Reference secrets in parameters

This page describes how to reference secrets in parameters. To learn more about secrets, see Secret Manager overview.

You can store sensitive information such as your passwords and API keys in Secret Manager and then reference those secrets from within parameters used in your applications or infrastructure. The maximum number of secret references a parameter version can contain is 15.

For example, you have a database connection string that includes a password. Do the following:

  • Store the password as a secret in Secret Manager.
  • Create a parameter in Parameter Manager for the connection string.
  • Store a reference to the secret in your parameter version.

When your application or infrastructure needs the secret, it retrieves the parameter value, which contains only the reference, and then uses that reference to fetch the actual secret value from Secret Manager. The password itself is therefore never written into your configuration files or into the parameter version; what is stored is the reference string, which reveals the secret's resource name but not its value.

By storing secrets separately from configuration files and application code, you reduce the risk of accidental exposure or unauthorized access. You can securely store, audit, and rotate your secrets in Secret Manager while keeping all your configuration data organized in Parameter Manager. Rotating a secret then means creating a new secret version and updating the version in the reference (or referencing the latest alias), not editing the configuration value itself.

To reference secrets within parameters, you need the role described in the next section, and then you create a parameter version whose payload contains the reference.

Required roles

To get the permissions that you need to create a parameter version with a secret reference, ask your administrator to grant you the Parameter Manager Parameter Version Adder (roles/parametermanager.parameterversions.create) IAM role on the project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

This role only lets you write the reference string into a parameter version; it grants no access to the secret itself. The principal that later resolves the reference must separately be able to access the referenced secret version, for example through the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) on that secret. Granting that role on the individual secret rather than on the whole project limits the principal to the secrets it actually references.

Create a parameter version with the secret reference

If you are using the REST API to manage parameter versions, complete these steps before creating a new version:

  • Encode the parameter payload data containing the secret reference using Base64 and then pass the encoded string in the create version command. For example, you want to create a new version of an existing parameter with a secret reference using the following YAML data:

    project:
      display_name: PM Bank
      locale: en-US
      port: 8080
      db_password: __REF__("//secretmanager.googleapis.com/projects/production-1/secrets/db_password/versions/1")
      mask_sensitive_fields: false
    

    The field db_password uses a special reference expression (__REF__()) to pull the actual password value from Secret Manager. The resource name inside it, //secretmanager.googleapis.com/projects/PROJECT/secrets/SECRET/versions/VERSION, identifies the exact secret version to read; here it is version 1 of the secret db_password in project production-1.

    Here's the Base64 string for the sample YAML data given in this section. Note that this particular string was encoded from a copy of the sample that uses CRLF line endings and references the secret in project acm-sample rather than production-1, which you can confirm by decoding it; generate the string from your own payload rather than reusing this one:

    cHJvamVjdDoNCiAgZGlzcGxheV9uYW1lOiBQTSBCYW5rDQogIGxvY2FsZTogZW4tVVMNCiAgcG9ydDogODA4MA0KICBkYl9wYXNzd29yZDogX19SRUZfXygiLy9zZWNyZXRtYW5hZ2VyLmdvb2dsZWFwaXMuY29tL3Byb2plY3RzL2FjbS1zYW1wbGUvc2VjcmV0cy9kYl9wYXNzd29yZC92ZXJzaW9ucy8xIikNCiAgbWFza19zZW5zaXRpdmVfZmllbGRzOiBmYWxzZQ==
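As an added example that is not code from this page or from Google's samples, the following Python ties together the reference mechanism described at the top of the page and the Base64 step above. It checks a payload's __REF__() expressions before you create a version (well-formed Secret Manager resource names, at most 15 references per version as the page states), produces the JSON body the REST method expects, and shows how an application resolves the references it reads back. The project, secret and parameter names are constructed for illustration; the fetch callable is injected so the logic runs offline, and secret_manager_fetch shows how to wire it to the Secret Manager client, which needs network access and the Secret Manager Secret Accessor role on the referenced secret.

```python
"""Secret references in a Parameter Manager payload: validate, encode, resolve.

Added example, not code from the page or from Google's samples. Project,
secret and parameter names below are constructed for illustration.
"""
import base64
import json
import re
from typing import Callable, List

# The page states that a parameter version may contain at most 15 secret references.
MAX_REFS_PER_VERSION = 15

# Reference syntax as the page shows it: __REF__("//secretmanager.googleapis.com/RESOURCE").
# The page's samples write the resource name double-quoted, single-quoted and unquoted,
# so all three are accepted; the quote that opens must be the one that closes.
_SEG = r"[^/\s'\")]+"  # one path segment of a resource name
_REF_RE = re.compile(
    r"__REF__\(\s*(['\"]?)//secretmanager\.googleapis\.com/"
    r"(projects/%s(?:/locations/%s)?/secrets/%s/versions/%s)\1\s*\)" % ((_SEG,) * 4)
)

# Constructed sample payload, same shape as the YAML on this page.
SAMPLE_PAYLOAD = """project:
  display_name: PM Bank
  locale: en-US
  port: 8080
  db_password: __REF__("//secretmanager.googleapis.com/projects/production-1/secrets/db_password/versions/1")
  mask_sensitive_fields: false
"""


def find_secret_references(payload: str) -> List[str]:
    """Return the Secret Manager version resource names referenced in a payload, in order."""
    return [m.group(2) for m in _REF_RE.finditer(payload)]


def validate_payload(payload: str) -> List[str]:
    """Reject payloads that Parameter Manager would store but that cannot resolve cleanly.

    Every __REF__( opener must be a well-formed reference (a typo in the resource name
    would otherwise be stored verbatim), and the count must stay within the page's limit.
    """
    refs = find_secret_references(payload)
    if payload.count("__REF__(") != len(refs):
        raise ValueError("payload contains a malformed __REF__ expression")
    if len(refs) > MAX_REFS_PER_VERSION:
        raise ValueError(
            f"{len(refs)} secret references exceed the limit of {MAX_REFS_PER_VERSION}"
        )
    return refs


def encode_rest_body(payload: str) -> str:
    """Build the JSON body for parameterVersions.create: the payload Base64-encoded as-is."""
    validate_payload(payload)
    data = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return json.dumps({"payload": {"data": data}})


def resolve_references(payload: str, fetch: Callable[[str], str]) -> str:
    """Replace each reference with the secret value returned by fetch(resource_name).

    fetch is injected so the logic runs offline; wire it to secret_manager_fetch below
    in a real application. Only the reference expression is replaced, so the surrounding
    YAML or JSON structure is untouched.
    """
    validate_payload(payload)
    return _REF_RE.sub(lambda m: fetch(m.group(2)), payload)


def secret_manager_fetch(name: str) -> str:
    """Fetch a global secret version with the Secret Manager client.

    Requires network access and the Secret Manager Secret Accessor role on the secret.
    A regional secret name (projects/.../locations/.../secrets/...) additionally needs
    the client configured for that location's regional endpoint.
    """
    from google.cloud import secretmanager  # imported lazily so the rest runs offline

    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


if __name__ == "__main__":
    print(validate_payload(SAMPLE_PAYLOAD))
    print(encode_rest_body(SAMPLE_PAYLOAD))
    # Stand-in fetcher; use secret_manager_fetch against a real project instead.
    print(resolve_references(SAMPLE_PAYLOAD, lambda name: "<value of %s>" % name))
```

Run validate_payload on the payload before passing it to gcloud or the REST API: the service stores whatever string you give it, so a mistyped resource name or a sixteenth reference is cheaper to catch here than when the application fails to resolve it later.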

To create a new version with the secret reference, use one of the following methods:

Global parameters

Console

  1. In the Google Cloud console, go to the Secret Manager page.

  2. Click Parameter Manager to go to the Parameter Manager page.

  3. Click the parameter name for which you want to add the new version. The parameter details are displayed.

  4. Click the Versions tab and then click New version. The Create parameter version page opens.

  5. Enter the version name. Parameter version names must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). Names cannot begin with a dash.

  6. In the Payload section, enter the parameter value containing the secret reference. Alternatively, you can upload a file containing the parameter value with the secret reference.

  7. Click Create.

gcloud

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID: the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_ID: the name of the parameter.
  • PARAMETER_PAYLOAD: the data, in plaintext, containing the secret references that you want to store within the parameter version.
  • PROJECT_ID: the Google Cloud project ID.

Execute the following command. The same command line works in Linux, macOS, Cloud Shell, Windows PowerShell, and Windows cmd.exe:

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=global --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

You should receive a response similar to the following:

Created parameterVersion [refv1].

REST

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the Google Cloud project ID.
  • PARAMETER_ID: the name of the parameter.
  • PARAMETER_VERSION_ID: the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_PAYLOAD: the data, as a Base64 encoded string, containing the secret references that you want to store within the parameter version.

HTTP method and URL:

POST https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID

Request JSON body:

{"payload": {"data": "PARAMETER_PAYLOAD"}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager.googleapis.com/v1/projects/PROJECT_ID/locations/global/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/production-1/locations/global/parameters/db_password_secret_ref/versions/refv1",
  "createTime": "2024-10-15T08:39:05.191747694Z",
  "updateTime": "2024-10-15T08:39:05.191747694Z"
}

C#

To run this code, first set up a C# development environment and install the Parameter Manager C# SDK (the Google.Cloud.ParameterManager.V1 package used below). On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


using Google.Cloud.ParameterManager.V1;
using Google.Protobuf;
using System;
using System.Text;

public class CreateParameterVersionWithSecretSample
{
    /// <summary>
    /// This function creates a parameter version with a JSON payload that includes a secret reference using the Parameter Manager SDK for GCP.
    /// </summary>
    /// <param name="projectId">The ID of the project where the parameter is located.</param>
    /// <param name="parameterId">The ID of the parameter for which the version is to be created.</param>
    /// <param name="versionId">The ID of the version to be created.</param>
    /// <param name="secretId">The ID of the secret to be referenced.</param>
    /// <returns>The created ParameterVersion object.</returns>
    public ParameterVersion CreateParameterVersionWithSecret(
        string projectId,
        string parameterId,
        string versionId,
        string secretId)
    {
        // Create the client.
        ParameterManagerClient client = ParameterManagerClient.Create();

        // Build the parent resource name.
        ParameterName parent = new ParameterName(projectId, "global", parameterId);

        // Convert the JSON payload to bytes.
        string payload = $"{{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/{secretId})\"}}";
        ByteString data = ByteString.CopyFrom(payload, Encoding.UTF8);

        // Build the parameter version with the JSON payload that includes a secret reference.
        ParameterVersion parameterVersion = new ParameterVersion
        {
            Payload = new ParameterVersionPayload
            {
                Data = data
            }
        };

        // Call the API to create the parameter version.
        ParameterVersion createdParameterVersion = client.CreateParameterVersion(parent, parameterVersion, versionId);

        // Print the created parameter version name.
        Console.WriteLine($"Created parameter version: {createdParameterVersion.Name}");

        // Return the created parameter version.
        return createdParameterVersion;
    }
}

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK (the cloud.google.com/go/parametermanager module imported below). On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
)

// createParamVersionWithSecret creates a new version of a parameter with a JSON payload that has a secret reference in it using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// parameterID: The ID of the parameter for which the version is to be created.
// versionID: The ID of the version to be created.
// secretID: The ID of the secret to be referenced.
//
// The function returns an error if the parameter version creation fails.
func createParamVersionWithSecret(w io.Writer, projectID, parameterID, versionID, secretID string) error {
	// Create a context and a Parameter Manager client.
	ctx := context.Background()
	client, err := parametermanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create Parameter Manager client: %w", err)
	}
	defer client.Close()

	// Construct the resource name of the parent parameter.
	parent := fmt.Sprintf("projects/%s/locations/global/parameters/%s", projectID, parameterID)

	payload := []byte(fmt.Sprintf(`{"username": "test-user","password": "__REF__(//secretmanager.googleapis.com/%s)"}`, secretID))

	// Build the request to create a new parameter version with the JSON payload that has a secret reference.
	req := &parametermanagerpb.CreateParameterVersionRequest{
		Parent:             parent,
		ParameterVersionId: versionID,
		ParameterVersion: &parametermanagerpb.ParameterVersion{
			Payload: &parametermanagerpb.ParameterVersionPayload{
				Data: payload,
			},
		},
	}

	// Call the API to create the parameter version.
	version, err := client.CreateParameterVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create parameter version: %w", err)
	}

	fmt.Fprintf(w, "Created parameter version with secret reference: %s\n", version.Name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Parameter Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.cloud.parametermanager.v1.ParameterVersion;
import com.google.cloud.parametermanager.v1.ParameterVersionPayload;
import com.google.protobuf.ByteString;
import java.io.IOException;

/**
 * This class demonstrates how to create a parameter version with a JSON payload that includes a
 * secret reference using the Parameter Manager SDK for GCP.
 */
public class CreateParamVersionWithSecret {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String parameterId = "your-parameter-id";
    String versionId = "your-version-id";
    String secretId = "projects/your-project-id/secrets/your-secret-id/versions/latest";

    // Call the method to create parameter version with JSON payload that includes a secret
    // reference.
    createParamVersionWithSecret(projectId, parameterId, versionId, secretId);
  }

  // This is an example snippet that creates a parameter version with a JSON payload that includes a
  // secret reference.
  public static ParameterVersion createParamVersionWithSecret(
      String projectId, String parameterId, String versionId, String secretId) throws IOException {
    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create()) {
      String locationId = "global";

      // Build the parameter name.
      ParameterName parameterName = ParameterName.of(projectId, locationId, parameterId);

      // Convert the JSON payload string to ByteString.
      String payload =
          String.format(
              "{\"username\": \"test-user\", "
                  + "\"password\": \"__REF__(//secretmanager.googleapis.com/%s)\"}",
              secretId);
      ByteString byteStringPayload = ByteString.copyFromUtf8(payload);

      // Create the parameter version payload with the secret reference.
      ParameterVersionPayload parameterVersionPayload =
          ParameterVersionPayload.newBuilder().setData(byteStringPayload).build();

      // Create the parameter version with the JSON payload.
      ParameterVersion parameterVersion =
          ParameterVersion.newBuilder().setPayload(parameterVersionPayload).build();

      // Create the parameter version in the Parameter Manager.
      ParameterVersion createdParameterVersion =
          client.createParameterVersion(parameterName.toString(), parameterVersion, versionId);
      System.out.printf("Created parameter version: %s\n", createdParameterVersion.getName());

      return createdParameterVersion;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Parameter Manager Node.js SDK (the @google-cloud/parametermanager package required below). On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const parameterId = 'YOUR_PARAMETER_ID';
// const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID';
// const secretId = 'YOUR_SECRET_ID'; // For example projects/my-project/secrets/application-secret/versions/latest

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Instantiates a client
const client = new ParameterManagerClient();

async function createParamVersionWithSecret() {
  // Construct the parent resource name
  const parent = client.parameterPath(projectId, 'global', parameterId);

  // Construct the JSON data with secret references
  const jsonData = {
    db_user: 'test_user',
    db_password: `__REF__(//secretmanager.googleapis.com/${secretId})`,
  };

  // Construct the parameter version
  const parameterVersion = {
    payload: {
      data: Buffer.from(JSON.stringify(jsonData), 'utf8'),
    },
  };

  // Construct the request
  const request = {
    parent: parent,
    parameterVersionId: parameterVersionId,
    parameterVersion: parameterVersion,
  };

  // Create the parameter version
  const [paramVersion] = await client.createParameterVersion(request);
  console.log(
    `Created parameter version with secret references: ${paramVersion.name}`
  );
  return paramVersion;
}

createParamVersionWithSecret().catch(err => {
  console.error(err);
  process.exitCode = 1;
});

PHP

To run this code, first learn about using PHP on Google Cloud and install the Parameter Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for creating a parameter version.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\CreateParameterVersionRequest;
use Google\Cloud\ParameterManager\V1\ParameterVersion;
use Google\Cloud\ParameterManager\V1\ParameterVersionPayload;

/**
 * Creates a parameter version with a secret reference.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $versionId The Version ID (e.g. 'my-param-version')
 * @param string $secretId The ID of the secret to be referenced (e.g. 'projects/my-project/secrets/my-secret/versions/latest')
 */
function create_param_version_with_secret(string $projectId, string $parameterId, string $versionId, string $secretId): void
{
    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient();

    // Build the resource name of the parent object.
    $parent = $client->parameterName($projectId, 'global', $parameterId);

    // Build payload.
    $payload = json_encode([
        'username' => 'test-user',
        'password' => sprintf('__REF__(//secretmanager.googleapis.com/%s)', $secretId)
    ], JSON_UNESCAPED_SLASHES);

    // Create a new ParameterVersionPayload object and set the payload with secret reference.
    $parameterVersionPayload = new ParameterVersionPayload();
    $parameterVersionPayload->setData($payload);

    // Create a new ParameterVersion object and set the payload.
    $parameterVersion = new ParameterVersion();
    $parameterVersion->setPayload($parameterVersionPayload);

    // Prepare the request with the parent and parameter version object.
    $request = (new CreateParameterVersionRequest())
        ->setParent($parent)
        ->setParameterVersionId($versionId)
        ->setParameterVersion($parameterVersion);

    // Call the API to create the parameter version.
    $newParameterVersion = $client->createParameterVersion($request);
    printf('Created parameter version: %s' . PHP_EOL, $newParameterVersion->getName());
}

Python

To run this code, first set up a Python development environment and install the Parameter Manager Python SDK (the google.cloud.parametermanager_v1 package imported below). On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

# Import the necessary library for Google Cloud Parameter Manager at module level,
# because the function's return annotation refers to it.
from google.cloud import parametermanager_v1
import json


def create_param_version_with_secret(
    project_id: str, parameter_id: str, version_id: str, secret_id: str
) -> parametermanager_v1.ParameterVersion:
    """
    Creates a new version of an existing parameter in the global location
    of the specified project using the Google Cloud Parameter Manager SDK.
    The payload is specified as a JSON string and
    includes a reference to a secret.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which the version is to be created.
        version_id (str): The ID of the version to be created.
        secret_id (str): The resource name of the secret version to be referenced.

    Returns:
        parametermanager_v1.ParameterVersion: An object representing the
        newly created parameter version.

    Example:
        create_param_version_with_secret(
            "my-project",
            "my-global-parameter",
            "v1",
            "projects/my-project/secrets/application-secret/versions/latest"
        )
    """
    # Create the Parameter Manager client.
    client = parametermanager_v1.ParameterManagerClient()

    # Build the resource name of the parameter.
    parent = client.parameter_path(project_id, "global", parameter_id)

    # Create the JSON payload with a secret reference.
    payload_dict = {
        "username": "test-user",
        "password": f"__REF__('//secretmanager.googleapis.com/{secret_id}')",
    }
    payload_json = json.dumps(payload_dict)

    # Define the parameter version creation request with the JSON payload.
    request = parametermanager_v1.CreateParameterVersionRequest(
        parent=parent,
        parameter_version_id=version_id,
        parameter_version=parametermanager_v1.ParameterVersion(
            payload=parametermanager_v1.ParameterVersionPayload(
                data=payload_json.encode("utf-8")
            )
        ),
    )

    # Create the parameter version.
    response = client.create_parameter_version(request=request)

    # Print the newly created parameter version name and return the version.
    print(f"Created parameter version: {response.name}")
    return response

Ruby

To run this code, first set up a Ruby development environment and install the Parameter Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Create a parameter version
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param version_id [String] The version name (e.g. "my-version")
# @param secret_id [String] The secret name
# (e.g. "projects/my-project/secrets/my-secret/versions/latest")
#
def create_param_version_with_secret project_id:, parameter_id:, version_id:, secret_id:
  # Create a Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager

  # Build the resource name of the parent parameter.
  parent = client.parameter_path project: project_id, location: "global", parameter: parameter_id

  payload = "{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/#{secret_id})\"}"
  parameter_version = {
    payload: {
      data: payload
    }
  }

  # Create the parameter version.
  param_version = client.create_parameter_version parent: parent, parameter_version_id: version_id,
                                                  parameter_version: parameter_version

  # Print the new parameter version name.
  puts "Created parameter version #{param_version.name}"
end

Regional parameters

Console

  1. In the Google Cloud console, go to the Secret Manager page.

  2. Click Parameter Manager to go to the Parameter Manager page.

  3. Click the parameter name for which you want to add the new version. The parameter details are displayed.

  4. Click the Versions tab and then click New version. The Create parameter version page opens.

  5. Enter the version name. Parameter version names must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). Names cannot begin with a dash.

  6. In the Payload section, enter the parameter value containing the secret reference. Alternatively, you can upload a file containing the parameter value with the secret reference.

  7. Click Create.

gcloud

Before using any of the command data below, make the following replacements:

  • PARAMETER_VERSION_ID: the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_ID: the name of the parameter.
  • LOCATION: the Google Cloud location of the parameter.
  • PARAMETER_PAYLOAD: the data, in plaintext, containing the secret references that you want to store within the parameter version.
  • PROJECT_ID: the Google Cloud project ID.

Execute the following command. The same command line works in Linux, macOS, Cloud Shell, Windows PowerShell, and Windows cmd.exe:

gcloud parametermanager parameters versions create PARAMETER_VERSION_ID --parameter=PARAMETER_ID --location=LOCATION --payload-data="PARAMETER_PAYLOAD" --project=PROJECT_ID

You should receive a response similar to the following:

Created parameterVersion [refv2].

REST

Before using any of the request data, make the following replacements:

  • LOCATION: the Google Cloud location of the parameter.
  • PROJECT_ID: the Google Cloud project ID.
  • PARAMETER_ID: the name of the parameter.
  • PARAMETER_VERSION_ID: the ID that you want to assign to the parameter version. Parameter version IDs must be 63 characters or less and consist only of alphanumeric characters (A-Z, a-z, 0-9), dashes (-), and underscores (_). IDs cannot begin with a dash.
  • PARAMETER_PAYLOAD: the data, as a Base64 encoded string, containing the secret references that you want to store within the parameter version.

HTTP method and URL:

POST https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID

Request JSON body:

{"payload": {"data": "PARAMETER_PAYLOAD"}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://parametermanager.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/parameters/PARAMETER_ID/versions?parameter_version_id=PARAMETER_VERSION_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "projects/production-1/locations/us-central1/parameters/db_password_secret_ref/versions/refv2",
  "createTime": "2024-10-15T08:39:05.191747694Z",
  "updateTime": "2024-10-15T08:39:05.191747694Z"
}

C#

To run this code, first set up a C# development environment and install the Parameter Manager C# SDK (the Google.Cloud.ParameterManager.V1 package used below). On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


using Google.Cloud.ParameterManager.V1;
using Google.Protobuf;
using System;
using System.Text;


public class CreateRegionalParameterVersionWithSecretSample
{
    /// <summary>
    /// This function creates a regional parameter version with a JSON payload that includes a secret reference using the Parameter Manager SDK for GCP.
    /// </summary>
    /// <param name="projectId">The ID of the project where the parameter is located.</param>
    /// <param name="locationId">The ID of the region where the parameter is located.</param>
    /// <param name="parameterId">The ID of the parameter for which the version is to be created.</param>
    /// <param name="versionId">The ID of the version to be created.</param>
    /// <param name="secretId">The ID of the secret to be referenced.</param>
    /// <returns>The created ParameterVersion object.</returns>
    public ParameterVersion CreateRegionalParameterVersionWithSecret(
        string projectId,
        string locationId,
        string parameterId,
        string versionId,
        string secretId)
    {
        // Define the regional endpoint
        string regionalEndpoint = $"parametermanager.{locationId}.rep.googleapis.com";

        // Create the client with the regional endpoint
        ParameterManagerClient client = new ParameterManagerClientBuilder
        {
            Endpoint = regionalEndpoint
        }.Build();

        // Build the parent resource name using ParameterName
        ParameterName parent = new ParameterName(projectId, locationId, parameterId);

        // Convert the JSON payload to bytes
        string payload = $"{{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/{secretId})\"}}";
        ByteString data = ByteString.CopyFrom(payload, Encoding.UTF8);

        // Build the parameter version with the JSON payload that includes a secret reference
        ParameterVersion parameterVersion = new ParameterVersion
        {
            Payload = new ParameterVersionPayload
            {
                Data = data
            }
        };

        // Call the API to create the parameter version
        ParameterVersion createdParameterVersion = client.CreateParameterVersion(parent, parameterVersion, versionId);

        // Print the created parameter version name
        Console.WriteLine($"created regional parameter version: {createdParameterVersion.Name}");

        // Return the created parameter version
        return createdParameterVersion;
    }
}

Go

To run this code, first set up a Go development environment and install the Parameter Manager Go SDK (the cloud.google.com/go/parametermanager module imported below). On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import (
	"context"
	"fmt"
	"io"

	parametermanager "cloud.google.com/go/parametermanager/apiv1"
	parametermanagerpb "cloud.google.com/go/parametermanager/apiv1/parametermanagerpb"
	"google.golang.org/api/option"
)

// createRegionalParamVersionWithSecret creates a new version of a regional parameter with a JSON payload that has a secret reference in it using the Parameter Manager SDK for GCP.
//
// w: The io.Writer object used to write the output.
// projectID: The ID of the project where the parameter is located.
// locationID: The ID of the region where the parameter is located.
// parameterID: The ID of the parameter for which the version is to be created.
// versionID: The ID of the version to be created.
// secretID: The ID of the secret to be referenced.
//
// The function returns an error if the parameter version creation fails.
func createRegionalParamVersionWithSecret(w io.Writer, projectID, locationID, parameterID, versionID, secretID string) error {
	// Create a context.
	ctx := context.Background()

	// Create a Parameter Manager client.
	endpoint := fmt.Sprintf("parametermanager.%s.rep.googleapis.com:443", locationID)
	client, err := parametermanager.NewClient(ctx, option.WithEndpoint(endpoint))
	if err != nil {
		return fmt.Errorf("failed to create parametermanager client: %w", err)
	}
	defer client.Close()

	// Construct the resource name of the parent regional parameter.
	parent := fmt.Sprintf("projects/%s/locations/%s/parameters/%s", projectID, locationID, parameterID)

	payload := []byte(fmt.Sprintf(`{"db_host": "localhost","db_password": "__REF__(//secretmanager.googleapis.com/%s)"}`, secretID))

	// Create a parameter version.
	req := &parametermanagerpb.CreateParameterVersionRequest{
		Parent:             parent,
		ParameterVersionId: versionID,
		ParameterVersion: &parametermanagerpb.ParameterVersion{
			Payload: &parametermanagerpb.ParameterVersionPayload{
				Data: payload,
			},
		},
	}
	version, err := client.CreateParameterVersion(ctx, req)
	if err != nil {
		return fmt.Errorf("failed to create parameter version: %w", err)
	}
	fmt.Fprintf(w, "Created regional parameter version with secret reference: %s\n", version.Name)
	return nil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


import com.google.cloud.parametermanager.v1.ParameterManagerClient;
import com.google.cloud.parametermanager.v1.ParameterManagerSettings;
import com.google.cloud.parametermanager.v1.ParameterName;
import com.google.cloud.parametermanager.v1.ParameterVersion;
import com.google.cloud.parametermanager.v1.ParameterVersionPayload;
import com.google.protobuf.ByteString;
import java.io.IOException;

/**
 * This class demonstrates how to create a regional parameter version with a JSON payload that
 * includes a secret reference using the Parameter Manager SDK for GCP.
 */
public class CreateRegionalParamVersionWithSecret {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String locationId = "your-location-id";
    String parameterId = "your-parameter-id";
    String versionId = "your-version-id";
    String secretId =
        "projects/your-project-id/locations/your-location-id"
            + "/secrets/your-secret-id/versions/latest";

    // Call the method to create a regional parameter version with JSON payload that includes a
    // secret reference.
    createRegionalParamVersionWithSecret(projectId, locationId, parameterId, versionId, secretId);
  }

  // This is an example snippet that creates a regional parameter version with a JSON payload that
  // includes a secret reference.
  public static ParameterVersion createRegionalParamVersionWithSecret(
      String projectId, String locationId, String parameterId, String versionId, String secretId)
      throws IOException {
    // Endpoint to call the regional parameter manager server
    String apiEndpoint = String.format("parametermanager.%s.rep.googleapis.com:443", locationId);
    ParameterManagerSettings parameterManagerSettings =
        ParameterManagerSettings.newBuilder().setEndpoint(apiEndpoint).build();

    // Initialize the client that will be used to send requests. This client only
    // needs to be created once, and can be reused for multiple requests.
    try (ParameterManagerClient client = ParameterManagerClient.create(parameterManagerSettings)) {
      // Build the parameter name.
      ParameterName parameterName = ParameterName.of(projectId, locationId, parameterId);

      // Convert the JSON payload string to ByteString.
      String payload =
          String.format(
              "{\"username\": \"test-user\","
                  + "\"password\": \"__REF__(//secretmanager.googleapis.com/%s)\"}",
              secretId);
      ByteString byteStringPayload = ByteString.copyFromUtf8(payload);

      // Create the parameter version payload with the secret reference.
      ParameterVersionPayload parameterVersionPayload =
          ParameterVersionPayload.newBuilder().setData(byteStringPayload).build();

      // Create the parameter version with the JSON payload.
      ParameterVersion parameterVersion =
          ParameterVersion.newBuilder().setPayload(parameterVersionPayload).build();

      // Create the parameter version in the Parameter Manager.
      ParameterVersion createdParameterVersion =
          client.createParameterVersion(parameterName.toString(), parameterVersion, versionId);
      System.out.printf(
          "Created regional parameter version: %s\n", createdParameterVersion.getName());

      return createdParameterVersion;
    }
  }
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const projectId = 'YOUR_PROJECT_ID';
// const locationId = 'us-central1';
// const parameterId = 'YOUR_PARAMETER_ID';
// const parameterVersionId = 'YOUR_PARAMETER_VERSION_ID';
// const secretId = 'YOUR_SECRET_ID'; // For example projects/my-project/secrets/application-secret/versions/latest

// Imports the Parameter Manager library
const {ParameterManagerClient} = require('@google-cloud/parametermanager');

// Adding the endpoint to call the regional parameter manager server
const options = {
  apiEndpoint: `parametermanager.${locationId}.rep.googleapis.com`,
};

// Instantiates a client with regional endpoint
const client = new ParameterManagerClient(options);

async function createRegionalParamVersionWithSecret() {
  // Construct the parent resource name
  const parent = client.parameterPath(projectId, locationId, parameterId);

  // Construct the payload JSON data with secret references
  const payloadData = {
    db_user: 'test_user',
    db_password: `__REF__("//secretmanager.googleapis.com/${secretId}")`,
  };

  // Construct the parameter version
  const parameterVersion = {
    payload: {
      data: Buffer.from(JSON.stringify(payloadData), 'utf8'),
    },
  };

  // Construct the request
  const request = {
    parent: parent,
    parameterVersionId: parameterVersionId,
    parameterVersion: parameterVersion,
  };

  // Create the regional parameter version
  const [paramVersion] = await client.createParameterVersion(request);
  console.log(
    `Created regional parameter version with secret: ${paramVersion.name}`
  );
  return paramVersion;
}

// Run the sample; a top-level `return await` is not valid outside an async function.
createRegionalParamVersionWithSecret().catch(err => {
  console.error(err.message);
  process.exitCode = 1;
});

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import necessary classes for creating a parameter version.
use Google\Cloud\ParameterManager\V1\Client\ParameterManagerClient;
use Google\Cloud\ParameterManager\V1\CreateParameterVersionRequest;
use Google\Cloud\ParameterManager\V1\ParameterVersion;
use Google\Cloud\ParameterManager\V1\ParameterVersionPayload;

/**
 * Creates a regional parameter version with a secret reference.
 *
 * @param string $projectId The Google Cloud Project ID (e.g. 'my-project')
 * @param string $locationId The Parameter Location (e.g. 'us-central1')
 * @param string $parameterId The Parameter ID (e.g. 'my-param')
 * @param string $versionId The Version ID (e.g. 'my-param-version')
 * @param string $secretId The ID of the secret to be referenced (e.g. 'projects/my-project/locations/us-central1/secrets/my-secret/versions/latest')
 */
function create_regional_param_version_with_secret(string $projectId, string $locationId, string $parameterId, string $versionId, string $secretId): void
{
    // Specify regional endpoint.
    $options = ['apiEndpoint' => "parametermanager.$locationId.rep.googleapis.com"];

    // Create a client for the Parameter Manager service.
    $client = new ParameterManagerClient($options);

    // Build the resource name of the parent object.
    $parent = $client->parameterName($projectId, $locationId, $parameterId);

    // Build payload.
    $payload = json_encode([
        'username' => 'test-user',
        'password' => sprintf('__REF__(//secretmanager.googleapis.com/%s)', $secretId)
    ], JSON_UNESCAPED_SLASHES);

    // Create a new ParameterVersionPayload object and set the payload with secret reference.
    $parameterVersionPayload = new ParameterVersionPayload();
    $parameterVersionPayload->setData($payload);

    // Create a new ParameterVersion object and set the payload.
    $parameterVersion = new ParameterVersion();
    $parameterVersion->setPayload($parameterVersionPayload);

    // Prepare the request with the parent and parameter version object.
    $request = (new CreateParameterVersionRequest())
        ->setParent($parent)
        ->setParameterVersionId($versionId)
        ->setParameterVersion($parameterVersion);

    // Call the API to create the parameter version.
    $newParameterVersion = $client->createParameterVersion($request);
    printf('Created regional parameter version: %s' . PHP_EOL, $newParameterVersion->getName());
}

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import json

# Import the necessary library for Google Cloud Parameter Manager at module level so
# the return annotation below can be resolved when the function is defined.
from google.cloud import parametermanager_v1


def create_regional_param_version_with_secret(
    project_id: str,
    location_id: str,
    parameter_id: str,
    version_id: str,
    secret_id: str,
) -> parametermanager_v1.ParameterVersion:
    """
    Creates a new version of an existing parameter in the specified region
    of the specified project using the Google Cloud Parameter Manager SDK.
    The payload is specified as a JSON string and
    includes a reference to a secret.

    Args:
        project_id (str): The ID of the project where the parameter is located.
        location_id (str): The ID of the region where the parameter is located.
        parameter_id (str): The ID of the parameter for
        which the version is to be created.
        version_id (str): The ID of the version to be created.
        secret_id (str): The ID of the secret to be referenced.

    Returns:
        parametermanager_v1.ParameterVersion: An object representing the
        newly created parameter version.

    Example:
        create_regional_param_version_with_secret(
            "my-project",
            "us-central1",
            "my-regional-parameter",
            "v1",
            "projects/my-project/locations/us-central1/secrets/application-secret/versions/latest",
        )
    """
    # Create the Parameter Manager client with the regional endpoint.
    api_endpoint = f"parametermanager.{location_id}.rep.googleapis.com"
    client = parametermanager_v1.ParameterManagerClient(
        client_options={"api_endpoint": api_endpoint}
    )

    # Build the resource name of the parameter.
    parent = client.parameter_path(project_id, location_id, parameter_id)

    # Create the JSON payload with a secret reference.
    payload_dict = {
        "username": "test-user",
        "password": f"__REF__('//secretmanager.googleapis.com/{secret_id}')",
    }
    payload_json = json.dumps(payload_dict)

    # Define the parameter version creation request with the JSON payload.
    request = parametermanager_v1.CreateParameterVersionRequest(
        parent=parent,
        parameter_version_id=version_id,
        parameter_version=parametermanager_v1.ParameterVersion(
            payload=parametermanager_v1.ParameterVersionPayload(
                data=payload_json.encode("utf-8")
            )
        ),
    )

    # Create the parameter version.
    response = client.create_parameter_version(request=request)

    # Print the newly created parameter version name and return it to the caller.
    print(f"Created regional parameter version: {response.name}")
    return response

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

require "google/cloud/parameter_manager"

##
# Create a regional parameter version
#
# @param project_id [String] The Google Cloud project (e.g. "my-project")
# @param location_id [String] The location name (e.g. "us-central1")
# @param parameter_id [String] The parameter name (e.g. "my-parameter")
# @param version_id [String] The version name (e.g. "my-version")
# @param secret_id [String] The secret name
# (e.g. "projects/my-project/locations/us-central1/secrets/my-secret/versions/latest")
#
def create_regional_param_version_with_secret project_id:, location_id:, parameter_id:, version_id:, secret_id:
  # Endpoint for the regional parameter manager service.
  api_endpoint = "parametermanager.#{location_id}.rep.googleapis.com"

  # Create the Parameter Manager client.
  client = Google::Cloud::ParameterManager.parameter_manager do |config|
    config.endpoint = api_endpoint
  end

  # Build the resource name of the parent parameter.
  parent = client.parameter_path project: project_id, location: location_id, parameter: parameter_id

  payload = "{\"username\": \"test-user\", \"password\": \"__REF__(//secretmanager.googleapis.com/#{secret_id})\"}"
  parameter_version = {
    payload: {
      data: payload
    }
  }

  # Create the parameter version.
  param_version = client.create_parameter_version parent: parent, parameter_version_id: version_id,
                                                  parameter_version: parameter_version

  # Print the new parameter version name.
  puts "Created regional parameter version #{param_version.name}"
end
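Every sample above builds the same artifact: a JSON payload in which the sensitive field holds a `__REF__(//secretmanager.googleapis.com/...)` marker instead of a value. What none of them shows is the check worth running before calling the create call: that each reference is a well-formed Secret Manager version name in the project you expect, that the version stays within the per-version reference limit (15), and that no sensitive-looking key still carries an inline literal. The following Python is an added example, not part of this page's samples or of the Parameter Manager SDK; the function names, the `SENSITIVE_KEYS` heuristic and the payloads are assumptions made here, and it uses only the standard library so it runs offline.

```python
import json
import re

# Secret Manager version name as it appears inside a __REF__ marker. Regional
# secrets carry a locations/ segment; global secrets do not (assumed grammar).
_SECRET_RE = re.compile(
    r"^projects/[^/]+(?:/locations/[^/]+)?/secrets/[^/]+/versions/[^/]+$"
)
# The marker forms used by the samples on this page: the resource may be bare,
# or wrapped in single or double quotes (the backreference enforces matching quotes).
_REF_RE = re.compile(
    r"""^__REF__\((['"]?)//secretmanager\.googleapis\.com/(.+?)\1\)$"""
)

MAX_REFS_PER_VERSION = 15  # per-version limit documented for Parameter Manager

# Keys whose string values should be references, never literals (heuristic, assumed).
SENSITIVE_KEYS = ("password", "secret", "token", "api_key", "apikey", "private_key")


def secret_ref(secret_name: str) -> str:
    """Return the __REF__ marker for a Secret Manager version name, rejecting malformed names."""
    if not _SECRET_RE.match(secret_name):
        raise ValueError(f"not a Secret Manager version name: {secret_name!r}")
    return f"__REF__(//secretmanager.googleapis.com/{secret_name})"


def build_payload(fields: dict) -> bytes:
    """Serialize a config dict to the UTF-8 JSON bytes a ParameterVersionPayload carries."""
    return json.dumps(fields).encode("utf-8")


def _walk(node, path, visit):
    """Depth-first walk over a decoded JSON document, calling visit(path, key, value)."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            visit(child, key, value)
            _walk(value, child, visit)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            child = f"{path}[{i}]"
            visit(child, None, value)
            _walk(value, child, visit)


def find_secret_refs(payload: bytes) -> list:
    """Return (json_path, secret_name) for every __REF__ string in the payload."""
    refs = []

    def visit(path, _key, value):
        if isinstance(value, str):
            m = _REF_RE.match(value)
            if m:
                refs.append((path, m.group(2)))

    _walk(json.loads(payload), "$", visit)
    return refs


def lint_payload(payload: bytes, expected_project: str) -> list:
    """Return a list of findings; an empty list means the payload passed every check."""
    findings = []
    refs = find_secret_refs(payload)
    if len(refs) > MAX_REFS_PER_VERSION:
        findings.append(
            f"{len(refs)} secret references exceeds the limit of {MAX_REFS_PER_VERSION}"
        )
    for path, name in refs:
        if not _SECRET_RE.match(name):
            findings.append(f"{path}: malformed secret name {name!r}")
        elif not name.startswith(f"projects/{expected_project}/"):
            findings.append(f"{path}: references a secret outside project {expected_project}")

    def visit(path, key, value):
        # A sensitive-looking key holding a plain string (not a marker) is a leaked literal.
        if (
            isinstance(key, str)
            and isinstance(value, str)
            and any(s in key.lower() for s in SENSITIVE_KEYS)
            and not _REF_RE.match(value)
        ):
            findings.append(f"{path}: looks like an inline secret; use a __REF__ marker")

    _walk(json.loads(payload), "$", visit)
    return findings
```

Run `lint_payload` on the bytes you are about to place in `ParameterVersionPayload.data`; a non-empty result is a reason not to create the version. The quoted and unquoted marker forms are both accepted because the page's samples use both.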

Grant the Secret Manager Secret Accessor role to the parameter

To let a parameter access a secret stored in Secret Manager, grant the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor) to the parameter. This gives the parameter permission to read the secret's value. Parameters are resources with built-in identities, which means that you must grant the IAM role using the resource's principal identifier. Refer to the following example to grant the role using the Google Cloud CLI:

gcloud

Before using any of the command data below, make the following replacements:

  • PROJECT_ID: the ID of the project containing the secret
  • SECRET_ID: the ID of the secret or fully qualified identifier for the secret
  • PROJECT_NUMBER: the project number of the Google Cloud project where the parameter is stored
  • PARAMETER_UID: the system-generated unique ID of the parameter

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud secrets add-iam-policy-binding projects/PROJECT_ID/secrets/SECRET_ID --member="principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID" --role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud secrets add-iam-policy-binding projects/PROJECT_ID/secrets/SECRET_ID --member="principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID" --role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud secrets add-iam-policy-binding projects/PROJECT_ID/secrets/SECRET_ID --member="principal://parametermanager.googleapis.com/projects/PROJECT_NUMBER/uid/locations/global/parameters/PARAMETER_UID" --role="roles/secretmanager.secretAccessor"

You should receive a response similar to the following:

Updated IAM policy for secret [db_password].
bindings:
- members:
  - principal://parametermanager.googleapis.com/projects/609765466568/uid/locations/global/parameters/3fe3492e-a0da-4447-8d6b-68b4594b7243
  role: roles/secretmanager.secretAccessor
etag: BwYkj3X1kGo=
version: 1

For information on rendering secret references when retrieving parameter payloads, see Render secrets referenced within a parameter version.

What's next