Create and manage secrets with Cloud Code

Learn how to create and manage secrets using Cloud Code's Secret Manager integration.




Before you begin

  1. In the Google Cloud console, go to the project selector page.

    Go to project selector

  2. Select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
  3. Install Git so that Cloud Code can perform Git operations, like cloning a sample.
  4. Install the Cloud Code plugin if you haven't already.

Create your Cloud Run service

Use Cloud Shell Editor as your environment for creating your Cloud Run service and secret. The editor comes preloaded with the tools needed for cloud development.

To create your service:

  1. In the Cloud Code status bar, click the active project name.


  2. In the Quick Pick menu that appears, click New Application, and then click Cloud Run Application.

  3. From the list of Cloud Run samples, select Python (Flask): Cloud Run.

  4. Select a folder for your sample and then click Create New Application.

After Cloud Shell Editor loads your service in a new workspace, view its files in the explorer view.

Create a secret

Secret Manager allows you to securely store, manage, and access secrets as binary blobs or text strings. Additionally, it manages your secrets, meaning you don't have to deal with virtual machines or operating services.

To create a secret with Cloud Code's Secret Manager integration:

  1. Click Secret Manager and give it a moment to load.
  2. If prompted to authorize Cloud Shell to make Google Cloud API calls, click Authorize.
  3. Click Create Secret.
  4. If prompted, select your Google Cloud project from the dropdown selector.
  5. If prompted, enable the Secret Manager API.
  6. In the Secret Manager - Create Secret tab that appears, enter the following in the Name field:

    my-secret
  7. In the Secret Value field, enter:

    Hello secret!
  8. Click Create Secret. A message appears confirming that your secret was successfully created.

Add a secret to your code

Secrets are great for storing configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime.

To add a secret to your code:

  1. Open the Cloud API view and select the Secret Manager API.

    This opens a Google Cloud API Detail tab with Secret Manager API as the heading.

  2. In the Install Client Library section, click the Python tab and click Run in terminal. This installs the google-cloud-secret-manager client library.

  3. Open requirements.txt and add the following line to the bottom of the file:

    google-cloud-secret-manager==VERSION_NUMBER

    You can find the version number in the console after you run the installation in the previous step. For example, the console might show: Successfully installed google-cloud-secret-manager-2.23.1

    Your changes are automatically saved.

  4. To get the latest value of your secret, open app.py and paste the following function after the hello function:

    def access_secret_version(secret_version_id):
        """Return the value of a secret's version"""
        from google.cloud import secretmanager

        # Create the Secret Manager client.
        client = secretmanager.SecretManagerServiceClient()

        # Access the secret version.
        response = client.access_secret_version(name=secret_version_id)

        # Return the decoded payload.
        return response.payload.data.decode('UTF-8')

  5. To call the access_secret_version function, replace the message variable with the following:

    message = access_secret_version("<SECRET_VERSION_ID>")
  6. If you still have the Secret Manager - Create Secret tab open, copy the ID.

    To get the ID of a secret version at any time, navigate to Secret Manager > [SECRET_NAME] > Versions, hold the pointer over your version, and click Copy resource ID.

  7. To add the version ID, replace the placeholder <SECRET_VERSION_ID> with your copied version ID.

Run on Cloud Run emulator

To test your new secret, run your Cloud Run service locally on the Cloud Run emulator.

  1. Launch the Cloud Code menu from the status bar.
  2. To build and deploy your service to the emulator, select Run on Cloud Run Emulator.
  3. In the Run/Debug on Cloud Run Emulator tab that appears, click Run.
  4. When running the configuration for the first time, this process can take up to 5 minutes. The Output panel displays the progress as your app is built and deployed.

  5. After your app is built, launch your app by clicking the localhost link that appears in your Output panel. Your secret's value is displayed under the success graphic.

View and create a new secret version

Cloud Code's Secret Manager view gives you a quick look at your project's secrets, with actions for managing them.

Viewing the value of a secret version

  1. Click the Secret Manager view.
  2. Expand your secret by clicking on it.
  3. In the Versions folder, right-click the numbered version that you want to view the value of and select Show Version Value.

Note that you can't edit a secret version. To update a secret's value, you must create a new version.

Create a new secret version

The value of a secret is stored in a secret version. A secret can have many versions. This is helpful in situations where a secret changes. Updating a secret with a new version means you don't have to update your code.

  1. Click the Secret Manager view.
  2. Right-click your secret's name and select Create Secret Version.
  3. In the Secret Manager - Create Version tab that appears, enter a new value and click Create Version.
  4. After the Secret Manager - Create Secret tab opens, click Copy to copy the ID.
  5. To add the newer version ID, replace the current version that appears in the message variable in app.py with the newer version ID that you copied.

If you always want your code to use the latest version, replace the version number at the end of your version ID with latest.
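
The version ID handling described above, as an added example that is not code from the original page: it validates the ID before use, swaps the trailing version number for latest, and passes the ID to the same client call the page's function makes. The regular expression (the conventional projects/.../secrets/.../versions/... layout), `parse_version_id`, `use_latest`, the `client` and `allow_latest` parameters, and the sample ID are assumptions made for this illustration.

```python
import re

# Assumed layout of a secret version resource ID:
#   projects/<project>/secrets/<secret>/versions/<number | latest>
_VERSION_ID = re.compile(
    r"projects/(?P<project>[a-z0-9][a-z0-9:.\-]*)"
    r"/secrets/(?P<secret>[A-Za-z0-9_-]{1,255})"
    r"/versions/(?P<version>[1-9][0-9]*|latest)"
)

# Constructed sample ID, using the secret name from this page.
SAMPLE_ID = "projects/example-project/secrets/my-secret/versions/1"


def parse_version_id(version_id):
    """Split a version ID into project, secret and version, or raise ValueError."""
    match = _VERSION_ID.fullmatch(version_id)
    if match is None:
        raise ValueError("not a secret version resource ID")
    return match.groupdict()


def use_latest(version_id):
    """Return the same ID with the trailing version replaced by 'latest'."""
    parts = parse_version_id(version_id)
    return "projects/{project}/secrets/{secret}/versions/latest".format(**parts)


def access_secret_version(secret_version_id, client=None, allow_latest=True):
    """Validate the ID, then return the decoded payload of that version."""
    parts = parse_version_id(secret_version_id)
    if parts["version"] == "latest" and not allow_latest:
        # Hypothetical policy switch: insist on a pinned, numbered version.
        raise ValueError("a pinned version number is required")
    if client is None:
        # Same client the page's function creates; imported lazily so the
        # helpers above work without the library installed.
        from google.cloud import secretmanager
        client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(name=secret_version_id)
    return response.payload.data.decode("UTF-8")
```

Passing a stub object as `client` lets the function be exercised locally without credentials.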

View and manage secrets

Disable a secret version

Secret versions are enabled by default after creation, meaning they can be accessed. A disabled secret version is inaccessible, but you can restore access to it at any time.

To disable a secret version:

  1. Click Cloud Code and then expand the Secret Manager section.
  2. Expand your secret by clicking on it.
  3. Under the Versions folder, right-click the numbered version you want to disable.
  4. Select Disable Version.

Destroy a secret version

When you destroy a secret version, it can't be accessed. Destroying a secret version is permanent.

  1. Click Cloud Code and then expand the Secret Manager section.
  2. Expand your secret by clicking on it.
  3. Under the Versions folder, right-click the version you want to destroy.
  4. Select Destroy Version.

Cleaning up

To delete just the cluster you created for this quickstart:

  1. Click Cloud Code and then expand the Kubernetes section.
  2. Hold the pointer over your cluster name and then click Open in Google Cloud console.
  3. Click Delete and then click Delete.

To delete your project (and associated resources, including any clusters):

  1. Go to the Projects page in the Google Cloud console:

    Go to the Projects page

  2. Select the project that you created for this quickstart and then click Delete.

  3. Type the project ID to confirm and then click Shut down.

    This shuts down the project and schedules it for deletion.


Last updated 2025-12-15 UTC.