Package google.cloud.secretmanager.v1

SecretManagerService

Secret Manager Service

Manages secrets and operations using those secrets. Implements a REST model with the following objects: Secret, SecretVersion.

AccessSecretVersion

rpc AccessSecretVersion(AccessSecretVersionRequest) returns (AccessSecretVersionResponse)

Accesses a SecretVersion. This call returns the secret data.

projects/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion. Because the alias moves every time a new version is added, callers that need a reproducible, reviewable read should pin an explicit version number instead.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AddSecretVersion

rpc AddSecretVersion(AddSecretVersionRequest) returns (SecretVersion)

Creates a new SecretVersion containing secret data and attaches it to an existing Secret.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateSecret

rpc CreateSecret(CreateSecretRequest) returns (Secret)

Creates a new Secret containing no SecretVersions.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteSecret

rpc DeleteSecret(DeleteSecretRequest) returns (Empty)

Deletes a Secret.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DestroySecretVersion

rpc DestroySecretVersion(DestroySecretVersionRequest) returns (SecretVersion)

Destroys a SecretVersion.

Sets the state of the SecretVersion to DESTROYED and irrevocably destroys the secret data.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DisableSecretVersion

rpc DisableSecretVersion(DisableSecretVersionRequest) returns (SecretVersion)

Disables a SecretVersion.

Sets the state of the SecretVersion to DISABLED.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

EnableSecretVersion

rpc EnableSecretVersion(EnableSecretVersionRequest) returns (SecretVersion)

Enables a SecretVersion.

Sets the state of the SecretVersion to ENABLED.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetIamPolicy

rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy)

Gets the access control policy for a secret. Returns an empty policy if the secret exists and does not have a policy set.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetSecret

rpc GetSecret(GetSecretRequest) returns (Secret)

Gets metadata for a given Secret.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetSecretVersion

rpc GetSecretVersion(GetSecretVersionRequest) returns (SecretVersion)

Gets metadata for a SecretVersion.

projects/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListSecretVersions

rpc ListSecretVersions(ListSecretVersionsRequest) returns (ListSecretVersionsResponse)

Lists SecretVersions. This call does not return secret data.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListSecrets

rpc ListSecrets(ListSecretsRequest) returns (ListSecretsResponse)

Lists Secrets.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

SetIamPolicy

rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy)

Sets the access control policy on the specified secret. Replaces any existing policy, so a caller that wants to add or remove a single binding should read the current policy with GetIamPolicy, modify it, and write the result back; writing a policy built from scratch silently drops every binding the caller did not know about.

Permissions on SecretVersions are enforced according to the policy set on the associated Secret.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

TestIamPermissions

rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse)

Returns permissions that a caller has for the specified secret. If the secret does not exist, this call returns an empty set of permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateSecret

rpc UpdateSecret(UpdateSecretRequest) returns (Secret)

Updates metadata of an existing Secret.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AccessSecretVersionRequest

Request message for SecretManagerService.AccessSecretVersion.

Fields
name

string

Required. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/*.

projects/*/secrets/*/versions/latest or projects/*/locations/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion.

Authorization requires the following IAM permission on the specified resource name:

  • secretmanager.versions.access

AccessSecretVersionResponse

Response message for SecretManagerService.AccessSecretVersion.

Fields
name

string

The resource name of the SecretVersion in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/*.

payload

SecretPayload

Secret payload

AddSecretVersionRequest

Request message for SecretManagerService.AddSecretVersion.

Fields
parent

string

Required. The resource name of the Secret to associate with the SecretVersion in the format projects/*/secrets/* or projects/*/locations/*/secrets/*.

Authorization requires the following IAM permission on the specified resource parent:

  • secretmanager.versions.add
payload

SecretPayload

Required. The secret payload of the SecretVersion.

CreateSecretRequest

Request message for SecretManagerService.CreateSecret.

Fields
parent

string

Required. The resource name of the project to associate with the Secret, in the format projects/* or projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • secretmanager.secrets.create
secret_id

string

Required. This must be unique within the project.

A secret ID is a string with a maximum length of 255 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (-) and underscore (_) characters.

secret

Secret

Required. A Secret with initial field values.

CustomerManagedEncryption

Configuration for encrypting secret payloads using customer-managed encryption keys (CMEK).

Fields
kms_key_name

string

Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.

For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location (Secret.UserManaged.Replica.location).

For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global.

The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.

CustomerManagedEncryptionStatus

Describes the status of customer-managed encryption.

Fields
kms_key_version_name

string

Required. The resource name of the Cloud KMS CryptoKeyVersion used to encrypt the secret payload, in the following format: projects/*/locations/*/keyRings/*/cryptoKeys/*/versions/*.

DeleteSecretRequest

Request message for SecretManagerService.DeleteSecret.

Fields
name

string

Required. The resource name of the Secret to delete in the format projects/*/secrets/*.

Authorization requires the following IAM permission on the specified resource name:

  • secretmanager.secrets.delete
etag

string

Optional. Etag of the Secret. The request succeeds if it matches the etag of the currently stored secret object. If the etag is omitted, the request succeeds.

DestroySecretVersionRequest

Request message for SecretManagerService.DestroySecretVersion.

Fields
name

string

Required. The resource name of the SecretVersion to destroy in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/*.

Authorization requires the following IAM permission on the specified resource name:

  • secretmanager.versions.destroy
etag

string

Optional. Etag of the SecretVersion. The request succeeds if it matches the etag of the currently stored secret version object. If the etag is omitted, the request succeeds.

DisableSecretVersionRequest

Request message for SecretManagerService.DisableSecretVersion.

Fields
name

string

Required. The resource name of the SecretVersion to disable in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/*.

Authorization requires the following IAM permission on the specified resource name:

  • secretmanager.versions.disable
etag

string

Optional. Etag of the SecretVersion. The request succeeds if it matches the etag of the currently stored secret version object. If the etag is omitted, the request succeeds.

EnableSecretVersionRequest

Request message for SecretManagerService.EnableSecretVersion.

Fields
name

string

Required. The resource name of the SecretVersion to enable in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/*.

Authorization requires the following IAM permission on the specified resource name:

  • secretmanager.versions.enable
etag

string

Optional. Etag of the SecretVersion. The request succeeds if it matches the etag of the currently stored secret version object. If the etag is omitted, the request succeeds.

GetSecretRequest

Request message for SecretManagerService.GetSecret.

Fields
name

string

Required. The resource name of the Secret, in the format projects/*/secrets/* or projects/*/locations/*/secrets/*.

Authorization requires the following IAM permission on the specified resource name:

  • secretmanager.secrets.get

GetSecretVersionRequest

Request message for SecretManagerService.GetSecretVersion.

Fields
name

string

Required. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/* or projects/*/locations/*/secrets/*/versions/*.

projects/*/secrets/*/versions/latest or projects/*/locations/*/secrets/*/versions/latest is an alias to the most recently created SecretVersion.

Authorization requires the following IAM permission on the specified resource name:

  • secretmanager.versions.get

ListSecretVersionsRequest

Request message for SecretManagerService.ListSecretVersions.

Fields
parent

string

Required. The resource name of the Secret associated with the SecretVersions to list, in the format projects/*/secrets/* or projects/*/locations/*/secrets/*.

Authorization requires the following IAM permission on the specified resource parent:

  • secretmanager.versions.list
page_size

int32

Optional. The maximum number of results to be returned in a single page. If set to 0, the server decides the number of results to return. If the number is greater than 25000, it is capped at 25000.

page_token

string

Optional. Pagination token, returned earlier via ListSecretVersionsResponse.next_page_token.

filter

string

Optional. Filter string, adhering to the rules in List-operation filtering. List only secret versions matching the filter. If filter is empty, all secret versions are listed.

ListSecretVersionsResponse

Response message for SecretManagerService.ListSecretVersions.

Fields
versions[]

SecretVersion

The list of SecretVersions sorted in reverse by create_time (newest first).

next_page_token

string

A token to retrieve the next page of results. Pass this value in ListSecretVersionsRequest.page_token to retrieve the next page.

total_size

int32

The total number of SecretVersions, but 0 when the ListSecretVersionsRequest.filter field is set.

ListSecretsRequest

Request message for SecretManagerService.ListSecrets.

Fields
parent

string

Required. The resource name of the project associated with the Secrets, in the format projects/* or projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • secretmanager.secrets.list
page_size

int32

Optional. The maximum number of results to be returned in a single page. If set to 0, the server decides the number of results to return. If the number is greater than 25000, it is capped at 25000.

page_token

string

Optional. Pagination token, returned earlier via ListSecretsResponse.next_page_token.

filter

string

Optional. Filter string, adhering to the rules in List-operation filtering. List only secrets matching the filter. If filter is empty, all secrets are listed.

ListSecretsResponse

Response message for SecretManagerService.ListSecrets.

Fields
secrets[]

Secret

The list of Secrets sorted in reverse by create_time (newest first).

next_page_token

string

A token to retrieve the next page of results. Pass this value in ListSecretsRequest.page_token to retrieve the next page.

total_size

int32

The total number of Secrets, but 0 when the ListSecretsRequest.filter field is set.

Replication

A policy that defines the replication and encryption configuration of data.

Fields
Union field replication. The replication policy for this secret. replication can be only one of the following:
automatic

Automatic

The Secret will automatically be replicated without any restrictions.

user_managed

UserManaged

The Secret will only be replicated into the locations specified.

Automatic

A replication policy that replicates the Secret payload without any restrictions.

Fields
customer_managed_encryption

CustomerManagedEncryption

Optional. The customer-managed encryption configuration of the Secret. If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.

UserManaged

A replication policy that replicates the Secret payload into the locations specified in Secret.replication.user_managed.replicas.

Fields
replicas[]

Replica

Required. The list of Replicas for this Secret.

Cannot be empty.

Replica

Represents a Replica for this Secret.

Fields
location

string

The canonical ID of the location to replicate data to. For example: "us-east1".

customer_managed_encryption

CustomerManagedEncryption

Optional. The customer-managed encryption configuration of the user-managed Replica (Replication.UserManaged.Replica). If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.

ReplicationStatus

The replication status of a SecretVersion.

Fields
Union field replication_status. The replication status of the SecretVersion. replication_status can be only one of the following:
automatic

AutomaticStatus

Describes the replication status of a SecretVersion with automatic replication.

Only populated if the parent Secret has an automatic replication policy.

user_managed

UserManagedStatus

Describes the replication status of a SecretVersion with user-managed replication.

Only populated if the parent Secret has a user-managed replication policy.

AutomaticStatus

The replication status of a SecretVersion using automatic replication.

Only populated if the parent Secret has an automatic replication policy.

Fields
customer_managed_encryption

CustomerManagedEncryptionStatus

Output only. The customer-managed encryption status of the SecretVersion. Only populated if customer-managed encryption is used.

UserManagedStatus

The replication status of a SecretVersion using user-managed replication.

Only populated if the parent Secret has a user-managed replication policy.

Fields
replicas[]

ReplicaStatus

Output only. The list of replica statuses for the SecretVersion.

ReplicaStatus

Describes the status of a user-managed replica for the SecretVersion.

Fields
location

string

Output only. The canonical ID of the replica location. For example: "us-east1".

customer_managed_encryption

CustomerManagedEncryptionStatus

Output only. The customer-managed encryption status of the SecretVersion. Only populated if customer-managed encryption is used.

Rotation

The rotation time and period for a Secret. At next_rotation_time, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. Secret.topics must be set to configure rotation. The service only publishes the notification; rotating the underlying credential and adding the new SecretVersion is the job of whatever subscribes to the topic.

Fields
next_rotation_time

Timestamp

Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Must be at least 300s (5 min) and at most 3153600000s (100 years) in the future.

next_rotation_time MUST be set if rotation_period is set.

rotation_period

Duration

Input only. The Duration between rotation notifications. Must be in seconds, at least 3600s (1h) and at most 3153600000s (100 years).

If rotation_period is set, next_rotation_time must be set. next_rotation_time will be advanced by this period when the service automatically sends rotation notifications.

Secret

A Secret is a logical secret whose value and versions can be accessed.

A Secret is made up of zero or more SecretVersions that represent the secret data.

Fields
name

string

Output only. The resource name of the Secret in the format projects/*/secrets/*.

replication

Replication

Optional. Immutable. The replication policy of the secret data attached to the Secret.

The replication policy cannot be changed after the Secret has been created.

create_time

Timestamp

Output only. The time at which theSecret was created.

labels

map<string, string>

The labels assigned to this Secret.

Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}

Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}

No more than 64 labels can be assigned to a given resource.

topics[]

Topic

Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.

etag

string

Optional. Etag of the currently stored Secret.

rotation

Rotation

Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy.

version_aliases

map<string, int64>

Optional. Mapping from version alias to version name.

A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (-) and underscore (_) characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.

Version-alias pairs are viewable via GetSecret and modifiable via UpdateSecret. Access by alias is only supported on GetSecretVersion and AccessSecretVersion.

annotations

map<string, string>

Optional. Custom metadata about the secret.

Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database.

Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols.

The total size of annotation keys and values must be less than 16KiB.

version_destroy_ttl

Duration

Optional. Secret version TTL after a destruction request.

This is part of the delayed secret version destroy feature. For a Secret with a TTL greater than 0, version destruction does not happen immediately on calling DestroySecretVersion: the version moves to the DISABLED state and the destruction happens after the TTL expires.

customer_managed_encryption

CustomerManagedEncryption

Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used.

Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.

Union field expiration. Expiration policy attached to the Secret. If specified, the Secret and all SecretVersions will be automatically deleted at expiration. Expired secrets are irreversibly deleted.

Expiration is not the recommended way to set time-based permissions. IAM Conditions are recommended for granting time-based permissions because the operation can be reversed. expiration can be only one of the following:

expire_time

Timestamp

Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.

ttl

Duration

Input only. The TTL for the Secret.
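The resource-name formats and ID grammars scattered across this page (the secret_id rule on CreateSecretRequest, the version_aliases rule on Secret, and the projects/*/secrets/*/versions/* and projects/*/locations/*/secrets/*/versions/* forms accepted by AccessSecretVersion and GetSecretVersion) are worth enforcing client-side before an ID taken from configuration or a request is spliced into a resource name. The following Python is an added example written for this page, not code from Google or its client libraries. The regular expressions transcribe the prose rules above and are assumed to be complete (the service remains authoritative); the function names, the VersionName type and the require_pinned flag are this example's own inventions, not API parameters.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar transcribed from this page's field descriptions. Assumption: the prose
# rules are complete; the service itself is authoritative and may reject more.
_SECRET_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")
_ALIAS_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,62}")
_NUMBER_RE = re.compile(r"[1-9][0-9]*")          # version IDs start at 1
_RESERVED_ALIASES = frozenset({"latest", "NEW"})
_VERSION_NAME_RE = re.compile(
    r"projects/(?P<project>[^/]+)"
    r"(?:/locations/(?P<location>[^/]+))?"       # present only for regional secrets
    r"/secrets/(?P<secret>[^/]+)"
    r"/versions/(?P<version>[^/]+)"
)


def is_valid_secret_id(secret_id: str) -> bool:
    """CreateSecretRequest.secret_id: 1..255 letters, digits, '-' or '_'."""
    return _SECRET_ID_RE.fullmatch(secret_id) is not None


def is_valid_version_alias(alias: str) -> bool:
    """Secret.version_aliases key: starts with a letter, <= 63 chars, not 'latest' or 'NEW'."""
    return _ALIAS_RE.fullmatch(alias) is not None and alias not in _RESERVED_ALIASES


@dataclass(frozen=True)
class VersionName:
    project: str
    location: Optional[str]   # None for the global projects/*/secrets/* form
    secret: str
    version: str
    kind: str                 # "number" (pinned), "latest" (floating alias) or "alias"


def parse_version_name(name: str) -> VersionName:
    """Parse either documented SecretVersion name form; ValueError on anything else."""
    m = _VERSION_NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a SecretVersion resource name: {name!r}")
    secret, version = m["secret"], m["version"]
    if not is_valid_secret_id(secret):
        raise ValueError(f"invalid secret_id segment: {secret!r}")
    if _NUMBER_RE.fullmatch(version):
        kind = "number"
    elif version == "latest":
        kind = "latest"
    elif is_valid_version_alias(version):
        kind = "alias"
    else:
        raise ValueError(f"invalid version segment: {version!r}")
    return VersionName(m["project"], m["location"], secret, version, kind)


def version_name(project: str, secret_id: str, version, location: Optional[str] = None,
                 require_pinned: bool = False) -> str:
    """Build a SecretVersion name from parts, refusing input that breaks the grammar.

    Validate secret_id before splicing it in when it comes from configuration or a
    request: a value such as 'x/versions/3' or '../y' must fail here rather than
    produce a name that refers to something other than the secret you authorised.
    require_pinned rejects 'latest' and aliases so that production code reads an
    explicit, reviewable version number (hypothetical flag, not an API parameter).
    """
    if not is_valid_secret_id(secret_id):
        raise ValueError(f"invalid secret_id: {secret_id!r}")
    prefix = f"projects/{project}" + (f"/locations/{location}" if location else "")
    name = f"{prefix}/secrets/{secret_id}/versions/{version}"
    parsed = parse_version_name(name)   # re-validates every segment, including project/location
    if require_pinned and parsed.kind != "number":
        raise ValueError(f"version must be a pinned number, got {version!r}")
    return name
```

The parse step distinguishes a pinned numeric version from the floating latest alias and from a user-defined alias, so a deployment check can insist on the first kind for anything that runs unattended.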

SecretPayload

A secret payload resource in the Secret Manager API. This contains the sensitive secret payload that is associated with a SecretVersion.

Fields
data

bytes

The secret data. Must be no larger than 64KiB.

data_crc32c

int64

Optional. If specified, SecretManagerService will verify the integrity of the received data on SecretManagerService.AddSecretVersion calls using the crc32c checksum and store it to include in future SecretManagerService.AccessSecretVersion responses. If a checksum is not provided in the SecretManagerService.AddSecretVersion request, the SecretManagerService will generate and store one for you. On the access path the comparison is the client's responsibility: recompute the checksum over the returned data and compare it with data_crc32c before using the secret.

The CRC32C value is encoded as an int64 for compatibility, and can be safely downconverted to uint32 in languages that support this type. https://cloud.google.com/apis/design/design_patterns#integer_types
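The data_crc32c field lets a client check that the bytes it sent on AddSecretVersion and the bytes it gets back on AccessSecretVersion are the ones stored. The block below is an added example written for this page, not code from Google or its client libraries (which ship a CRC32C implementation of their own); it implements CRC-32C with the standard reflected Castagnoli polynomial, models SecretPayload as a small dataclass, and shows the uint32-inside-int64 handling the field description mentions. The names make_payload, verify_payload and secret_from_response are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

_CRC32C_POLY = 0x82F63B78   # CRC-32C (Castagnoli), reflected form


def _make_table() -> List[int]:
    table = []
    for n in range(256):
        crc = n
        for _ in range(8):
            crc = (crc >> 1) ^ _CRC32C_POLY if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    """CRC-32C of `data` as an unsigned 32-bit value; check value crc32c(b'123456789') == 0xE3069283."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


@dataclass
class SecretPayload:
    """Model of the SecretPayload message: data plus the int64-encoded CRC32C."""
    data: bytes
    data_crc32c: Optional[int] = None


MAX_PAYLOAD = 64 * 1024   # "Must be no larger than 64KiB"


def make_payload(data: bytes) -> SecretPayload:
    """Payload for AddSecretVersion carrying the checksum the service verifies on receipt and stores."""
    if len(data) > MAX_PAYLOAD:
        raise ValueError("secret data must be no larger than 64KiB")
    return SecretPayload(data=data, data_crc32c=crc32c(data))


def verify_payload(payload: SecretPayload) -> bool:
    """Client-side integrity check on an AccessSecretVersion payload.

    False when no checksum came back (nothing to verify; treat that as a failure
    rather than silently accepting the bytes) or when it does not match the data.
    The int64 field is reduced to its low 32 bits first, the 'safe downconversion
    to uint32' the field description refers to, so a value that some client
    widened from a signed 32-bit int still compares correctly.
    """
    if payload.data_crc32c is None:
        return False
    return (payload.data_crc32c & 0xFFFFFFFF) == crc32c(payload.data)


def secret_from_response(payload: SecretPayload) -> bytes:
    """Return the secret bytes only once the checksum has been verified."""
    if not verify_payload(payload):
        raise ValueError("secret payload failed CRC32C verification; do not use it")
    return payload.data
```

CRC32C is an integrity check against corruption in transit or in a caching layer, not an authenticity check: anyone who can alter the data can recompute the checksum, so it does not replace IAM on the secret or TLS on the connection.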

SecretVersion

A secret version resource in the Secret Manager API.

Fields
name

string

Output only. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/*.

SecretVersion IDs in a Secret start at 1 and are incremented for each subsequent version of the secret.

create_time

Timestamp

Output only. The time at which the SecretVersion was created.

destroy_time

Timestamp

Output only. The time this SecretVersion was destroyed. Only present if state is DESTROYED.

state

State

Output only. The current state of the SecretVersion.

replication_status

ReplicationStatus

The replication status of the SecretVersion.

etag

string

Output only. Etag of the currently stored SecretVersion.

client_specified_payload_checksum

bool

Output only. True if the payload checksum specified in the SecretPayload object was received by SecretManagerService on SecretManagerService.AddSecretVersion.

scheduled_destroy_time

Timestamp

Optional. Output only. Scheduled destroy time for the secret version. This is part of the delayed secret version destroy feature. For a Secret with a valid version destroy TTL, when a secret version is destroyed it is moved to the DISABLED state and scheduled for destruction; the version is destroyed only after scheduled_destroy_time.

customer_managed_encryption

CustomerManagedEncryptionStatus

Output only. The customer-managed encryption status of the SecretVersion. Only populated if customer-managed encryption is used and the Secret is a regionalized secret.

State

The state of a SecretVersion, indicating if it can be accessed.

Enums
STATE_UNSPECIFIED: Not specified. This value is unused and invalid.
ENABLED: The SecretVersion may be accessed.
DISABLED: The SecretVersion may not be accessed, but the secret data is still available and can be placed back into the ENABLED state.
DESTROYED: The SecretVersion is destroyed and the secret data is no longer stored. A version may not leave this state once entered.
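The State enum, the version_destroy_ttl and scheduled_destroy_time fields, the etag precondition on the Disable, Enable and Destroy requests and the latest alias together define the version lifecycle. The following Python is an added in-memory model of those rules written for this page, not the service or any Google code; it is the kind of fixture one uses to test rotation or cleanup logic against the edge cases without touching a real project. Two behaviours go beyond what the page states and are assumptions of the model: latest resolves to the highest version ID regardless of that version's state, and enabling a version whose delayed destruction is pending cancels the pending destruction. The class and helper names (SecretLifecycle, at, T0) and the constructed clock are this example's own.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

ENABLED, DISABLED, DESTROYED = "ENABLED", "DISABLED", "DESTROYED"

# Constructed reference clock for the example; no real time is read anywhere.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """Instant `hours` after T0."""
    return T0 + timedelta(hours=hours)


class PreconditionFailed(Exception):
    """The caller's etag does not match the stored SecretVersion (a stale read)."""


class FailedPrecondition(Exception):
    """The operation is not allowed in the version's current state."""


@dataclass
class SecretVersion:
    version_id: int
    state: str = ENABLED
    etag: str = field(default_factory=lambda: secrets.token_hex(8))
    data: Optional[bytes] = None                        # None once the payload is destroyed
    destroy_time: Optional[datetime] = None             # set only in DESTROYED
    scheduled_destroy_time: Optional[datetime] = None   # set while a delayed destroy is pending


class SecretLifecycle:
    """In-memory model of one Secret's versions following the state rules on this page."""

    def __init__(self, version_destroy_ttl_seconds: int = 0):
        # Secret.version_destroy_ttl; 0 means DestroySecretVersion takes effect immediately.
        self.version_destroy_ttl = timedelta(seconds=version_destroy_ttl_seconds)
        self._versions: Dict[int, SecretVersion] = {}

    def add_version(self, data: bytes) -> SecretVersion:
        # IDs start at 1 and increment; a new version starts ENABLED.
        v = SecretVersion(version_id=len(self._versions) + 1, data=data)
        self._versions[v.version_id] = v
        return v

    def _sweep(self, now: datetime) -> None:
        # Delayed destroy: the payload is removed only once scheduled_destroy_time has passed.
        for v in self._versions.values():
            if v.scheduled_destroy_time is not None and v.scheduled_destroy_time <= now:
                v.state, v.data = DESTROYED, None
                v.destroy_time, v.scheduled_destroy_time = v.scheduled_destroy_time, None

    def _resolve(self, version: str, now: datetime) -> SecretVersion:
        self._sweep(now)
        if version == "latest":
            # Assumption of the model: 'latest' is the most recently *created* version, whatever its state.
            return self._versions[max(self._versions)]
        return self._versions[int(version)]

    def _mutate(self, v: SecretVersion, etag: Optional[str]) -> None:
        if v.state == DESTROYED:
            raise FailedPrecondition("a DESTROYED version may not leave that state")
        if etag is not None and etag != v.etag:      # omitted etag: request succeeds
            raise PreconditionFailed(f"etag mismatch on version {v.version_id}")
        v.etag = secrets.token_hex(8)                 # every successful mutation yields a new etag

    def access(self, version: str, now: datetime) -> bytes:
        v = self._resolve(version, now)
        if v.state != ENABLED:
            raise FailedPrecondition(f"version {v.version_id} is {v.state}")
        return v.data

    def enable(self, version: str, now: datetime, etag: Optional[str] = None) -> SecretVersion:
        v = self._resolve(version, now)
        self._mutate(v, etag)
        v.state = ENABLED
        v.scheduled_destroy_time = None   # assumption of the model: enabling cancels a pending delayed destroy
        return v

    def disable(self, version: str, now: datetime, etag: Optional[str] = None) -> SecretVersion:
        v = self._resolve(version, now)
        self._mutate(v, etag)
        v.state = DISABLED                # a pending delayed destroy, if any, stays scheduled
        return v

    def destroy(self, version: str, now: datetime, etag: Optional[str] = None) -> SecretVersion:
        v = self._resolve(version, now)
        self._mutate(v, etag)
        if self.version_destroy_ttl > timedelta(0):
            v.state = DISABLED            # disabled now; payload kept until the TTL elapses
            v.scheduled_destroy_time = now + self.version_destroy_ttl
        else:
            v.state, v.data, v.destroy_time = DESTROYED, None, now
        return v
```

The two failure modes the model makes visible are the ones that bite in production: reading latest fails as soon as the newest version is disabled even though an older enabled version exists, and a Disable or Destroy carrying an etag from an earlier GetSecretVersion is rejected once anyone else has touched the version in between.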

Topic

A Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.

Fields
name

string

Identifier. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager service agent must have the pubsub.topics.publish permission on the topic. The Pub/Sub Publisher role (roles/pubsub.publisher) includes this permission.

UpdateSecretRequest

Request message for SecretManagerService.UpdateSecret.

Fields
secret

Secret

Required. Secret with updated field values.

Authorization requires the following IAM permission on the specified resource secret:

  • secretmanager.secrets.update
update_mask

FieldMask

Required. Specifies the fields to be updated.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-14 UTC.