or run

tessl search
Log in

Version

Workspace
tessl
Visibility
Public
Created
Last updated
Describes
golangpkg:golang/cloud.google.com/go/secretmanager@v1.16.0

docs

client.mdiam.mdindex.mdsecrets.mdtypes.mdversions.md
tile.json

tessl/golang-cloud-google-com--go--secretmanager

tessl install tessl/golang-cloud-google-com--go--secretmanager@1.16.1

Go Client Library for Google Cloud Secret Manager API - stores sensitive data such as API keys, passwords, and certificates

client.mddocs/

Client Creation and Configuration

The Secret Manager client provides the primary interface for interacting with the Secret Manager API. Clients can use either gRPC or REST protocols.

Client Type

type Client struct {
    CallOptions *CallOptions
    // contains filtered or unexported fields
}

The Client type is the main client for interacting with Secret Manager API. Methods (except Close) may be called concurrently. Fields must not be modified concurrently with method calls.

Creating Clients

NewClient

func NewClient(ctx context.Context, opts ...option.ClientOption) (*Client, error)

Creates a new Secret Manager service client based on gRPC. The returned client must be Closed when it is done being used to clean up its underlying connections.

Example:

ctx := context.Background()
client, err := secretmanager.NewClient(ctx)
if err != nil {
    log.Fatalf("failed to create client: %v", err)
}
defer client.Close()

NewRESTClient

func NewRESTClient(ctx context.Context, opts ...option.ClientOption) (*Client, error)

Creates a new Secret Manager service REST client. REST clients use HTTP/1.1 instead of gRPC.

Example:

ctx := context.Background()
client, err := secretmanager.NewRESTClient(ctx)
if err != nil {
    log.Fatalf("failed to create REST client: %v", err)
}
defer client.Close()

Client Options

Both NewClient and NewRESTClient accept option.ClientOption parameters for configuration:

import "google.golang.org/api/option"

// Use a custom endpoint
client, err := secretmanager.NewClient(ctx,
    option.WithEndpoint("https://custom-endpoint.example.com"),
)

// Use credentials from a JSON key file
client, err := secretmanager.NewClient(ctx,
    option.WithCredentialsFile("/path/to/keyfile.json"),
)

// Use credentials from JSON data
client, err := secretmanager.NewClient(ctx,
    option.WithCredentialsJSON(jsonData),
)

// Disable authentication (for testing)
client, err := secretmanager.NewClient(ctx,
    option.WithoutAuthentication(),
)

// Use specific scopes
client, err := secretmanager.NewClient(ctx,
    option.WithScopes("https://www.googleapis.com/auth/cloud-platform"),
)

Authentication

DefaultAuthScopes

func DefaultAuthScopes() []string

Returns the default set of authentication scopes to use with this package.

Example:

scopes := secretmanager.DefaultAuthScopes()
// Returns: ["https://www.googleapis.com/auth/cloud-platform"]

The default scope https://www.googleapis.com/auth/cloud-platform provides full access to Google Cloud resources.

Client Methods

Close

func (c *Client) Close() error

Closes the connection to the API service. Always call Close() when done using the client to free resources.

Example:

client, err := secretmanager.NewClient(ctx)
if err != nil {
    return err
}
defer client.Close()

Connection (Deprecated)

func (c *Client) Connection() *grpc.ClientConn

Returns a connection to the API service. This method is deprecated as connections are now pooled so this method does not necessarily return the same connection across calls.

CallOptions

type CallOptions struct {
    ListSecrets          []gax.CallOption
    CreateSecret         []gax.CallOption
    AddSecretVersion     []gax.CallOption
    GetSecret            []gax.CallOption
    UpdateSecret         []gax.CallOption
    DeleteSecret         []gax.CallOption
    ListSecretVersions   []gax.CallOption
    GetSecretVersion     []gax.CallOption
    AccessSecretVersion  []gax.CallOption
    DisableSecretVersion []gax.CallOption
    EnableSecretVersion  []gax.CallOption
    DestroySecretVersion []gax.CallOption
    SetIamPolicy         []gax.CallOption
    GetIamPolicy         []gax.CallOption
    TestIamPermissions   []gax.CallOption
    GetLocation          []gax.CallOption
    ListLocations        []gax.CallOption
}

Contains the retry settings for each method of Client. These can be configured to customize retry behavior, timeouts, and other call options.

Example:

import "github.com/googleapis/gax-go/v2"

// Call with custom timeout
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()

secret, err := client.GetSecret(ctx, req,
    gax.WithRetry(func() gax.Retryer {
        return gax.OnCodes([]codes.Code{
            codes.Unavailable,
            codes.DeadlineExceeded,
        }, gax.Backoff{
            Initial:    time.Second,
            Max:        30 * time.Second,
            Multiplier: 2,
        })
    }),
)

Best Practices

Client Reuse

Clients should be reused instead of created per-request. Creating a client establishes a connection pool and allocates resources.

Good:

// Create once, reuse for multiple operations
client, err := secretmanager.NewClient(ctx)
defer client.Close()

for _, secretName := range secretNames {
    secret, err := client.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
        Name: secretName,
    })
    // Process secret...
}

Bad:

// Don't create a new client for each operation
for _, secretName := range secretNames {
    client, err := secretmanager.NewClient(ctx)
    secret, err := client.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
        Name: secretName,
    })
    client.Close()
}

Concurrent Use

Client methods are safe for concurrent use by multiple goroutines:

client, err := secretmanager.NewClient(ctx)
defer client.Close()

var wg sync.WaitGroup
for _, secretName := range secretNames {
    wg.Add(1)
    go func(name string) {
        defer wg.Done()
        secret, err := client.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
            Name: name,
        })
        // Process secret...
    }(secretName)
}
wg.Wait()

Context Usage

The context passed to NewClient is used only for authentication and connection setup. Individual method calls use their own context parameters:

// Context for client creation (authentication)
createCtx := context.Background()
client, err := secretmanager.NewClient(createCtx)
defer client.Close()

// Context for individual calls (can have timeout, cancellation, etc.)
callCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
secret, err := client.GetSecret(callCtx, req)

Regional Endpoints

By default, clients connect to the global Secret Manager endpoint. For data residency or latency requirements, you can specify regional endpoints:

// Use a regional endpoint
client, err := secretmanager.NewClient(ctx,
    option.WithEndpoint("us-east1-secretmanager.googleapis.com:443"),
)

When using regional endpoints, ensure your secret resources are also in that region:

// Create a secret in a specific location
req := &secretmanagerpb.CreateSecretRequest{
    Parent:   "projects/my-project/locations/us-east1",
    SecretId: "my-secret",
    Secret: &secretmanagerpb.Secret{
        Replication: &secretmanagerpb.Replication{
            Replication: &secretmanagerpb.Replication_UserManaged_{
                UserManaged: &secretmanagerpb.Replication_UserManaged{
                    Replicas: []*secretmanagerpb.Replication_UserManaged_Replica{
                        {Location: "us-east1"},
                    },
                },
            },
        },
    },
}