This topic describes how to create a secret. A secret contains one or more secretversions, along with metadata such as labels and replication information. Theactual contents of a secret are stored in a secret version.
Console
-
Go to the Secret Manager page in the Google Cloud console.
Go to the Secret Manager page
-
On the Secret Manager page, click Create Secret.
-
On the Create secret page, under Name, enter a name for the secret (for example,
my-secret
). A secret name can contain uppercase and lowercase letters, numerals, hyphens, and underscores. The maximum allowed length for a name is 255 characters. -
Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example,
abcd1234
). The secret value can be in any format but must not be larger than 64 KiB. You can also upload a text file containing the secret value using the Upload file option. -
Click the Create secret button.
gcloud
To use Secret Manager on the command line, firstInstall or upgrade to version 378.0.0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
$ gcloud secrets create secret-id \ --replication-policy="automatic"
C#
To run this code, first set up a C# development environment andinstall the Secret Manager C# SDK. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
using Google.Api.Gax.ResourceNames;using Google.Cloud.SecretManager.V1;public class CreateSecretSample{ public Secret CreateSecret( string projectId = "my-project", string secretId = "my-secret") { // Create the client. SecretManagerServiceClient client = SecretManagerServiceClient.Create(); // Build the parent resource name. ProjectName projectName = new ProjectName(projectId); // Build the secret. Secret secret = new Secret { Replication = new Replication { Automatic = new Replication.Types.Automatic(), }, }; // Call the API. Secret createdSecret = client.CreateSecret(projectName, secretId, secret); return createdSecret; }}
Go
To run this code, first set up a Go development environment andinstall the Secret Manager Go SDK. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
import ("context""fmt""io"secretmanager "cloud.google.com/go/secretmanager/apiv1""cloud.google.com/go/secretmanager/apiv1/secretmanagerpb")// createSecret creates a new secret with the given name. A secret is a logical// wrapper around a collection of secret versions. Secret versions hold the// actual secret material.func createSecret(w io.Writer, parent, id string) error {// parent := "projects/my-project"// id := "my-secret"// Create the client.ctx := context.Background()client, err := secretmanager.NewClient(ctx)if err != nil {return fmt.Errorf("failed to create secretmanager client: %w", err)}defer client.Close()// Build the request.req := &secretmanagerpb.CreateSecretRequest{Parent: parent,SecretId: id,Secret: &secretmanagerpb.Secret{Replication: &secretmanagerpb.Replication{Replication: &secretmanagerpb.Replication_Automatic_{Automatic: &secretmanagerpb.Replication_Automatic{},},},},}// Call the API.result, err := client.CreateSecret(ctx, req)if err != nil {return fmt.Errorf("failed to create secret: %w", err)}fmt.Fprintf(w, "Created secret: %s\n", result.Name)return nil}
Java
To run this code, first set up a Java development environment andinstall the Secret Manager Java SDK. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
import com.google.cloud.secretmanager.v1.ProjectName;import com.google.cloud.secretmanager.v1.Replication;import com.google.cloud.secretmanager.v1.Secret;import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;import java.io.IOException;public class CreateSecret { public static void createSecret() throws IOException { // TODO(developer): Replace these variables before running the sample. String projectId = "your-project-id"; String secretId = "your-secret-id"; createSecret(projectId, secretId); } // Create a new secret with automatic replication. public static void createSecret(String projectId, String secretId) throws IOException { // Initialize the client that will be used to send requests. This client only needs to be // created once, and can be reused for multiple requests. After completing all of your requests, // call the "close" method on the client to safely clean up any remaining background resources. try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) { // Build the parent name from the project. ProjectName projectName = ProjectName.of(projectId); // Build the secret to create. Secret secret = Secret.newBuilder() .setReplication( Replication.newBuilder() .setAutomatic(Replication.Automatic.newBuilder().build()) .build()) .build(); // Create the secret. Secret createdSecret = client.createSecret(projectName, secretId, secret); System.out.printf("Created secret %s\n", createdSecret.getName()); } }}
Node.js
To run this code, first set up a Node.js development environment andinstall the Secret Manager Node.js SDK. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
/** * TODO(developer): Uncomment these variables before running the sample. */// const parent = 'projects/my-project';// const secretId = 'my-secret';// Imports the Secret Manager libraryconst {SecretManagerServiceClient} = require('@google-cloud/secret-manager');// Instantiates a clientconst client = new SecretManagerServiceClient();async function createSecret() { const [secret] = await client.createSecret({ parent: parent, secretId: secretId, secret: { replication: { automatic: {}, }, }, }); console.log(`Created secret ${secret.name}`);}createSecret();
PHP
To run this code, first learn about using PHP on Google Cloud andinstall the Secret Manager PHP SDK. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
// Import the Secret Manager client library.use Google\Cloud\SecretManager\V1\CreateSecretRequest;use Google\Cloud\SecretManager\V1\Replication;use Google\Cloud\SecretManager\V1\Replication\Automatic;use Google\Cloud\SecretManager\V1\Secret;use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;/** * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project') * @param string $secretId Your secret ID (e.g. 'my-secret') */function create_secret(string $projectId, string $secretId): void{ // Create the Secret Manager client. $client = new SecretManagerServiceClient(); // Build the resource name of the parent project. $parent = $client->projectName($projectId); $secret = new Secret([ 'replication' => new Replication([ 'automatic' => new Automatic(), ]), ]); // Build the request. $request = CreateSecretRequest::build($parent, $secretId, $secret); // Create the secret. $newSecret = $client->createSecret($request); // Print the new secret name. printf('Created secret: %s', $newSecret->getName());}
Python
To run this code, first set up a Python development environment andinstall the Secret Manager Python SDK. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
def create_secret( project_id: str, secret_id: str, ttl: Optional[str] = None) -> secretmanager.Secret: """ Create a new secret with the given name. A secret is a logical wrapper around a collection of secret versions. Secret versions hold the actual secret material. Args: project_id (str): The project ID where the secret is to be created. secret_id (str): The ID to assign to the new secret. This ID must be unique within the project. ttl (Optional[str]): An optional string that specifies the secret's time-to-live in seconds with format (e.g., "900s" for 15 minutes). If specified, the secret versions will be automatically deleted upon reaching the end of the TTL period. Returns: secretmanager.Secret: An object representing the newly created secret, containing details like the secret's name, replication settings, and optionally its TTL. Example: # Create a secret with automatic replication and no TTL new_secret = create_secret("my-project", "my-new-secret") # Create a secret with a TTL of 30 days new_secret_with_ttl = create_secret("my-project", "my-timed-secret", "7776000s") """ # Import the Secret Manager client library. from google.cloud import secretmanager # Create the Secret Manager client. client = secretmanager.SecretManagerServiceClient() # Build the resource name of the parent project. parent = f"projects/{project_id}" # Create the secret. response = client.create_secret( request={ "parent": parent, "secret_id": secret_id, "secret": {"replication": {"automatic": {}}, "ttl": ttl}, } ) # Print the new secret name. print(f"Created secret: {response.name}")
Ruby
To run this code, first set up a Ruby development environment andinstall the Secret Manager Ruby SDK. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
# project_id = "YOUR-GOOGLE-CLOUD-PROJECT" # (e.g. "my-project")# secret_id = "YOUR-SECRET-ID" # (e.g. "my-secret")# Require the Secret Manager client library.require "google/cloud/secret_manager"# Create a Secret Manager client.client = Google::Cloud::SecretManager.secret_manager_service# Build the resource name of the parent project.parent = client.project_path project: project_id# Create the secret.secret = client.create_secret( parent: parent, secret_id: secret_id, secret: { replication: { automatic: {} } })# Print the new secret name.puts "Created secret: #{secret.name}"
API
These examples use curl to demonstrate using the API. You can generate access tokens with gcloud auth print-access-token. On Compute Engine or GKE, you mustauthenticate with the cloud-platform scope.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets?secretId=secret-id" \ --request "POST" \ --header "authorization: Bearer $(gcloud auth print-access-token)" \ --header "content-type: application/json" \ --data "{\"replication\": {\"automatic\": {}}}"
Secret Manager automatically versions secret data using secret versions, and most operations like access, destroy, disable, and enable take place on a secret version.With Secret Manager, you can pin a secret to specific versions like 42
or floating aliases like latest
. Learn how to Add a secret version.
To access the secret data from a particular secret version for successful authentication, see Access a secret version.