tessl/golang-cloud-google-com--go--secretmanager

tessl install tessl/golang-cloud-google-com--go--secretmanager@1.16.1

Go Client Library for Google Cloud Secret Manager API - stores sensitive data such as API keys, passwords, and certificates

Google Cloud Secret Manager Go Client

Google Cloud Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. The Secret Manager Go client library provides a simple interface to store, manage, and access secrets on Google Cloud Platform.

Package Information

  • Package Name: cloud.google.com/go/secretmanager
  • Package Type: golang
  • Language: Go
  • Installation: go get cloud.google.com/go/secretmanager@v1.16.0

Core Imports

The Secret Manager library consists of two main packages:

import (
    secretmanager "cloud.google.com/go/secretmanager/apiv1"
    secretmanagerpb "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
)

For IAM operations, you may also need:

import (
    iampb "cloud.google.com/go/iam/apiv1/iampb"
)

For location operations:

import (
    locationpb "google.golang.org/genproto/googleapis/cloud/location"
)

Basic Usage

Creating a client and accessing a secret:

package main

import (
    "context"
    "fmt"
    "log"

    secretmanager "cloud.google.com/go/secretmanager/apiv1"
    secretmanagerpb "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
)

func main() {
    ctx := context.Background()

    // Create the Secret Manager client
    client, err := secretmanager.NewClient(ctx)
    if err != nil {
        log.Fatalf("failed to create client: %v", err)
    }
    defer client.Close()

    // Create a new secret
    createSecretReq := &secretmanagerpb.CreateSecretRequest{
        Parent:   "projects/my-project",
        SecretId: "my-secret",
        Secret: &secretmanagerpb.Secret{
            Replication: &secretmanagerpb.Replication{
                Replication: &secretmanagerpb.Replication_Automatic_{
                    Automatic: &secretmanagerpb.Replication_Automatic{},
                },
            },
        },
    }
    secret, err := client.CreateSecret(ctx, createSecretReq)
    if err != nil {
        log.Fatalf("failed to create secret: %v", err)
    }
    fmt.Printf("Created secret: %s\n", secret.Name)

    // Add a secret version with payload data
    addVersionReq := &secretmanagerpb.AddSecretVersionRequest{
        Parent: secret.Name,
        Payload: &secretmanagerpb.SecretPayload{
            Data: []byte("my-secret-data"),
        },
    }
    version, err := client.AddSecretVersion(ctx, addVersionReq)
    if err != nil {
        log.Fatalf("failed to add secret version: %v", err)
    }
    fmt.Printf("Added secret version: %s\n", version.Name)

    // Access the secret version to retrieve the payload
    accessReq := &secretmanagerpb.AccessSecretVersionRequest{
        Name: version.Name,
    }
    result, err := client.AccessSecretVersion(ctx, accessReq)
    if err != nil {
        log.Fatalf("failed to access secret version: %v", err)
    }
    // Printed here for demonstration only; real code should not print or log the payload
    fmt.Printf("Secret data: %s\n", result.Payload.Data)
}

Capabilities

Client Creation and Configuration

Create and configure Secret Manager clients with support for gRPC and REST protocols.

func NewClient(ctx context.Context, opts ...option.ClientOption) (*Client, error)
func NewRESTClient(ctx context.Context, opts ...option.ClientOption) (*Client, error)
func DefaultAuthScopes() []string

The Client type provides all Secret Manager operations. Clients are safe for concurrent use and should be reused rather than created per operation.

Secret Management Operations

Create, read, update, delete, and list secrets. Secrets are containers for secret versions.

func (c *Client) CreateSecret(ctx context.Context, req *secretmanagerpb.CreateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
func (c *Client) GetSecret(ctx context.Context, req *secretmanagerpb.GetSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
func (c *Client) UpdateSecret(ctx context.Context, req *secretmanagerpb.UpdateSecretRequest, opts ...gax.CallOption) (*secretmanagerpb.Secret, error)
func (c *Client) DeleteSecret(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
func (c *Client) ListSecrets(ctx context.Context, req *secretmanagerpb.ListSecretsRequest, opts ...gax.CallOption) *SecretIterator

Secrets support labels, annotations, expiration policies, rotation policies, and replication configurations.

Secret Version Operations

Add, access, enable, disable, and destroy secret versions. Secret versions contain the actual secret data.

func (c *Client) AddSecretVersion(ctx context.Context, req *secretmanagerpb.AddSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
func (c *Client) AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
func (c *Client) GetSecretVersion(ctx context.Context, req *secretmanagerpb.GetSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
func (c *Client) EnableSecretVersion(ctx context.Context, req *secretmanagerpb.EnableSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
func (c *Client) DisableSecretVersion(ctx context.Context, req *secretmanagerpb.DisableSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
func (c *Client) DestroySecretVersion(ctx context.Context, req *secretmanagerpb.DestroySecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.SecretVersion, error)
func (c *Client) ListSecretVersions(ctx context.Context, req *secretmanagerpb.ListSecretVersionsRequest, opts ...gax.CallOption) *SecretVersionIterator

IAM and Access Control

Manage Identity and Access Management policies for secrets to control who can access them.

func (c *Client) SetIamPolicy(ctx context.Context, req *iampb.SetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error)
func (c *Client) GetIamPolicy(ctx context.Context, req *iampb.GetIamPolicyRequest, opts ...gax.CallOption) (*iampb.Policy, error)
func (c *Client) TestIamPermissions(ctx context.Context, req *iampb.TestIamPermissionsRequest, opts ...gax.CallOption) (*iampb.TestIamPermissionsResponse, error)
func (c *Client) IAM(name string) *iam.Handle

Request and Response Types

Complete type definitions for all Secret Manager API operations, including Secret, SecretVersion, Replication, and all request/response structures.

type Secret struct {
    Name                      string
    Replication               *Replication
    CreateTime                *timestamppb.Timestamp
    Labels                    map[string]string
    // ... additional fields
}

type SecretVersion struct {
    Name                           string
    CreateTime                     *timestamppb.Timestamp
    State                          SecretVersion_State
    ReplicationStatus              *ReplicationStatus
    // ... additional fields
}

type SecretPayload struct {
    Data       []byte
    DataCrc32C *int64
}
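
The DataCrc32C field carries a CRC32C checksum of Data, which lets a caller detect a payload corrupted between the service and the application. The following is an added example, not code from the package or this page: it uses a local `payload` struct as a stand-in for SecretPayload so it runs offline, and the function names are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"hash/crc32"
)

// payload is a local stand-in with the same two fields as SecretPayload,
// so the example runs without the client library or network access.
type payload struct {
	Data       []byte
	DataCrc32C *int64
}

// CRC32C is the Castagnoli polynomial, not the IEEE default of hash/crc32.
var castagnoli = crc32.MakeTable(crc32.Castagnoli)

// Checksum returns the CRC32C of data widened to int64, the field's type.
func Checksum(data []byte) int64 {
	return int64(crc32.Checksum(data, castagnoli))
}

// NewPayload fills in DataCrc32C, as a caller would before AddSecretVersion.
func NewPayload(data []byte) *payload {
	sum := Checksum(data)
	return &payload{Data: data, DataCrc32C: &sum}
}

// VerifyPayload rejects a payload whose checksum is absent or does not match.
func VerifyPayload(p *payload) error {
	if p == nil || p.DataCrc32C == nil {
		return errors.New("payload carries no checksum to verify")
	}
	if got := Checksum(p.Data); got != *p.DataCrc32C {
		return fmt.Errorf("crc32c mismatch: computed %d, payload says %d", got, *p.DataCrc32C)
	}
	return nil
}

func main() {
	p := NewPayload([]byte("my-secret-data")) // constructed sample value
	fmt.Println("intact:", VerifyPayload(p))
	p.Data[0] ^= 0x01 // simulate corruption in transit
	fmt.Println("corrupted:", VerifyPayload(p))
}
```

With the real client, the same comparison applies to result.Payload.Data and result.Payload.DataCrc32C after AccessSecretVersion returns.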

Location Operations

Query information about available GCP locations.

func (c *Client) GetLocation(ctx context.Context, req *locationpb.GetLocationRequest, opts ...gax.CallOption) (*locationpb.Location, error)
func (c *Client) ListLocations(ctx context.Context, req *locationpb.ListLocationsRequest, opts ...gax.CallOption) *LocationIterator

Core Concepts

Resource Names

Secret Manager uses hierarchical resource names:

  • Projects: projects/{project}
  • Project Locations: projects/{project}/locations/{location}
  • Secrets: projects/{project}/secrets/{secret} or projects/{project}/locations/{location}/secrets/{secret}
  • Secret Versions: projects/{project}/secrets/{secret}/versions/{version} or projects/{project}/locations/{location}/secrets/{secret}/versions/{version}

Version identifiers can be:

  • Numeric version number (e.g., 1, 2, 3)
  • latest - the most recently created version
  • Version alias - a custom alias mapped to a version number
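
A parser for the two secret version name forms listed above, as an added example that is not part of the package or this page. It validates the structure of a name before it is passed to the API and classifies the version identifier, so callers can tell a fixed numeric version from `latest` or an alias, both of which can later resolve to a different version. `VersionRef`, `ParseVersionName` and `Pinned` are illustrative names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// VersionRef holds the parts of a secret version resource name.
type VersionRef struct {
	Project, Location, Secret, Version, Kind string // Kind: "numeric", "latest" or "alias"
}

// Pinned reports whether the reference always resolves to the same version.
func (r VersionRef) Pinned() bool { return r.Kind == "numeric" }

// ParseVersionName accepts the global and the location-qualified form and
// classifies the trailing version identifier.
func ParseVersionName(name string) (VersionRef, error) {
	// Catches empty input, leading or trailing slashes and empty segments.
	if strings.Contains("/"+name+"/", "//") {
		return VersionRef{}, errors.New("empty path segment")
	}
	p := strings.Split(name, "/")
	var r VersionRef
	switch {
	case len(p) == 6 && p[0] == "projects" && p[2] == "secrets" && p[4] == "versions":
		r = VersionRef{Project: p[1], Secret: p[3], Version: p[5]}
	case len(p) == 8 && p[0] == "projects" && p[2] == "locations" &&
		p[4] == "secrets" && p[6] == "versions":
		r = VersionRef{Project: p[1], Location: p[3], Secret: p[5], Version: p[7]}
	default:
		return VersionRef{}, errors.New("not a secret version resource name")
	}
	switch {
	case r.Version == "latest":
		r.Kind = "latest"
	case strings.Trim(r.Version, "0123456789") == "": // digits only
		r.Kind = "numeric"
	default:
		r.Kind = "alias"
	}
	return r, nil
}

func main() {
	// Constructed sample name using the placeholder project and secret from this page.
	r, err := ParseVersionName("projects/my-project/secrets/my-secret/versions/latest")
	fmt.Println(r.Kind, r.Pinned(), err)
}
```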

Replication

Secrets can use one of two replication strategies:

  1. Automatic Replication: Secret data is automatically replicated across multiple regions for high availability
  2. User-Managed Replication: You specify exact locations where the secret should be replicated

Customer-Managed Encryption (CMEK)

Secrets can be encrypted using customer-managed encryption keys from Cloud KMS, providing an additional layer of control over encryption.

Secret States

Secret versions have states:

  • ENABLED - The version can be accessed
  • DISABLED - The version cannot be accessed but can be re-enabled
  • DESTROYED - The version is permanently destroyed and cannot be recovered