Optional. Etag of the SecretVersion . The request succeeds if it matches the etag of the currently stored secret version object. If the etag is omitted, the request succeeds.

    DisableSecretVersionRequest

    Request message for SecretManagerService.DisableSecretVersion .

    Fields
    name

    string

    Required. The resource name of the SecretVersion to disable in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/* .

    Authorization requires the following IAM permission on the specified resource name :

    • secretmanager.secrets.disable
    etag

    string

    Optional. Etag of the SecretVersion . The request succeeds if it matches the etag of the currently stored secret version object. If the etag is omitted, the request succeeds.

    EnableSecretVersionRequest

    Request message for SecretManagerService.EnableSecretVersion .

    Fields
    name

    string

    Required. The resource name of the SecretVersion to enable in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/* .

    Authorization requires the following IAM permission on the specified resource name :

    • secretmanager.secrets.enable
    etag

    string

    Optional. Etag of the SecretVersion . The request succeeds if it matches the etag of the currently stored secret version object. If the etag is omitted, the request succeeds.

    GetSecretRequest

    Request message for SecretManagerService.GetSecret .

    Fields
    name

    string

    Required. The resource name of the Secret , in the format projects/*/secrets/* or projects/*/locations/*/secrets/* .

    Authorization requires the following IAM permission on the specified resource name :

    • secretmanager.secrets.get

    GetSecretVersionRequest

    Request message for SecretManagerService.GetSecretVersion .

    Fields
    name

    string

    Required. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/* .

    projects/*/secrets/*/versions/latest or projects/*/locations/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion .

    Authorization requires the following IAM permission on the specified resource name :

    • secretmanager.versions.get

    ListSecretVersionsRequest

    Request message for SecretManagerService.ListSecretVersions .

    Fields
    parent

    string

    Required. The resource name of the Secret associated with the SecretVersions to list, in the format projects/*/secrets/* or projects/*/locations/*/secrets/* .

    Authorization requires the following IAM permission on the specified resource parent :

    • secretmanager.versions.list
    page_size

    int32

    Optional. The maximum number of results to be returned in a single page. If set to 0, the server decides the number of results to return. If the number is greater than 25000, it is capped at 25000.

    page_token

    string

    Optional. Pagination token, returned earlier via ListSecretVersionsResponse.next_page_token][].

    filter

    string

    Optional. Filter string, adhering to the rules in List-operation filtering . List only secret versions matching the filter. If filter is empty, all secret versions are listed.

    ListSecretVersionsResponse

    Response message for SecretManagerService.ListSecretVersions .

    Fields
    versions[]

    SecretVersion

    The list of SecretVersions sorted in reverse by create_time (newest first).
    next_page_token

    string

    A token to retrieve the next page of results. Pass this value in ListSecretVersionsRequest.page_token to retrieve the next page.
    total_size

    int32

    The total number of SecretVersions but 0 when the ListSecretsRequest.filter field is set.

    ListSecretsRequest

    Request message for SecretManagerService.ListSecrets .

    Fields
    parent

    string

    Required. The resource name of the project associated with the Secrets , in the format projects/* or projects/*/locations/*

    Authorization requires the following IAM permission on the specified resource parent :

    • secretmanager.secrets.list
    page_size

    int32

    Optional. The maximum number of results to be returned in a single page. If set to 0, the server decides the number of results to return. If the number is greater than 25000, it is capped at 25000.

    page_token

    string

    Optional. Pagination token, returned earlier via ListSecretsResponse.next_page_token .

    filter

    string

    Optional. Filter string, adhering to the rules in List-operation filtering . List only secrets matching the filter. If filter is empty, all secrets are listed.

    ListSecretsResponse

    Response message for SecretManagerService.ListSecrets .

    Fields
    secrets[]

    Secret

    The list of Secrets sorted in reverse by create_time (newest first).
    next_page_token

    string

    A token to retrieve the next page of results. Pass this value in ListSecretsRequest.page_token to retrieve the next page.
    total_size

    int32

    The total number of Secrets but 0 when the ListSecretsRequest.filter field is set.

    Replication

    A policy that defines the replication and encryption configuration of data.

    Fields
    Union field replication . The replication policy for this secret. replication can be only one of the following:
    automatic

    Automatic

    The Secret will automatically be replicated without any restrictions.

    user_managed

    UserManaged

    The Secret will only be replicated into the locations specified.

    Automatic

    A replication policy that replicates the Secret payload without any restrictions.

    Fields
    customer_managed_encryption

    CustomerManagedEncryption

    Optional. The customer-managed encryption configuration of the Secret . If no configuration is provided, Google-managed default encryption is used.

    Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions .

    UserManaged

    A replication policy that replicates the Secret payload into the locations specified in [Secret.replication.user_managed.replicas][]

    Fields
    replicas[]

    Replica

    Required. The list of Replicas for this Secret .

    Cannot be empty.

    Replica

    Represents a Replica for this Secret .

    Fields
    location

    string

    The canonical IDs of the location to replicate data. For example: "us-east1" .
    customer_managed_encryption

    CustomerManagedEncryption

    Optional. The customer-managed encryption configuration of the [User-Managed Replica][Replication.UserManaged.Replica]. If no configuration is provided, Google-managed default encryption is used.

    Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions .

    ReplicationStatus

    The replication status of a SecretVersion .

    Fields
    Union field replication_status . The replication status of the SecretVersion . replication_status can be only one of the following:
    automatic

    AutomaticStatus

    Describes the replication status of a SecretVersion with automatic replication.

    Only populated if the parent Secret has an automatic replication policy.

    user_managed

    UserManagedStatus

    Describes the replication status of a SecretVersion with user-managed replication.

    Only populated if the parent Secret has a user-managed replication policy.

    AutomaticStatus

    The replication status of a SecretVersion using automatic replication.

    Only populated if the parent Secret has an automatic replication policy.

    Fields
    customer_managed_encryption

    CustomerManagedEncryptionStatus

    Output only. The customer-managed encryption status of the SecretVersion . Only populated if customer-managed encryption is used.

    UserManagedStatus

    The replication status of a SecretVersion using user-managed replication.

    Only populated if the parent Secret has a user-managed replication policy.

    Fields
    replicas[]

    ReplicaStatus

    Output only. The list of replica statuses for the SecretVersion .

    ReplicaStatus

    Describes the status of a user-managed replica for the SecretVersion .

    Fields
    location

    string

    Output only. The canonical ID of the replica location. For example: "us-east1" .
    customer_managed_encryption

    CustomerManagedEncryptionStatus

    Output only. The customer-managed encryption status of the SecretVersion . Only populated if customer-managed encryption is used.

    Rotation

    The rotation time and period for a Secret . At next_rotation_time, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. Secret.topics must be set to configure rotation.

    Fields
    next_rotation_time

    Timestamp

    Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Cannot be set to less than 300s (5 min) in the future and at most 3153600000s (100 years).

    next_rotation_time MUST be set if rotation_period is set.
    rotation_period

    Duration

    Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).

    If rotation_period is set, next_rotation_time must be set. next_rotation_time will be advanced by this period when the service automatically sends rotation notifications.

    Secret

    A Secret is a logical secret whose value and versions can be accessed.

    A Secret is made up of zero or more SecretVersions that represent the secret data.

    Fields
    name

    string

    Output only. The resource name of the Secret in the format projects/*/secrets/* .

    replication

    Replication

    Optional. Immutable. The replication policy of the secret data attached to the Secret .

    The replication policy cannot be changed after the Secret has been created.

    create_time

    Timestamp

    Output only. The time at which the Secret was created.

    labels

    map<string, string>

    The labels assigned to this Secret.

    Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}

    Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}

    No more than 64 labels can be assigned to a given resource.

    topics[]

    Topic

    Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.

    etag

    string

    Optional. Etag of the currently stored Secret .

    rotation

    Rotation

    Optional. Rotation policy attached to the Secret . May be excluded if there is no rotation policy.

    version_aliases

    map<string, int64>

    Optional. Mapping from version alias to version name.

    A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen ( - ) and underscore ('_') characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.

    Version-Alias pairs will be viewable via GetSecret and modifiable via UpdateSecret. Access by alias is only be supported on GetSecretVersion and AccessSecretVersion.

    annotations

    map<string, string>

    Optional. Custom metadata about the secret.

    Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database.

    Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols.

    The total size of annotation keys and values must be less than 16KiB.

    version_destroy_ttl

    Duration

    Optional. Secret Version TTL after destruction request

    This is a part of the Delayed secret version destroy feature. For secret with TTL>0, version destruction doesn't happen immediately on calling destroy instead the version goes to a disabled state and destruction happens after the TTL expires.

    customer_managed_encryption

    CustomerManagedEncryption

    Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used.

    Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions .

    Union field expiration . Expiration policy attached to the Secret . If specified the Secret and all SecretVersions will be automatically deleted at expiration. Expired secrets are irreversibly deleted.

    Expiration is not the recommended way to set time-based permissions. IAM Conditions is recommended for granting time-based permissions because the operation can be reversed. expiration can be only one of the following:

    expire_time

    Timestamp

    Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.

    ttl

    Duration

    Input only. The TTL for the Secret .

    SecretPayload

    A secret payload resource in the Secret Manager API. This contains the sensitive secret payload that is associated with a SecretVersion .

    Fields
    data

    bytes

    The secret data. Must be no larger than 64KiB.
    data_crc32c

    int64

    Optional. If specified, SecretManagerService will verify the integrity of the received data on SecretManagerService.AddSecretVersion calls using the crc32c checksum and store it to include in future SecretManagerService.AccessSecretVersion responses. If a checksum is not provided in the SecretManagerService.AddSecretVersion request, the SecretManagerService will generate and store one for you.

    The CRC32C value is encoded as a Int64 for compatibility, and can be safely downconverted to uint32 in languages that support this type. https://cloud.google.com/apis/design/design_patterns#integer_types

    SecretVersion

    A secret version resource in the Secret Manager API.

    Fields
    name

    string

    Output only. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/* .

    SecretVersion IDs in a Secret start at 1 and are incremented for each subsequent version of the secret.
    create_time

    Timestamp

    Output only. The time at which the SecretVersion was created.
    destroy_time

    Timestamp

    Output only. The time this SecretVersion was destroyed. Only present if state is DESTROYED .
    state

    State

    Output only. The current state of the SecretVersion .
    replication_status

    ReplicationStatus

    The replication status of the SecretVersion .
    etag

    string

    Output only. Etag of the currently stored SecretVersion .
    client_specified_payload_checksum

    bool

    Output only. True if payload checksum specified in SecretPayload object has been received by SecretManagerService on SecretManagerService.AddSecretVersion .
    scheduled_destroy_time

    Timestamp

    Optional. Output only. Scheduled destroy time for secret version. This is a part of the Delayed secret version destroy feature. For a Secret with a valid version destroy TTL, when a secert version is destroyed, version is moved to disabled state and it is scheduled for destruction Version is destroyed only after the scheduled_destroy_time.
    customer_managed_encryption

    CustomerManagedEncryptionStatus

    Output only. The customer-managed encryption status of the SecretVersion . Only populated if customer-managed encryption is used and Secret is a regionalized secret.

    State

    The state of a SecretVersion , indicating if it can be accessed.

    Enums
    STATE_UNSPECIFIED Not specified. This value is unused and invalid.
    ENABLED The SecretVersion may be accessed.
    DISABLED The SecretVersion may not be accessed, but the secret data is still available and can be placed back into the ENABLED state.
    DESTROYED The SecretVersion is destroyed and the secret data is no longer stored. A version may not leave this state once entered.

    Topic

    A Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.

    Fields
    name

    string

    Identifier. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/* . For publication to succeed, the Secret Manager service agent must have the pubsub.topic.publish permission on the topic. The Pub/Sub Publisher role ( roles/pubsub.publisher ) includes this permission.

    UpdateSecretRequest

    Request message for SecretManagerService.UpdateSecret .

    Fields
    secret

    Secret

    Required. Secret with updated field values.

    Authorization requires the following IAM permission on the specified resource secret :

    • secretmanager.secrets.update
    update_mask

    FieldMask

    Required. Specifies the fields to be updated.
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: