gcloud secrets update
- NAME
- gcloud secrets update - update a secret's metadata
- SYNOPSIS
gcloud secrets updateSECRET[--etag=ETAG][--location=LOCATION][--update-labels=[KEY=VALUE,…]][--add-topics=[ADD-TOPICS,…] |--clear-topics|--remove-topics=[REMOVE-TOPICS,…]][--clear-annotations|--remove-annotations=[KEY,…] |--update-annotations=[KEY=VALUE,…]][--clear-labels|--remove-labels=[KEY,…]][--clear-version-aliases|--remove-version-aliases=[KEY,…] |--update-version-aliases=[KEY=VALUE,…]][--expire-time=EXPIRE-TIME|--remove-expiration|--ttl=TTL][--next-rotation-time=NEXT_ROTATION_TIME--remove-next-rotation-time--remove-rotation-period--remove-rotation-schedule--rotation-period=ROTATION_PERIOD][--regional-kms-key-name=REGIONAL-KMS-KEY-NAME|--remove-regional-kms-key-name][--remove-version-destroy-ttl|--version-destroy-ttl=VERSION-DESTROY-TTL][GCLOUD_WIDE_FLAG …]
- DESCRIPTION
- Update a secret's metadata (e.g. labels). This command will return an error ifgiven a secret that does not exist.
- EXAMPLES
- Update the label of a secret named
my-secret.gcloudsecretsupdatemy-secret--update-labels=foo=barUpdate the label of a secret using an etag.
gcloudsecretsupdatemy-secret--update-labels=foo=bar--etag=123Update a secret to have a next-rotation-time:
gcloudsecretsupdatemy-secret--next-rotation-time="2030-01-01T15:30:00-05:00"Update a secret to have a next-rotation-time and rotation-period:
gcloudsecretsupdatemy-secret--next-rotation-time="2030-01-01T15:30:00-05:00"--rotation-period="7200s"Update a secret to remove the next-rotation-time:
gcloudsecretsupdatemy-secret--remove-next-rotation-timeUpdate a secret to clear rotation policy:
gcloudsecretsupdatemy-secret--remove-rotation-scheduleUpdate version destroy ttl of a secret:
gcloudsecretsupdatemy-secret--version-destroy-ttl="86400s"Disable delayed secret version destroy:
gcloudsecretsupdatemy-secret--remove-version-destroy-ttl - POSITIONAL ARGUMENTS
- Secret resource - The secret to update. This represents a Cloud resource. (NOTE)Some attributes are not given arguments in this group but can be set in otherways.
To set the
projectattribute:- provide the argument
SECRETon the command line with a fullyspecified name; - provide the argument
--projecton the command line; - set the property
core/project.
This must be specified.
SECRET- ID of the secret or fully qualified identifier for the secret.
To set the
secretattribute:- provide the argument
SECRETon the command line.
- provide the argument
- provide the argument
- Secret resource - The secret to update. This represents a Cloud resource. (NOTE)Some attributes are not given arguments in this group but can be set in otherways.
- FLAGS
--etag=ETAG- Current entity tag (ETag) of the secret. If specified, the secret is updatedonly if the ETag provided matches the current secret's ETag.
- Location resource - The location to update secret. This represents a Cloudresource. (NOTE) Some attributes are not given arguments in this group but canbe set in other ways.
To set the
projectattribute:- provide the argument
--locationon the command line with a fullyspecified name; - provide the argument
--projecton the command line; - set the property
core/project.
--location=LOCATION- ID of the location or fully qualified identifier for the location.
To set the
locationattribute:- provide the argument
--locationon the command line.
- provide the argument
- provide the argument
--update-labels=[KEY=VALUE,…]- List of label KEY=VALUE pairs to update. If a label exists, its value ismodified. Otherwise, a new label is created.
Keys must start with a lowercase character and contain only hyphens(
-), underscores (_), lowercase characters, andnumbers. Values must contain only hyphens (-), underscores(_), lowercase characters, and numbers. - Topics.
At most one of these can be specified:
--add-topics=[ADD-TOPICS,…]- List of Pub/Sub topics to add to the secret.
--clear-topics- Clear all Pub/Sub topics from the secret.
--remove-topics=[REMOVE-TOPICS,…]- List of Pub/Sub topics to remove from the secret.
- Annotations
At most one of these can be specified:
--clear-annotations- Remove all Annotations.
--remove-annotations=[KEY,…]- List of Annotations to be removed.
--update-annotations=[KEY=VALUE,…]- List of key-value pairs to set as Annotations.
- At most one of these can be specified:
--clear-labels- Remove all labels. If
--update-labelsis also specified then--clear-labelsis applied first.For example, to remove all labels:
gcloudsecretsupdate--clear-labelsTo remove all existing labels and create two new labels,
foobazgcloudsecretsupdate--clear-labels--update-labelsfoo=bar,baz=qux --remove-labels=[KEY,…]- List of label keys to remove. If a label does not exist it is silently ignored.If
--update-labelsis also specified then--update-labelsis applied first.
- Version Aliases
At most one of these can be specified:
--clear-version-aliases- Remove all Version Aliases.
--remove-version-aliases=[KEY,…]- List of Version Aliases to be removed.
--update-version-aliases=[KEY=VALUE,…]- List of key-value pairs to set as Version Aliases.
- Expiration.
At most one of these can be specified:
--expire-time=EXPIRE-TIME- Timestamp at which to automatically delete the secret.
--remove-expiration- If set, removes scheduled expiration from secret (if it had one).
--ttl=TTL- Duration of time (in seconds) from the running of the command until the secretis automatically deleted.
- Rotation.
--next-rotation-time=NEXT_ROTATION_TIME- Timestamp at which to send rotation notification.
--remove-next-rotation-time- Remove timestamp at which to send rotation notification.
--remove-rotation-period- If set, removes the rotation period, cancelling all rotations except for thenext one.
--remove-rotation-schedule- If set, removes rotation policy from a secret.
--rotation-period=ROTATION_PERIOD- Duration of time (in seconds) between rotation notifications.
- regional kms key.
At most one of these can be specified:
--regional-kms-key-name=REGIONAL-KMS-KEY-NAME- regional kms key name for regional secret.
--remove-regional-kms-key-name- If set, removes the regional kms key.
- Version destroy ttl.
At most one of these can be specified:
--remove-version-destroy-ttl- If set, removes the version destroy TTL from the secret.
--version-destroy-ttl=VERSION-DESTROY-TTL- Secret Version TTL after destruction request. For secret with TTL>0, versiondestruction does not happen immediately on calling destroy; instead, the versiongoes to a disabled state and destruction happens after the TTL expires. See
$gcloud topicdatetimesfor information on duration formats.
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$gcloud helpfor details. - NOTES
- This variant is also available:
gcloudbetasecretsupdate
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-07 UTC.