Google Cloud Secret Manager API client library for Python that stores, manages, and secures access to application secrets
npx @tessl/cli install tessl/pypi-google-cloud-secret-manager@2.24.0

Google Cloud Secret Manager API client library for Python that stores, manages, and secures access to application secrets. This comprehensive client provides both synchronous and asynchronous APIs for creating, storing, accessing, and managing secrets and their versions with built-in IAM integration, encryption options, and audit capabilities.
pip install google-cloud-secret-manager

from google.cloud import secretmanager

Specific client imports:
from google.cloud.secretmanager import SecretManagerServiceClient
from google.cloud.secretmanager import SecretManagerServiceAsyncClient

Type imports:
from google.cloud.secretmanager import Secret, SecretVersion, SecretPayload
from google.cloud.secretmanager import CreateSecretRequest, AddSecretVersionRequest
from google.cloud.secretmanager import Replication, CustomerManagedEncryption
from google.cloud.secretmanager import Topic, Rotation

Advanced imports for enterprise features:
# For IAM operations
from google.iam.v1 import iam_policy_pb2, policy_pb2
# For async operations
from google.cloud.secretmanager import SecretManagerServiceAsyncClient
# For pagination
from google.cloud.secretmanager import ListSecretsPager, ListSecretsAsyncPager
# For location operations
from google.cloud.location import locations_pb2
# For field masks (updates)
from google.protobuf import field_mask_pb2

from google.cloud import secretmanager
# Quick start: create a secret, store one version, then read it back.
# A single client instance serves every call below.
client = secretmanager.SecretManagerServiceClient()

# Secrets are created under a project resource path.
project_id = "your-project-id"
parent = f"projects/{project_id}"

# Step 1: create the secret itself with automatic replication.
# The payload is attached separately, as a version, in step 2.
secret_id = "my-secret"
secret = secretmanager.Secret(
    replication=secretmanager.Replication(
        automatic=secretmanager.Replication.Automatic(),
    ),
)
create_secret_request = secretmanager.CreateSecretRequest(
    parent=parent,
    secret_id=secret_id,
    secret=secret,
)
response = client.create_secret(request=create_secret_request)
print(f"Created secret: {response.name}")

# Step 2: add a version that carries the payload bytes.
# The literal below is a placeholder for this example; real secret material
# should be supplied at runtime rather than committed alongside the code.
secret_name = response.name
payload = secretmanager.SecretPayload(data=b"my-secret-data")
add_version_request = secretmanager.AddSecretVersionRequest(
    parent=secret_name,
    payload=payload,
)
version_response = client.add_secret_version(request=add_version_request)
print(f"Added secret version: {version_response.name}")

# Step 3: read the payload back using the version's resource name.
access_request = secretmanager.AccessSecretVersionRequest(
    name=version_response.name,
)
access_response = client.access_secret_version(request=access_request)
# `data` is the plaintext secret from here on; application code should keep
# it out of logs and error messages.
data = access_response.payload.data.decode('utf-8')
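print(f"Secret data: {data}")

Printing the payload is for demonstration only; application code should keep secret values out of stdout and logs.

Google Cloud Secret Manager client follows Google API design patterns: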
- Synchronous (SecretManagerServiceClient) and asynchronous (SecretManagerServiceAsyncClient) clients providing identical APIs

Core secret lifecycle operations including creating secrets with replication policies, retrieving secret metadata, updating configurations, and deleting secrets. Provides complete CRUD operations for secret resources.
def create_secret(self, request: CreateSecretRequest = None, **kwargs) -> Secret: ...
def get_secret(self, request: GetSecretRequest = None, **kwargs) -> Secret: ...
def update_secret(self, request: UpdateSecretRequest = None, **kwargs) -> Secret: ...
def delete_secret(self, request: DeleteSecretRequest = None, **kwargs) -> None: ...
def list_secrets(self, request: ListSecretsRequest = None, **kwargs) -> ListSecretsPager: ...

Managing secret versions and accessing secret data, including adding new versions, retrieving version metadata, accessing secret payloads, and controlling version lifecycle states (enabled/disabled/destroyed). Disabling a version is reversible; destroying a version permanently deletes its payload.
def add_secret_version(self, request: AddSecretVersionRequest = None, **kwargs) -> SecretVersion: ...
def get_secret_version(self, request: GetSecretVersionRequest = None, **kwargs) -> SecretVersion: ...
def access_secret_version(self, request: AccessSecretVersionRequest = None, **kwargs) -> AccessSecretVersionResponse: ...
def list_secret_versions(self, request: ListSecretVersionsRequest = None, **kwargs) -> ListSecretVersionsPager: ...
def enable_secret_version(self, request: EnableSecretVersionRequest = None, **kwargs) -> SecretVersion: ...
def disable_secret_version(self, request: DisableSecretVersionRequest = None, **kwargs) -> SecretVersion: ...
def destroy_secret_version(self, request: DestroySecretVersionRequest = None, **kwargs) -> SecretVersion: ...

Identity and Access Management operations for controlling access to secrets, including setting IAM policies, retrieving current policies, and testing permissions. Provides fine-grained access control integration.
def set_iam_policy(self, request: SetIamPolicyRequest = None, **kwargs) -> Policy: ...
def get_iam_policy(self, request: GetIamPolicyRequest = None, **kwargs) -> Policy: ...
def test_iam_permissions(self, request: TestIamPermissionsRequest = None, **kwargs) -> TestIamPermissionsResponse: ...

Core data structures including Secret, SecretVersion, SecretPayload, replication configurations, encryption settings, and all request/response types used throughout the API.
class Secret: ...
class SecretVersion: ...
class SecretPayload: ...
class Replication: ...
class CustomerManagedEncryption: ...

The client uses Google API Core exceptions:
from google.api_core import exceptions
# Map the google.api_core exceptions a lookup can raise to distinct outcomes.
try:
    secret = client.get_secret(request=get_request)
except exceptions.NotFound:
    # Raised as NotFound: reported as a missing secret.
    print("Secret not found")
except exceptions.PermissionDenied:
    # Raised as PermissionDenied: reported as an access failure.
    print("Access denied")
except exceptions.InvalidArgument as e:
    # Raised as InvalidArgument: the exception text is included in the output.
    print(f"Invalid argument: {e}")

import asyncio
from google.cloud.secretmanager import SecretManagerServiceAsyncClient
async def manage_secrets():
    """Collect every secret returned by the async list call into a list."""
    async with SecretManagerServiceAsyncClient() as client:
        # The async client mirrors the synchronous API: the list call is
        # awaited, and its result is then consumed with async iteration.
        pager = await client.list_secrets(request=list_request)
        return [secret async for secret in pager]


# Drive the coroutine to completion from synchronous code.
secrets = asyncio.run(manage_secrets())