	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Cloud Platforms > Google Cloud Platform (GCP) > Secret Manager

Secret Manager

Author: Venkata Sudhakar

Google Cloud Secret Manager is a fully managed service for storing, accessing, and managing sensitive data such as API keys, passwords, database credentials, TLS certificates, and private keys. It provides a central, secure location for secrets with versioning, audit logging, and fine-grained access control using Cloud IAM.

Secret Manager stores secrets as encrypted byte strings and automatically replicates them across multiple regions for high availability. Every access to a secret is logged in Cloud Audit Logs, giving you a complete audit trail of who accessed which secret and when. You can set fine-grained access control at the secret level - granting specific service accounts read access to only the secrets they need, following the principle of least privilege.

The below example shows how to create a secret, add a secret version, and access it using the gcloud CLI.

It gives the following output,

Created secret [db-password].
Created version [1] of secret [db-password].

MySecretP@ssw0rd123

NAME  STATE    CREATED
1     enabled  2024-01-15T10:30:00Z

The below example shows how to access a secret from a Python application at runtime, which is the recommended pattern for applications running on GCP - never hardcode secrets in source code or environment variables.

# Install: pip install google-cloud-secret-manager
from google.cloud import secretmanager

client = secretmanager.SecretManagerServiceClient()

# Example 1: Access the latest version of a secret
def get_secret(project_id, secret_id):
    name = f"projects/{project_id}/secrets/{secret_id}/versions/latest"
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("UTF-8")

db_password = get_secret("my-project", "db-password")
print("Secret accessed successfully")
print("Length:", len(db_password), "chars")

# Example 2: Create a new secret programmatically
def create_secret(project_id, secret_id, secret_value):
    parent = f"projects/{project_id}"
    # Create the secret
    secret = client.create_secret(
        request={
            "parent": parent,
            "secret_id": secret_id,
            "secret": {"replication": {"automatic": {}}},
        }
    )
    # Add the secret version
    client.add_secret_version(
        request={
            "parent": secret.name,
            "payload": {"data": secret_value.encode("UTF-8")},
        }
    )
    print(f"Secret {secret_id} created and version added.")
    return secret.name

create_secret("my-project", "api-key", "sk-abc123def456")

It gives the following output,

Secret accessed successfully
Length: 19 chars
Secret api-key created and version added.

Best Practices for Secret Manager:

Rotate secrets regularly - Add new versions and disable old ones. Applications should always fetch the latest version at startup, not cache secrets forever.

Use IAM bindings at secret level - Grant the roles/secretmanager.secretAccessor role to specific service accounts for only the secrets they need.

Never commit secrets to code - Replace all hardcoded credentials, .env files, and config files with Secret Manager API calls.

Send your comments, suggestions or queries regarding this site to [email protected].