Create and access a secret using Secret Manager

Learn how to create and access secrets using Secret Manager on Google Cloud.

To follow step-by-step guidance for this task directly in the Google Cloud console, click Guide me:

Guide me

Before you begin

Enable the Secret Manager API, once per project.
Assign the Secret Manager Admin role (roles/secretmanager.admin) on the project, folder, or organization.
Authenticate to the Secret Manager API using one of the following ways:
- If you're using client libraries to access the Secret Manager API, set up Application Default Credentials.
- If you're using the Google Cloud CLI to access the Secret Manager API, use your Google Cloud CLI credentials to authenticate.
- To authenticate a REST call, use either Google Cloud CLI credentials or Application Default Credentials.

Create a secret and access a secret version

The following examples demonstrate creating a secret and accessing a secret version's contents.

Console

To create the secret and the secret version:

Go to the Secret Manager page in the Google Cloud console.

Go to the Secret Manager page
On the Secret Manager page, click Create Secret.
On the Create secret page, under Name, enter my-secret.
In the Secret value field, enter my super secret data.
Click the Create secret button.

To access the contents of the secret version:

Go to the Secret Manager page in the Google Cloud console.

Go to the Secret Manager page
On the Secret Manager page, click on my-secret.
On the Secret details page, in the Versions table, locate version 1.
In the Actions column, click View more.
Click View secret value from the menu.
A dialog appears that shows the secret value. Click Done to close the dialog.

gcloud

To use Secret Manager on the command line, first Install or upgrade to version 378.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

To create a secret and store a string as the contents of the first secret version:

$ echo -n "my super secret data" | gcloud secrets create my-secret \
    --replication-policy="replication-policy" \
    --data-file=-

Where replication-policy is one of automatic or user-managed.

To access the contents of a specific secret version:

$ gcloud secrets versions access 1 --secret="my-secret"

To access the contents of the latest secret version:

$ gcloud secrets versions access latest --secret="my-secret"

API

These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

To create the secret and store a string as the contents of a secret version:

$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets?secretId=my-secret" \
    --request "POST" \
    --header "authorization: Bearer $(gcloud auth print-access-token)" \
    --header "content-type: application/json" \
    --data "{\"replication\": {\"automatic\": {}}}"

To access the secret version's contents:

$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/my-secret/versions/1:access" \
    --request "GET" \
    --header "authorization: Bearer $(gcloud auth print-access-token)" \
    --header "content-type: application/json"

What's next

Learn about editing a secret.
Learn about managing access to secrets.
Learn about assigning an alias to a secret version.
Learn about setting up notifications on a secret.
Learn about following best practices.

Before you begin

Create a secret and access a secret version

Console

gcloud

C#

Go

Java

Node.js

PHP

Python

Ruby

API

What's next