Console
    Contact Us Start free

    Access a regional secret version

    This page describes how to access a secret version. Accessing a secret version returns the secret contents and additional metadata about the secret version. To access a secret version using the Google Cloud CLI or the Secret Manager API, you must specify either its version ID or its alias , if assigned. You can also access the latest version of a secret by specifying latest as the version id.

    Required roles

    To get the permissions that you need to access a secret version, ask your administrator to grant you the Secret Manager Secret Accessor ( roles/secretmanager.secretAccessor ) IAM role on a secret. For more information about granting roles, see Manage access to projects, folders, and organizations .

    You might also be able to get the required permissions through custom roles or other predefined roles .

    Access a secret version

    To access a secret, use one of the following methods:

    Console

    1. In the Google Cloud console, go to the Secret Manager page.

      Go to Secret Manager

    2. On the Secret Manager page, click the Regional secrets tab, and then click a secret to access its versions.

    3. On the secret details page, in the Versions tab, select the secret version that you want to access.

    4. Click the Actions menu associated with the secret version, and then click View secret value .

    5. A dialog appears displaying the value of the secret version. Click Done to exit the dialog.

    gcloud

    Access a secret version

    Before using any of the command data below, make the following replacements:

    • VERSION_ID : the resource name of the secret version
    • SECRET_ID : the ID of the secret
    • LOCATION : the Google Cloud location of the secret

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION

    Windows (PowerShell)

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION

    Windows (cmd.exe)

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION

    Access a binary secret version

    To write raw bytes to a file use --out-file flag:

    Before using any of the command data below, make the following replacements:

    • VERSION_ID : the ID of the secret version
    • SECRET_ID : the ID of the secret
    • LOCATION : the Google Cloud location of the secret
    • PATH_TO_SECRET : the full path (including file name) where you want to save the retrieved secret value

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION 
  
--out-file = 
 " PATH_TO_SECRET 
"

    Windows (PowerShell)

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION 
  
--out-file = 
 " PATH_TO_SECRET 
"

    Windows (cmd.exe)

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION 
  
--out-file = 
 " PATH_TO_SECRET 
"

    Get the raw bytes

    To get the raw bytes, have Cloud SDK print the response as base64-encoded and decode:

    Before using any of the command data below, make the following replacements:

    • VERSION_ID : the ID of the secret version
    • SECRET_ID : the ID of the secret
    • LOCATION : the Google Cloud location of the secret

    Execute the following command:

    Linux, macOS, or Cloud Shell

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION 
  
--format = 
 'get(payload.data)' 
  
 | 
  
tr  
 '_-' 
  
 '/+' 
  
 | 
  
base64  
-d

    Windows (PowerShell)

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION 
  
--format = 
 'get(payload.data)' 
  
 | 
  
tr  
 '_-' 
  
 '/+' 
  
 | 
  
base64  
-d

    Windows (cmd.exe)

    gcloud  
secrets  
versions  
access  
 VERSION_ID 
  
--secret = 
 SECRET_ID 
  
--location = 
 LOCATION 
  
--format = 
 'get(payload.data)' 
  
 | 
  
tr  
 '_-' 
  
 '/+' 
  
 | 
  
base64  
-d

    The response contains the secret version.

    REST

    Access a secret version

    Before using any of the request data, make the following replacements:

    • LOCATION : the Google Cloud location of the secret
    • PROJECT_ID : the Google Cloud project ID
    • SECRET_ID : the ID of the secret
    • VERSION_ID : the ID of the secret version

    HTTP method and URL:

    GET https://secretmanager. LOCATION 
.rep.googleapis.com/v1/projects/ PROJECT_ID 
/locations/ LOCATION 
/secrets/ SECRET_ID 
/versions/ VERSION_ID 
:access

    Request JSON body:

    {}

    To send your request, choose one of these options:

    curl

    Save the request body in a file named request.json , and execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://secretmanager. LOCATION 
.rep.googleapis.com/v1/projects/ PROJECT_ID 
/locations/ LOCATION 
/secrets/ SECRET_ID 
/versions/ VERSION_ID 
:access"

    PowerShell

    Save the request body in a file named request.json , and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://secretmanager. LOCATION 
.rep.googleapis.com/v1/projects/ PROJECT_ID 
/locations/ LOCATION 
/secrets/ SECRET_ID 
/versions/ VERSION_ID 
:access" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    {
  "name": "projects/ PROJECT_ID 
/locations/ LOCATION 
/secrets/ SECRET_ID 
/versions/ VERSION_ID 
",
  "payload": {
    "data": "c2VDcjN0Cg==",
    "dataCrc32c": "3131222104"
  }
}

    Extract the secret using the jq tool

    The response payload.data is the base64-encoded contents of the secret version. The following command is an example of extracting the secret using the jq tool.

     $ 
curl "https://secretmanager. LOCATION 
.rep.googleapis.com/v1/projects/ PROJECT_ID 
/locations/ LOCATION 
/secrets/ SECRET_ID 
/versions/ VERSION_ID 
:access" \
      --request "GET" \
      --header "authorization: Bearer $(gcloud auth print-access-token)" \
      --header "content-type: application/json" \
      | jq -r ".payload.data" | base64 --decode

    Go

    To run this code, first set up a Go development environment and install the Secret Manager Go SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

      import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "hash/crc32" 
  
 "io" 
  
 secretmanager 
  
 "cloud.google.com/go/secretmanager/apiv1" 
  
 "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb" 
  
 "google.golang.org/api/option" 
 ) 
 // accessSecretVersion accesses the payload for the given secret version if one 
 // exists. The version can be a version number as a string (e.g. "5") or an 
 // alias (e.g. "latest"). 
 func 
  
 AccessRegionalSecretVersion 
 ( 
 w 
  
 io 
 . 
 Writer 
 , 
  
 projectId 
 , 
  
 locationId 
 , 
  
 secretId 
 , 
  
 versionId 
  
 string 
 ) 
  
 error 
  
 { 
  
 // name := "projects/my-project/locations/my-location/secrets/my-secret/versions/5" 
  
 // name := "projects/my-project/locations/my-location/secrets/my-secret/versions/latest" 
  
 // Create the client. 
  
 ctx 
  
 := 
  
 context 
 . 
 Background 
 () 
  
 // Endpoint to call the regional secret manager sever 
  
 endpoint 
  
 := 
  
 fmt 
 . 
 Sprintf 
 ( 
 "secretmanager.%s.rep.googleapis.com:443" 
 , 
  
 locationId 
 ) 
  
 client 
 , 
  
 err 
  
 := 
  
 secretmanager 
 . 
  NewClient 
 
 ( 
 ctx 
 , 
  
 option 
 . 
 WithEndpoint 
 ( 
 endpoint 
 )) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to create secretmanager client: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 defer 
  
 client 
 . 
  Close 
 
 () 
  
 name 
  
 := 
  
 fmt 
 . 
 Sprintf 
 ( 
 "projects/%s/locations/%s/secrets/%s/versions/%s" 
 , 
  
 projectId 
 , 
  
 locationId 
 , 
  
 secretId 
 , 
  
 versionId 
 ) 
  
 // Build the request. 
  
 req 
  
 := 
  
& secretmanagerpb 
 . 
 AccessSecretVersionRequest 
 { 
  
 Name 
 : 
  
 name 
 , 
  
 } 
  
 // Call the API. 
  
 result 
 , 
  
 err 
  
 := 
  
 client 
 . 
 AccessSecretVersion 
 ( 
 ctx 
 , 
  
 req 
 ) 
  
 if 
  
 err 
  
 != 
  
 nil 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "failed to access regional secret version: %w" 
 , 
  
 err 
 ) 
  
 } 
  
 // Verify the data checksum. 
  
 crc32c 
  
 := 
  
 crc32 
 . 
 MakeTable 
 ( 
 crc32 
 . 
 Castagnoli 
 ) 
  
 checksum 
  
 := 
  
 int64 
 ( 
 crc32 
 . 
 Checksum 
 ( 
 result 
 . 
 Payload 
 . 
 Data 
 , 
  
 crc32c 
 )) 
  
 if 
  
 checksum 
  
 != 
  
 * 
 result 
 . 
 Payload 
 . 
 DataCrc32C 
  
 { 
  
 return 
  
 fmt 
 . 
 Errorf 
 ( 
 "Data corruption detected." 
 ) 
  
 } 
  
 // WARNING: Do not print the secret in a production environment - this snippet 
  
 // is showing how to access the secret material. 
  
 fmt 
 . 
 Fprintf 
 ( 
 w 
 , 
  
 "Plaintext: %s\n" 
 , 
  
 string 
 ( 
 result 
 . 
 Payload 
 . 
 Data 
 )) 
  
 return 
  
 nil 
 }

    Java

    To run this code, first set up a Java development environment and install the Secret Manager Java SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

      import 
  
 com.google.cloud.secretmanager.v1. AccessSecretVersionResponse 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretManagerServiceClient 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretManagerServiceSettings 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretPayload 
 
 ; 
 import 
  
 com.google.cloud.secretmanager.v1. SecretVersionName 
 
 ; 
 import 
  
 java.util.zip.CRC32C 
 ; 
 import 
  
 java.util.zip.Checksum 
 ; 
 public 
  
 class 
 AccessRegionalSecretVersion 
  
 { 
  
 public 
  
 static 
  
 void 
  
 main 
 ( 
 String 
 [] 
  
 args 
 ) 
 throws 
  
 Exception 
  
 { 
  
 // TODO(developer): Replace these variables before running the sample. 
  
 // Your GCP project ID. 
  
 String 
  
 projectId 
  
 = 
  
 "your-project-id" 
 ; 
  
 // Location of the secret. 
  
 String 
  
 locationId 
  
 = 
  
 "your-location-id" 
 ; 
  
 // Resource ID of the secret. 
  
 String 
  
 secretId 
  
 = 
  
 "your-secret-id" 
 ; 
  
 // Version of the Secret ID you want to access. 
  
 String 
  
 versionId 
  
 = 
  
 "your-version-id" 
 ; 
  
 accessRegionalSecretVersion 
 ( 
 projectId 
 , 
  
 locationId 
 , 
  
 secretId 
 , 
  
 versionId 
 ); 
  
 } 
  
 // Access the payload for the given secret version if one exists. The version 
  
 // can be a version number as a string (e.g. "5") or an alias (e.g. "latest"). 
  
 public 
  
 static 
  
  SecretPayload 
 
  
 accessRegionalSecretVersion 
 ( 
  
 String 
  
 projectId 
 , 
  
 String 
  
 locationId 
 , 
  
 String 
  
 secretId 
 , 
  
 String 
  
 versionId 
 ) 
  
 throws 
  
 Exception 
  
 { 
  
 // Endpoint to call the regional secret manager sever 
  
 String 
  
 apiEndpoint 
  
 = 
  
 String 
 . 
 format 
 ( 
 "secretmanager.%s.rep.googleapis.com:443" 
 , 
  
 locationId 
 ); 
  
  SecretManagerServiceSettings 
 
  
 secretManagerServiceSettings 
  
 = 
  
  SecretManagerServiceSettings 
 
 . 
 newBuilder 
 (). 
 setEndpoint 
 ( 
 apiEndpoint 
 ). 
 build 
 (); 
  
 // Initialize client that will be used to send requests. This client only needs to be created 
  
 // once, and can be reused for multiple requests. 
  
 try 
  
 ( 
  SecretManagerServiceClient 
 
  
 client 
  
 = 
  
  
  SecretManagerServiceClient 
 
 . 
 create 
 ( 
 secretManagerServiceSettings 
 )) 
  
 { 
  
  SecretVersionName 
 
  
 secretVersionName 
  
 = 
  
  
  SecretVersionName 
 
 . 
  ofProjectLocationSecretSecretVersionName 
 
 ( 
  
 projectId 
 , 
  
 locationId 
 , 
  
 secretId 
 , 
  
 versionId 
 ); 
  
 // Access the secret version. 
  
  AccessSecretVersionResponse 
 
  
 response 
  
 = 
  
 client 
 . 
 accessSecretVersion 
 ( 
 secretVersionName 
 ); 
  
 // Verify checksum. The used library is available in Java 9+. 
  
 // For Java 8, use: 
  
 // https://github.com/google/guava/blob/e62d6a0456420d295089a9c319b7593a3eae4a83/guava/src/com/google/common/hash/Hashing.java#L395 
  
 byte 
 [] 
  
 data 
  
 = 
  
 response 
 . 
  getPayload 
 
 (). 
 getData 
 (). 
 toByteArray 
 (); 
  
 Checksum 
  
 checksum 
  
 = 
  
 new 
  
 CRC32C 
 (); 
  
 checksum 
 . 
 update 
 ( 
 data 
 , 
  
 0 
 , 
  
 data 
 . 
 length 
 ); 
  
 if 
  
 ( 
 response 
 . 
  getPayload 
 
 (). 
 getDataCrc32C 
 () 
  
 != 
  
 checksum 
 . 
 getValue 
 ()) 
  
 { 
  
 System 
 . 
 out 
 . 
 printf 
 ( 
 "Data corruption detected." 
 ); 
  
 throw 
  
 new 
  
 Exception 
 ( 
 "Data corruption detected." 
 ); 
  
 } 
  
 // Print the secret payload. 
  
 // 
  
 // WARNING: Do not print the secret in a production environment - this 
  
 // snippet is showing how to access the secret material. 
  
 // String payload = response.getPayload().getData().toStringUtf8(); 
  
 // System.out.printf("Plaintext: %s\n", payload); 
  
 return 
  
 response 
 . 
  getPayload 
 
 (); 
  
 } 
  
 } 
 }

    Node.js

    To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

      /** 
 * TODO(developer): Uncomment these variables before running the sample. 
 */ 
 // const projectId = 'my-project'; 
 // const locationId = 'location-id'; 
 // const secretId = 'my-secret' 
 // const version = 'secret-version'; 
 const 
  
 name 
  
 = 
  
 `projects/ 
 ${ 
 projectId 
 } 
 /locations/ 
 ${ 
 locationId 
 } 
 /secrets/ 
 ${ 
 secretId 
 } 
 /versions/ 
 ${ 
 version 
 } 
 ` 
 ; 
 // Imports the Secret Manager library 
 const 
  
 { 
 SecretManagerServiceClient 
 } 
  
 = 
  
 require 
 ( 
 ' @google-cloud/secret-manager 
' 
 ); 
 // Adding the endpoint to call the regional secret manager sever 
 const 
  
 options 
  
 = 
  
 {}; 
 options 
 . 
 apiEndpoint 
  
 = 
  
 `secretmanager. 
 ${ 
 locationId 
 } 
 .rep.googleapis.com` 
 ; 
 // Instantiates a client 
 const 
  
 client 
  
 = 
  
 new 
  
  SecretManagerServiceClient 
 
 ( 
 options 
 ); 
 async 
  
 function 
  
 accessRegionalSecretVersion 
 () 
  
 { 
  
 const 
  
 [ 
 version 
 ] 
  
 = 
  
 await 
  
 client 
 . 
 accessSecretVersion 
 ({ 
  
 name 
 : 
  
 name 
 , 
  
 }); 
  
 // Extract the payload as a string. 
  
 const 
  
 payload 
  
 = 
  
 version 
 . 
 payload 
 . 
 data 
 . 
 toString 
 (); 
  
 // WARNING: Do not print the secret in a production environment - this 
  
 // snippet is showing how to access the secret material. 
  
 console 
 . 
 info 
 ( 
 `Payload: 
 ${ 
 payload 
 } 
 ` 
 ); 
 } 
 accessRegionalSecretVersion 
 ();

    Python

    To run this code, first set up a Python development environment and install the Secret Manager Python SDK . On Compute Engine or GKE, you must authenticate with the cloud-platform scope .

      from 
  
 google.cloud 
  
 import 
  secretmanager_v1 
 
 import 
  
 google_crc32c 
 def 
  
 access_regional_secret_version 
 ( 
 project_id 
 : 
 str 
 , 
 location_id 
 : 
 str 
 , 
 secret_id 
 : 
 str 
 , 
 version_id 
 : 
 str 
 , 
 ) 
 - 
> secretmanager_v1 
 . 
 AccessSecretVersionResponse 
 : 
  
 """ 
 Access the payload for the given secret version if one exists. The version 
 can be a version number as a string (e.g. "5") or an alias (e.g. "latest"). 
 """ 
 # Endpoint to call the regional secret manager sever. 
 api_endpoint 
 = 
 f 
 "secretmanager. 
 { 
 location_id 
 } 
 .rep.googleapis.com" 
 # Create the Secret Manager client. 
 client 
 = 
  secretmanager_v1 
 
 . 
  SecretManagerServiceClient 
 
 ( 
 client_options 
 = 
 { 
 "api_endpoint" 
 : 
 api_endpoint 
 }, 
 ) 
 # Build the resource name of the secret version. 
 name 
 = 
 f 
 "projects/ 
 { 
 project_id 
 } 
 /locations/ 
 { 
 location_id 
 } 
 /secrets/ 
 { 
 secret_id 
 } 
 /versions/ 
 { 
 version_id 
 } 
 " 
 # Access the secret version. 
 response 
 = 
 client 
 . 
  access_secret_version 
 
 ( 
 request 
 = 
 { 
 "name" 
 : 
 name 
 }) 
 # Verify payload checksum. 
 crc32c 
 = 
 google_crc32c 
 . 
 Checksum 
 () 
 crc32c 
 . 
 update 
 ( 
 response 
 . 
 payload 
 . 
 data 
 ) 
 if 
 response 
 . 
 payload 
 . 
 data_crc32c 
 != 
 int 
 ( 
 crc32c 
 . 
 hexdigest 
 (), 
 16 
 ): 
 print 
 ( 
 "Data corruption detected." 
 ) 
 return 
 response 
 # Print the secret payload. 
 # 
 # WARNING: Do not print the secret in a production environment - this 
 # snippet is showing how to access the secret material. 
 payload 
 = 
 response 
 . 
 payload 
 . 
 data 
 . 
 decode 
 ( 
 "UTF-8" 
 ) 
 print 
 ( 
 f 
 "Plaintext: 
 { 
 payload 
 } 
 " 
 ) 
 return 
 response

    Resource consistency

    In Secret Manager, adding a secret version and then immediately accessing that secret version by version number is a strongly consistent operation.

    Other operations within Secret Manager are eventually consistent. Eventually consistent operations typically converge within minutes, but may take a few hours.

    Propagating IAM permissions is eventually consistent. This means granting or revoking access to secrets may not take effect immediately. For more information, see Access change propagation .

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: