gcloud beta secrets create

NAME
gcloud beta secrets create - create a new secret
SYNOPSIS
gcloud beta secrets create SECRET [--data-file=PATH] [--labels=[KEY=VALUE,…]] [--location=LOCATION] [--regional-kms-key-name=KMS-KEY-NAME] [--set-annotations=[KEY=VALUE,…]] [--tags=[KEY=VALUE,…]] [--topics=[TOPICS,…]] [--version-destroy-ttl=VERSION-DESTROY-TTL] [--expire-time=EXPIRE-TIME | --ttl=TTL] [--next-rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD] [--replication-policy-file=REPLICATION-POLICY-FILE | --kms-key-name=KMS-KEY-NAME --locations=[LOCATION,…] --replication-policy=POLICY] [GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA) Create a secret with the given name and create a secret version with the given data, if any. Note, the created secret ends with a newline. If a secret already exists with the given name, this command will return an error.
EXAMPLES
Create a secret with an automatic replication policy without creating any versions:

gcloud beta secrets create my-secret

Create a new secret named 'my-secret' with an automatic replication policy and data from a file:

gcloud beta secrets create my-secret --data-file=/tmp/secret

Create a new secret named 'my-secret' in 'us-central1' with data from a file:

gcloud beta secrets create my-secret --data-file=/tmp/secret --replication-policy=user-managed --locations=us-central1

Create a new secret named 'my-secret' in 'us-central1' and 'us-east1' with the value "s3cr3t":

printf "s3cr3t" | gcloud beta secrets create my-secret --data-file=- --replication-policy=user-managed --locations=us-central1,us-east1

Create a new secret named 'my-secret' in 'us-central1' and 'us-east1' with the value "s3cr3t" in PowerShell (Note: PowerShell will add a newline to the resulting secret):

Write-Output "s3cr3t" | gcloud beta secrets create my-secret --data-file=- --replication-policy=user-managed --locations=us-central1,us-east1

Create an expiring secret with an automatic replication policy using a ttl:

gcloud beta secrets create my-secret --ttl="600s"

Create an expiring secret with an automatic replication policy using an expire-time:

gcloud beta secrets create my-secret --expire-time="2030-01-01T08:15:30-05:00"

Create a secret with an automatic replication policy and a next rotation time:

gcloud beta secrets create my-secret --next-rotation-time="2030-01-01T15:30:00-05:00"

Create a secret with an automatic replication policy and a rotation period:

gcloud beta secrets create my-secret --next-rotation-time="2030-01-01T15:30:00-05:00" --rotation-period="7200s"

Create a secret with delayed secret version destroy enabled:

gcloud beta secrets create my-secret --version-destroy-ttl="86400s"
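
The PowerShell example above shows how a newline can end up in the stored value without being intended. The following helper is an added example, not part of the gcloud reference: it checks a payload file for a trailing newline and strips it before piping the data to --data-file=-. The function names are hypothetical, and it assumes a text payload held in a file.

```shell
#!/bin/sh
# Added example, not part of the gcloud reference. Function names are hypothetical.
# Guards against an unintended trailing newline in secret data before it is
# piped to `gcloud beta secrets create SECRET --data-file=-`.

# ends_with_newline FILE: exit 0 if the last byte of FILE is LF (0x0a).
ends_with_newline() {
  [ -s "$1" ] || return 1
  last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# payload_without_newline FILE: print FILE without its trailing LFs and
# without one trailing CR (the CR half of a CRLF line ending).
# Text payloads only: shell variables cannot hold NUL bytes.
payload_without_newline() {
  data=$(cat "$1")       # command substitution drops every trailing LF
  cr=$(printf '\r')
  data=${data%"$cr"}     # drop a single trailing CR if present
  printf '%s' "$data"
}

# create_secret SECRET FILE: send the cleaned payload on stdin, so the value
# is never typed as a command-line argument.
create_secret() {
  if ends_with_newline "$2"; then
    echo "note: stripping trailing newline from $2" >&2
  fi
  payload_without_newline "$2" |
    gcloud beta secrets create "$1" --data-file=-
}
```

Call it as `create_secret my-secret /tmp/secret`; any other flags from this page can be appended to the gcloud line inside the function.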
POSITIONAL ARGUMENTS
Secret resource - The secret to create. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument SECRET on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.

This must be specified.

SECRET
ID of the secret or fully qualified identifier for the secret.

To set the secret attribute:

  • provide the argument SECRET on the command line.
FLAGS
--data-file=PATH
File path from which to read secret data. Set this to "-" to read the secret data from stdin.
--labels=[KEY=VALUE,…]
List of label KEY=VALUE pairs to add.

Keys must start with a lowercase character and contain only hyphens (-), underscores (_), lowercase characters, and numbers. Values must contain only hyphens (-), underscores (_), lowercase characters, and numbers.

Location resource - The location to create secret. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

  • provide the argument --location on the command line with a fully specified name;
  • provide the argument --project on the command line;
  • set the property core/project.
--location=LOCATION
ID of the location or fully qualified identifier for the location.

To set the location attribute:

  • provide the argument --location on the command line.
--regional-kms-key-name=KMS-KEY-NAME
Regional KMS key with which to encrypt and decrypt the secret. Only valid for regional secrets.
Annotations
--set-annotations=[KEY=VALUE,…]
List of key-value pairs to set as Annotations. All existing Annotations will be removed first.
--tags=[KEY=VALUE,…]
List of tags KEY=VALUE pairs to bind. Each item must be expressed as <tag-key-namespaced-name>=<tag-value-short-name>.

Example: 123/environment=production,123/costCenter=marketing

--topics=[TOPICS,…]
List of Pub/Sub topics to configure on the secret.
--version-destroy-ttl=VERSION-DESTROY-TTL
Secret Version Time To Live (TTL) after destruction request. For a secret with TTL>0, version destruction does not happen immediately on calling destroy; instead, the version goes to a disabled state and destruction happens after the TTL expires. See $ gcloud topic datetimes for information on duration formats.
Expiration.

At most one of these can be specified:

--expire-time=EXPIRE-TIME
Timestamp at which to automatically delete the secret.
--ttl=TTL
Duration of time (in seconds) from the running of the command until the secret is automatically deleted.
Rotation.
--next-rotation-time=NEXT_ROTATION_TIME
Timestamp at which to send rotation notification.
--rotation-period=ROTATION_PERIOD
Duration of time (in seconds) between rotation notifications.
Replication policy.

At most one of these can be specified:

--replication-policy-file=REPLICATION-POLICY-FILE
JSON or YAML file to use to read the replication policy. The file must conform to https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets#replication. Set this to "-" to read from stdin.
Inline replication arguments.
--kms-key-name=KMS-KEY-NAME
Global KMS key with which to encrypt and decrypt the secret. Only valid for secrets with an automatic replication policy.
--locations=[LOCATION,…]
Comma-separated list of locations in which the secret should be replicated.
--replication-policy=POLICY
The type of replication policy to apply to this secret. Allowed values are "automatic" and "user-managed". If user-managed then --locations must also be provided.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This command is currently in beta and might change without notice. This variant is also available:

gcloud secrets create


Last updated 2025-07-29 UTC.