Access the Secret Manager API

We recommend that you access the Secret Manager API using the following tools:

  • The Google Cloud CLI, which provides a command-line interface for managing secrets.

  • Convenient, idiomatic Secret Manager client libraries, which let you access and manage secrets from within your application source code. Client libraries are available in many languages, including C# (.NET), Go, Java, Node.js, PHP, Python, and Ruby.

Before you begin

  1. Enable the Secret Manager API.

  2. Requests to the Secret Manager API require authentication. For information, see Authenticate to Secret Manager.

Use Secret Manager with Compute Engine and Google Kubernetes Engine

To use Secret Manager with workloads running on Compute Engine or GKE, the underlying instance or node must have the cloud-platform OAuth scope. If you receive an error with the following message, it means the instance or node was not provisioned with the correct OAuth scopes.

Request had insufficient authentication scopes

The required OAuth scope to use Secret Manager is:

https://www.googleapis.com/auth/cloud-platform

When creating a new instance, instance group, or node pool, specify the cloud-platform scope:


gcloud compute instances create "INSTANCE_ID" \
    --scopes "https://www.googleapis.com/auth/cloud-platform"

For an existing instance, instance group, or node pool, update the access scopes:


gcloud compute instances set-service-account "INSTANCE_ID" \
    --service-account "SERVICE_ACCOUNT_EMAIL" \
    --scopes "https://www.googleapis.com/auth/cloud-platform"

See the Compute Engine service account permissions for more information.
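
To confirm which scopes a running instance or node actually has before changing it, the following shell check queries the Compute Engine metadata server and tests for the exact cloud-platform scope. It is an added example, not part of the original page; the function names and sample scope lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a VM or GKE node has the cloud-platform scope.
# Function names and the sample scope lists below are constructed.

CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# Print the scopes of the instance's default service account, one per line.
# Only reachable from inside a Compute Engine VM or GKE node.
fetch_instance_scopes() {
    curl -sf --max-time 5 -H "Metadata-Flavor: Google" "$METADATA_URL"
}

# Read a scope list on stdin; succeed only on an exact, whole-line match so
# that narrower scopes such as cloud-platform.read-only are not mistaken
# for the required one.
has_cloud_platform_scope() {
    tr -d '\r' | grep -Fxq "$CLOUD_PLATFORM_SCOPE"
}

# Print "ok" or "insufficient" for the scope list passed as $1.
classify_scopes() {
    if printf '%s\n' "$1" | has_cloud_platform_scope; then
        echo "ok"
    else
        echo "insufficient"
    fi
}

# Constructed samples: a typical limited scope set, a look-alike, and the
# required scope.
LIMITED_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"
LOOKALIKE_SCOPES="https://www.googleapis.com/auth/cloud-platform.read-only"
FULL_SCOPES="https://www.googleapis.com/auth/cloud-platform"

if [ "${1:-}" = "--live" ]; then
    # On the instance itself: query the metadata server and report.
    scopes=$(fetch_instance_scopes) || { echo "metadata server unreachable" >&2; exit 2; }
    echo "cloud-platform scope: $(classify_scopes "$scopes")"
else
    echo "limited:   $(classify_scopes "$LIMITED_SCOPES")"
    echo "lookalike: $(classify_scopes "$LOOKALIKE_SCOPES")"
    echo "full:      $(classify_scopes "$FULL_SCOPES")"
fi
```

Run it with --live on the instance or node itself; an "insufficient" result corresponds to the "Request had insufficient authentication scopes" error described above.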

Use Secret Manager with App Engine

To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.

What's next