Secret Manager
gRPC · port 8086
Configuration
No env var. Secret Manager has no official *_EMULATOR_HOST environment variable. You must configure the endpoint manually in your client code.
Go SDK example
Create a secret, add a version, and access it:
```go
package main

import (
	"context"
	"fmt"
	"log"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
	smpb "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
	"google.golang.org/api/option"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"
)

func main() {
	ctx := context.Background()

	// Connect to localgcp (no TLS, no auth)
	client, err := secretmanager.NewClient(ctx,
		option.WithEndpoint("localhost:8086"),
		option.WithoutAuthentication(),
		option.WithGRPCDialOption(grpc.WithTransportCredentials(
			insecure.NewCredentials(),
		)),
	)
	if err != nil {
		log.Fatal(err)
	}
	defer client.Close()

	project := "projects/my-project"

	// Create a secret
	secret, err := client.CreateSecret(ctx, &smpb.CreateSecretRequest{
		Parent:   project,
		SecretId: "db-password",
		Secret: &smpb.Secret{
			Replication: &smpb.Replication{
				Replication: &smpb.Replication_Automatic_{
					Automatic: &smpb.Replication_Automatic{},
				},
			},
		},
	})
	if err != nil {
		log.Fatal(err)
	}

	// Add a version with the secret value
	version, err := client.AddSecretVersion(ctx, &smpb.AddSecretVersionRequest{
		Parent:  secret.Name,
		Payload: &smpb.SecretPayload{Data: []byte("s3cret-p@ss")},
	})
	if err != nil {
		log.Fatal(err)
	}

	// Access the secret (by version or "latest")
	resp, err := client.AccessSecretVersion(ctx, &smpb.AccessSecretVersionRequest{
		Name: version.Name, // or: secret.Name + "/versions/latest"
	})
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("Secret: %s\n", resp.Payload.Data)
}
```
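Because the endpoint is set by hand and the connection runs without TLS or authentication, it helps to gate those options on a loopback-only check. The following is an added example, not part of localgcp or the Google SDK; the variable name `SECRETMANAGER_EMULATOR_HOST` and the function `EmulatorEndpoint` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// emulatorEnv is a hypothetical name chosen for this example; Secret Manager
// has no official *_EMULATOR_HOST variable.
const emulatorEnv = "SECRETMANAGER_EMULATOR_HOST"

// EmulatorEndpoint returns the host:port to dial with TLS and auth disabled,
// or "" when the variable is unset and production defaults should apply.
// Non-loopback values are rejected so that secret payloads are never sent
// unauthenticated and in cleartext to a remote host.
func EmulatorEndpoint(getenv func(string) string) (string, error) {
	raw := getenv(emulatorEnv)
	if raw == "" {
		return "", nil
	}
	host, port, err := net.SplitHostPort(raw)
	if err != nil {
		return "", fmt.Errorf("%s=%q: %w", emulatorEnv, raw, err)
	}
	if port == "" {
		return "", fmt.Errorf("%s=%q: missing port", emulatorEnv, raw)
	}
	// Accept the literal name "localhost" or a loopback IP (127.0.0.0/8, ::1).
	// Other hostnames are refused rather than resolved, since DNS can change.
	if ip := net.ParseIP(host); host != "localhost" && (ip == nil || !ip.IsLoopback()) {
		return "", fmt.Errorf("%s=%q: not a loopback address", emulatorEnv, raw)
	}
	return raw, nil
}

func main() {
	endpoint, err := EmulatorEndpoint(os.Getenv)
	switch {
	case err != nil:
		fmt.Fprintln(os.Stderr, "refusing insecure connection:", err)
		os.Exit(1)
	case endpoint == "":
		fmt.Println("variable unset: build the client with default TLS and credentials")
	default:
		// Only on this branch would the insecure client options be passed.
		fmt.Println("emulator mode, dialing", endpoint)
	}
}
```

A non-empty return value is what would be handed to option.WithEndpoint together with the no-auth and insecure-transport options; an empty one means the client is built with no overrides.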
Features
- Secret CRUD -- create, get, list, delete secrets
- Versioning -- add multiple versions to a secret
- Access by version -- fetch by version number (e.g. versions/1) or versions/latest
- State management -- enable, disable, destroy individual versions
Version states
Each secret version has a state that controls access:
- ENABLED -- the version can be accessed (default for new versions)
- DISABLED -- the version exists but cannot be accessed
- DESTROYED -- the version payload is deleted permanently
```go
// Continues the example above: client, ctx and secret are already defined.

// Disable a version
_, err = client.DisableSecretVersion(ctx, &smpb.DisableSecretVersionRequest{
	Name: secret.Name + "/versions/1",
})
if err != nil {
	log.Fatal(err)
}

// Re-enable it
_, err = client.EnableSecretVersion(ctx, &smpb.EnableSecretVersionRequest{
	Name: secret.Name + "/versions/1",
})
if err != nil {
	log.Fatal(err)
}

// Destroy it permanently
_, err = client.DestroySecretVersion(ctx, &smpb.DestroySecretVersionRequest{
	Name: secret.Name + "/versions/1",
})
if err != nil {
	log.Fatal(err)
}
```
Not yet supported
- IAM bindings
- Replication policies
- Secret rotation
- Labels and annotations