Secret Manager roles and permissions
Stay organized with collections Save and categorize content based on your preferences.

This page lists the IAM roles and permissions for Secret Manager. To search through all roles and permissions, see the role and permission index.

Secret Manager roles

Role Permissions

Role	Permissions
Secret Manager Admin (`roles/secretmanager.admin`) Full access to administer Secret Manager resources. Lowest-level resources where you can grant this role: Secret	`cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `resourcemanager.projects.get` `resourcemanager.projects.list` `secretmanager.` `secretmanager.locations.get` `secretmanager.locations.list` `secretmanager.secrets.create` `secretmanager.secrets.createTagBinding` `secretmanager.secrets.delete` `secretmanager.secrets.deleteTagBinding` `secretmanager.secrets.get` `secretmanager.secrets.getIamPolicy` `secretmanager.secrets.list` `secretmanager.secrets.listEffectiveTags` `secretmanager.secrets.listTagBindings` `secretmanager.secrets.setIamPolicy` `secretmanager.secrets.update` `secretmanager.versions.access` `secretmanager.versions.add` `secretmanager.versions.destroy` `secretmanager.versions.disable` `secretmanager.versions.enable` `secretmanager.versions.get` `secretmanager.versions.list`
Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`) Allows accessing the payload of secrets. Lowest-level resources where you can grant this role: Secret	`resourcemanager.projects.get` `resourcemanager.projects.list` `secretmanager.versions.access`
Secret Manager Secret Version Adder (`roles/secretmanager.secretVersionAdder`) Allows adding versions to existing secrets. Lowest-level resources where you can grant this role: Secret	`resourcemanager.projects.get` `resourcemanager.projects.list` `secretmanager.versions.add`
Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`) Allows creating and managing versions of existing secrets. Lowest-level resources where you can grant this role: Secret	`resourcemanager.projects.get` `resourcemanager.projects.list` `secretmanager.versions.add` `secretmanager.versions.destroy` `secretmanager.versions.disable` `secretmanager.versions.enable` `secretmanager.versions.get` `secretmanager.versions.list`
Secret Manager Viewer (`roles/secretmanager.viewer`) Allows viewing metadata of all Secret Manager resources Lowest-level resources where you can grant this role: Secret	`resourcemanager.projects.get` `resourcemanager.projects.list` `secretmanager.locations.*` `secretmanager.locations.get` `secretmanager.locations.list` `secretmanager.secrets.get` `secretmanager.secrets.getIamPolicy` `secretmanager.secrets.list` `secretmanager.secrets.listEffectiveTags` `secretmanager.secrets.listTagBindings` `secretmanager.versions.get` `secretmanager.versions.list`

Secret Manager Admin

(roles/secretmanager.admin)

Full access to administer Secret Manager resources.

Lowest-level resources where you can grant this role:

Secret

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.*

secretmanager.locations.get
secretmanager.locations.list
secretmanager.secrets.create
secretmanager.secrets.createTagBinding
secretmanager.secrets.delete
secretmanager.secrets.deleteTagBinding
secretmanager.secrets.get
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings
secretmanager.secrets.setIamPolicy
secretmanager.secrets.update
secretmanager.versions.access
secretmanager.versions.add
secretmanager.versions.destroy
secretmanager.versions.disable
secretmanager.versions.enable
secretmanager.versions.get
secretmanager.versions.list

Secret Manager Secret Accessor

(roles/secretmanager.secretAccessor)

Allows accessing the payload of secrets.

Lowest-level resources where you can grant this role:

Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.access

Secret Manager Secret Version Adder

(roles/secretmanager.secretVersionAdder)

Allows adding versions to existing secrets.

Lowest-level resources where you can grant this role:

Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.add

Secret Manager Secret Version Manager

(roles/secretmanager.secretVersionManager)

Allows creating and managing versions of existing secrets.

Lowest-level resources where you can grant this role:

Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.add

secretmanager.versions.destroy

secretmanager.versions.disable

secretmanager.versions.enable

secretmanager.versions.get

secretmanager.versions.list

Secret Manager Viewer

(roles/secretmanager.viewer)

Allows viewing metadata of all Secret Manager resources

Lowest-level resources where you can grant this role:

Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.locations.*

secretmanager.locations.get
secretmanager.locations.list

secretmanager.secrets.get

secretmanager.secrets.getIamPolicy

secretmanager.secrets.list

secretmanager.secrets.listEffectiveTags

secretmanager.secrets.listTagBindings

secretmanager.versions.get

secretmanager.versions.list

Secret Manager permissions

Permission	Included in roles
`secretmanager.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Viewer (`roles/secretmanager.viewer`)
`secretmanager.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Viewer (`roles/secretmanager.viewer`)
`secretmanager.secrets.create`	Owner (`roles/owner`) Editor (`roles/editor`) Secret Manager Admin (`roles/secretmanager.admin`)
`secretmanager.secrets.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Secret Manager Admin (`roles/secretmanager.admin`)
`secretmanager.secrets.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Secret Manager Admin (`roles/secretmanager.admin`)
`secretmanager.secrets.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Secret Manager Admin (`roles/secretmanager.admin`)
`secretmanager.secrets.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Viewer (`roles/secretmanager.viewer`)
`secretmanager.secrets.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Connector Admin (`roles/connectors.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Viewer (`roles/secretmanager.viewer`)
`secretmanager.secrets.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Viewer (`roles/secretmanager.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`secretmanager.secrets.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Viewer (`roles/secretmanager.viewer`)
`secretmanager.secrets.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Viewer (`roles/secretmanager.viewer`)
`secretmanager.secrets.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) Secret Manager Admin (`roles/secretmanager.admin`)
`secretmanager.secrets.update`	Owner (`roles/owner`) Editor (`roles/editor`) Secret Manager Admin (`roles/secretmanager.admin`)
`secretmanager.versions.access`	Owner (`roles/owner`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)
`secretmanager.versions.add`	Owner (`roles/owner`) Editor (`roles/editor`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Secret Version Adder (`roles/secretmanager.secretVersionAdder`) Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`)
`secretmanager.versions.destroy`	Owner (`roles/owner`) Editor (`roles/editor`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`)
`secretmanager.versions.disable`	Owner (`roles/owner`) Editor (`roles/editor`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`)
`secretmanager.versions.enable`	Owner (`roles/owner`) Editor (`roles/editor`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`)
`secretmanager.versions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`) Secret Manager Viewer (`roles/secretmanager.viewer`)
`secretmanager.versions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Secret Manager Admin (`roles/secretmanager.admin`) Secret Manager Secret Version Manager (`roles/secretmanager.secretVersionManager`) Secret Manager Viewer (`roles/secretmanager.viewer`)

Secret Manager roles and permissions
Stay organized with collections Save and categorize content based on your preferences.