secrets
Creates, updates, deletes, gets or lists a secrets resource.
Overview
Name | secrets |
Type | Resource |
Id | google.secretmanager.secrets |
Fields
The following fields are returned by SELECT queries:
- get
- list
Successful response
Name | Datatype | Description |
---|---|---|
name | string | Output only. The resource name of the Secret in the format `projects/*/secrets/*`. |
annotations | object | Optional. Custom metadata about the secret. Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database. Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols. The total size of annotation keys and values must be less than 16KiB. |
createTime | string (google-datetime) | Output only. The time at which the Secret was created. |
customerManagedEncryption | object | Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions. (id: CustomerManagedEncryption) |
etag | string | Optional. Etag of the currently stored Secret. |
expireTime | string (google-datetime) | Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input. |
labels | object | The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `\p{Ll}\p{Lo}{0,62}`. Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`. No more than 64 labels can be assigned to a given resource. |
replication | object | Optional. Immutable. The replication policy of the secret data attached to the Secret. The replication policy cannot be changed after the Secret has been created. (id: Replication) |
rotation | object | Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy. (id: Rotation) |
tags | object | Optional. Input only. Immutable. Mapping of Tag keys/values directly bound to this resource. For example: "123/environment": "production", "123/costCenter": "marketing". Tags are used to organize and group resources. Tags can be used to control policy evaluation for the resource. |
topics | array | Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. |
ttl | string (google-duration) | Input only. The TTL for the Secret. |
versionAliases | object | Optional. Mapping from version alias to version name. A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and underscore (`_`) characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret. Version-Alias pairs will be viewable via GetSecret and modifiable via UpdateSecret. Access by alias is only supported on GetSecretVersion and AccessSecretVersion. |
versionDestroyTtl | string (google-duration) | Optional. Secret Version TTL after destruction request. This is a part of the Delayed secret version destroy feature. For a secret with TTL>0, version destruction doesn't happen immediately on calling destroy; instead the version goes to a disabled state and destruction happens after the TTL expires. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | projectsId, secretsId | | Gets metadata for a given Secret. |
list | select | projectsId | pageSize, pageToken, filter | Lists Secrets. |
create | insert | projectsId | secretId | Creates a new Secret containing no SecretVersions. |
patch | update | projectsId, secretsId | updateMask | Updates metadata of an existing Secret. |
delete | delete | projectsId, secretsId | etag | Deletes a Secret. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
projectsId | string | |
secretsId | string | |
etag | string | |
filter | string | |
pageSize | integer (int32) | |
pageToken | string | |
secretId | string | |
updateMask | string (google-fieldmask) | |
SELECT examples
- get
- list
Gets metadata for a given Secret.
SELECT
name,
annotations,
createTime,
customerManagedEncryption,
etag,
expireTime,
labels,
replication,
rotation,
tags,
topics,
ttl,
versionAliases,
versionDestroyTtl
FROM google.secretmanager.secrets
WHERE projectsId = '{{ projectsId }}' -- required
AND secretsId = '{{ secretsId }}'; -- required
Lists Secrets.
SELECT
name,
annotations,
createTime,
customerManagedEncryption,
etag,
expireTime,
labels,
replication,
rotation,
tags,
topics,
ttl,
versionAliases,
versionDestroyTtl
FROM google.secretmanager.secrets
WHERE projectsId = '{{ projectsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}'
AND filter = '{{ filter }}';
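An added example (not part of the StackQL documentation): a Python check over rows shaped like the output of the list query above, flagging secrets that have no rotation policy, no Pub/Sub topic, no customerManagedEncryption, no versionDestroyTtl, or an expireTime that is close. The sample rows, the values inside them, the fixed clock and the 30-day threshold are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the list query's output. Object columns
# are shown both as JSON text and as null, since either can reach a script.
SAMPLE_ROWS = [
    {"name": "projects/123/secrets/db-password",
     "rotation": '{"rotationPeriod": "2592000s"}',
     "topics": '[{"name": "projects/123/topics/secret-events"}]',
     "customerManagedEncryption": None, "expireTime": None,
     "versionDestroyTtl": "86400s"},
    {"name": "projects/123/secrets/legacy-api-key",
     "rotation": None, "topics": "null", "customerManagedEncryption": "",
     "expireTime": "2025-01-15T00:00:00Z", "versionDestroyTtl": None},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock

def _decode(value):
    """Decode a column; None, '' and 'null' all mean the field is unset."""
    if not isinstance(value, str):
        return value
    text = value.strip()
    if text in ("", "null"):
        return None
    try:
        return json.loads(text)
    except ValueError:
        return text  # plain string column (timestamp, duration)

def audit_secret(row, now, warn_days=30):
    """Return hygiene findings for one row of google.secretmanager.secrets."""
    col = {key: _decode(val) for key, val in row.items()}
    checks = [("rotation", "no rotation policy"),
              ("topics", "no Pub/Sub topic for control-plane events"),
              # Top-level field; the page scopes it to regionalized secrets.
              ("customerManagedEncryption", "customerManagedEncryption unset"),
              ("versionDestroyTtl", "no delayed version destroy")]
    findings = [msg for field, msg in checks if not col.get(field)]
    expire = col.get("expireTime")
    if expire:  # UTC per the field description; drop fractional seconds
        when = datetime.strptime(expire[:19], "%Y-%m-%dT%H:%M:%S")
        if when.replace(tzinfo=timezone.utc) - now <= timedelta(days=warn_days):
            findings.append(f"expires within {warn_days} days")
    return findings

def audit(rows, now):
    """Map secret name -> findings, skipping secrets with none."""
    report = {row["name"]: audit_secret(row, now) for row in rows}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_ROWS, SAMPLE_NOW).items():
        print(name, "->", "; ".join(found))
```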
INSERT examples
- create
- Manifest
Creates a new Secret containing no SecretVersions.
INSERT INTO google.secretmanager.secrets (
data__replication,
data__labels,
data__topics,
data__expireTime,
data__ttl,
data__etag,
data__rotation,
data__versionAliases,
data__annotations,
data__versionDestroyTtl,
data__customerManagedEncryption,
data__tags,
projectsId,
secretId
)
SELECT
'{{ replication }}',
'{{ labels }}',
'{{ topics }}',
'{{ expireTime }}',
'{{ ttl }}',
'{{ etag }}',
'{{ rotation }}',
'{{ versionAliases }}',
'{{ annotations }}',
'{{ versionDestroyTtl }}',
'{{ customerManagedEncryption }}',
'{{ tags }}',
'{{ projectsId }}',
'{{ secretId }}'
RETURNING
name,
annotations,
createTime,
customerManagedEncryption,
etag,
expireTime,
labels,
replication,
rotation,
tags,
topics,
ttl,
versionAliases,
versionDestroyTtl
;
# Description fields are for documentation purposes
- name: secrets
  props:
    - name: projectsId
      value: string
      description: Required parameter for the secrets resource.
    - name: replication
      value: object
      description: >
        Optional. Immutable. The replication policy of the secret data attached to the Secret. The replication policy cannot be changed after the Secret has been created.
    - name: labels
      value: object
      description: >
        The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `\p{Ll}\p{Lo}{0,62}`. Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`. No more than 64 labels can be assigned to a given resource.
    - name: topics
      value: array
      description: >
        Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.
    - name: expireTime
      value: string
      description: >
        Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.
    - name: ttl
      value: string
      description: >
        Input only. The TTL for the Secret.
    - name: etag
      value: string
      description: >
        Optional. Etag of the currently stored Secret.
    - name: rotation
      value: object
      description: >
        Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy.
    - name: versionAliases
      value: object
      description: >
        Optional. Mapping from version alias to version name. A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and underscore (`_`) characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret. Version-Alias pairs will be viewable via GetSecret and modifiable via UpdateSecret. Access by alias is only supported on GetSecretVersion and AccessSecretVersion.
    - name: annotations
      value: object
      description: >
        Optional. Custom metadata about the secret. Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database. Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols. The total size of annotation keys and values must be less than 16KiB.
    - name: versionDestroyTtl
      value: string
      description: >
        Optional. Secret Version TTL after destruction request. This is a part of the Delayed secret version destroy feature. For a secret with TTL>0, version destruction doesn't happen immediately on calling destroy; instead the version goes to a disabled state and destruction happens after the TTL expires.
    - name: customerManagedEncryption
      value: object
      description: >
        Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
    - name: tags
      value: object
      description: >
        Optional. Input only. Immutable. Mapping of Tag keys/values directly bound to this resource. For example: "123/environment": "production", "123/costCenter": "marketing". Tags are used to organize and group resources. Tags can be used to control policy evaluation for the resource.
    - name: secretId
      value: string
UPDATE examples
- patch
Updates metadata of an existing Secret.
UPDATE google.secretmanager.secrets
SET
data__replication = '{{ replication }}',
data__labels = '{{ labels }}',
data__topics = '{{ topics }}',
data__expireTime = '{{ expireTime }}',
data__ttl = '{{ ttl }}',
data__etag = '{{ etag }}',
data__rotation = '{{ rotation }}',
data__versionAliases = '{{ versionAliases }}',
data__annotations = '{{ annotations }}',
data__versionDestroyTtl = '{{ versionDestroyTtl }}',
data__customerManagedEncryption = '{{ customerManagedEncryption }}',
data__tags = '{{ tags }}'
WHERE
projectsId = '{{ projectsId }}' -- required
AND secretsId = '{{ secretsId }}' -- required
AND updateMask = '{{ updateMask }}'
RETURNING
name,
annotations,
createTime,
customerManagedEncryption,
etag,
expireTime,
labels,
replication,
rotation,
tags,
topics,
ttl,
versionAliases,
versionDestroyTtl;
DELETE examples
- delete
Deletes a Secret.
DELETE FROM google.secretmanager.secrets
WHERE projectsId = '{{ projectsId }}' -- required
AND secretsId = '{{ secretsId }}' -- required
AND etag = '{{ etag }}';