REST Resource: projects.locations.secrets

Resource: Secret
Methods

Resource: Secret

A Secret is a logical secret whose value and versions can be accessed.

A Secret is made up of zero or more SecretVersions that represent the secret data.

JSON representation

JSON representation
{ "name": string, "createTime": string, "labels": { string: string, ... }, "topics": [ { object (`Topic`) } ], "etag": string, "rotation": { object (`Rotation`) }, "versionAliases": { string: string, ... }, "annotations": { string: string, ... }, "versionDestroyTtl": string, "customerManagedEncryption": { object (`CustomerManagedEncryption`) }, // Union field `expiration` can be only one of the following: "expireTime": string, "ttl": string // End of list of possible types for union field `expiration`. }

{
  "name": string,
  "createTime": string,
  "labels": {
    string: string,
    ...
  },
  "topics": [
    {
      object (Topic)
    }
  ],
  "etag": string,
  "rotation": {
    object (Rotation)
  },
  "versionAliases": {
    string: string,
    ...
  },
  "annotations": {
    string: string,
    ...
  },
  "versionDestroyTtl": string,
  "customerManagedEncryption": {
    object (CustomerManagedEncryption)
  },

  // Union field expiration can be only one of the following:
  "expireTime": string,
  "ttl": string
  // End of list of possible types for union field expiration.
}

Fields
`name`	`string` Output only. The resource name of the `Secret` in the format `projects//locations//secrets/*`.
`createTime`	`string (Timestamp format)` Output only. The time at which the `Secret` was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`labels`	`map (key: string, value: string)` The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}` Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}` No more than 64 labels can be assigned to a given resource. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`topics[]`	`object (Topic)` Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.
`etag`	`string` Optional. Etag of the currently stored `Secret`.
`rotation`	`object (Rotation)` Optional. Rotation policy attached to the `Secret`. May be excluded if there is no rotation policy.
`versionAliases`	`map (key: string, value: string (int64 format))` Optional. Mapping from version alias to version name. A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and underscore ('_') characters. An alias string must start with a letter and cannot be the string 'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret. Version-Alias pairs will be viewable via secrets.get and modifiable via secrets.patch. Access by alias is only be supported on GetSecretVersion and AccessSecretVersion. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`annotations`	`map (key: string, value: string)` Optional. Custom metadata about the secret. Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database. Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols. The total size of annotation keys and values must be less than 16KiB. An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`versionDestroyTtl`	`string (Duration format)` Optional. Secret Version TTL after destruction request This is a part of the Delayed secret version destroy feature. For secret with TTL>0, version destruction doesn't happen immediately on calling destroy instead the version goes to a disabled state and destruction happens after the TTL expires. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`customerManagedEncryption`	`object (CustomerManagedEncryption)` Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used. Updates to the `Secret` encryption configuration only apply to `SecretVersions` added afterwards. They do not apply retroactively to existing `SecretVersions`.
Union field `expiration`. Expiration policy attached to the `Secret`. If specified the `Secret` and all `SecretVersions` will be automatically deleted at expiration. Expired secrets are irreversibly deleted. Expiration is not the recommended way to set time-based permissions. IAM Conditions is recommended for granting time-based permissions because the operation can be reversed. `expiration` can be only one of the following:
`expireTime`	`string (Timestamp format)` Optional. Timestamp in UTC when the `Secret` is scheduled to expire. This is always provided on output, regardless of what was sent on input. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`ttl`	`string (Duration format)` Input only. The TTL for the `Secret`. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.

JSON representation
{ // Union field `replication` can be only one of the following: "automatic": { object (`Automatic`) }, "userManaged": { object (`UserManaged`) } // End of list of possible types for union field `replication`. }

Fields
Union field `replication`. The replication policy for this secret. `replication` can be only one of the following:
`automatic`	`object (Automatic)` The `Secret` will automatically be replicated without any restrictions.
`userManaged`	`object (UserManaged)` The `Secret` will only be replicated into the locations specified.

JSON representation
{ "customerManagedEncryption": { object (`CustomerManagedEncryption`) } }

Fields
`customerManagedEncryption`	`object (CustomerManagedEncryption)` Optional. The customer-managed encryption configuration of the `Secret`. If no configuration is provided, Google-managed default encryption is used. Updates to the `Secret` encryption configuration only apply to `SecretVersions` added afterwards. They do not apply retroactively to existing `SecretVersions`.

CustomerManagedEncryption

Configuration for encrypting secret payloads using customer-managed encryption keys (CMEK).

JSON representation
{ "kmsKeyName": string }

Fields

Fields
`kmsKeyName`	`string` Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. For secrets using the `UserManaged` replication policy type, Cloud KMS CryptoKeys must reside in the same location as the [replica location][Secret.UserManaged.Replica.location]. For secrets using the `Automatic` replication policy type, Cloud KMS CryptoKeys must reside in `global`. The expected format is `projects//locations//keyRings//cryptoKeys/`.

kmsKeyName

string

Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.

For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the [replica location][Secret.UserManaged.Replica.location].

For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global.

The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.

JSON representation
{ "replicas": [ { object (`Replica`) } ] }

Fields
`replicas[]`	`object (Replica)` Required. The list of Replicas for this `Secret`. Cannot be empty.

JSON representation
{ "location": string, "customerManagedEncryption": { object (`CustomerManagedEncryption`) } }

Fields
`location`	`string` The canonical IDs of the location to replicate data. For example: `"us-east1"`.
`customerManagedEncryption`	`object (CustomerManagedEncryption)` Optional. The customer-managed encryption configuration of the [User-Managed Replica][Replication.UserManaged.Replica]. If no configuration is provided, Google-managed default encryption is used. Updates to the `Secret` encryption configuration only apply to `SecretVersions` added afterwards. They do not apply retroactively to existing `SecretVersions`.

Topic

A Pub/Sub topic which Secret Manager will publish to when control plane events occur on this secret.

JSON representation
{ "name": string }

Fields

Fields
`name`	`string` Identifier. The resource name of the Pub/Sub topic that will be published to, in the following format: `projects//topics/`. For publication to succeed, the Secret Manager service agent must have the `pubsub.topic.publish` permission on the topic. The Pub/Sub Publisher role (`roles/pubsub.publisher`) includes this permission.

name

string

Identifier. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager service agent must have the pubsub.topic.publish permission on the topic. The Pub/Sub Publisher role (roles/pubsub.publisher) includes this permission.

Rotation

The rotation time and period for a Secret. At nextRotationTime, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. Secret.topics must be set to configure rotation.

JSON representation
{ "nextRotationTime": string, "rotationPeriod": string }

Fields

Fields
`nextRotationTime`	`string (Timestamp format)` Optional. Timestamp in UTC at which the `Secret` is scheduled to rotate. Cannot be set to less than 300s (5 min) in the future and at most 3153600000s (100 years). `nextRotationTime` MUST be set if `rotationPeriod` is set. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: `"2014-10-02T15:01:23Z"` and `"2014-10-02T15:01:23.045123456Z"`.
`rotationPeriod`	`string (Duration format)` Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years). If `rotationPeriod` is set, `nextRotationTime` must be set. `nextRotationTime` will be advanced by this period when the service automatically sends rotation notifications. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.

nextRotationTime

string (Timestamp format)

Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Cannot be set to less than 300s (5 min) in the future and at most 3153600000s (100 years).

nextRotationTime MUST be set if rotationPeriod is set.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

rotationPeriod

string (Duration format)

Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).

If rotationPeriod is set, nextRotationTime must be set. nextRotationTime will be advanced by this period when the service automatically sends rotation notifications.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

Methods
`addVersion`	Creates a new `SecretVersion` containing secret data and attaches it to an existing `Secret`.
`create`	Creates a new `Secret` containing no `SecretVersions`.
`delete`	Deletes a `Secret`.
`get`	Gets metadata for a given `Secret`.
`getIamPolicy`	Gets the access control policy for a secret.
`list`	Lists `Secrets`.
`patch`	Updates metadata of an existing `Secret`.
`setIamPolicy`	Sets the access control policy on the specified secret.
`testIamPermissions`	Returns permissions that a caller has for the specified secret.

REST Resource: projects.locations.secrets

Resource: Secret

Replication

Automatic

CustomerManagedEncryption

UserManaged

Replica

Topic

Rotation

Methods

`addVersion`

`create`

`delete`

`get`

`getIamPolicy`

`list`

`patch`

`setIamPolicy`

`testIamPermissions`

REST Resource: projects.locations.secrets Stay organized with collections Save and categorize content based on your preferences.

Resource: Secret

Replication

Automatic

CustomerManagedEncryption

UserManaged

Replica

Topic

Rotation

Methods

REST Resource: projects.locations.secrets