Stay organized with collections
Save and categorize content based on your preferences.
This page explains the key differences between the global and regional service of
Secret Manager.
The global service is the default configuration for Secret Manager.
You can start using the service with default settings and the standard API endpoint.
The secret data is replicated across multiple regions and secrets can be accessed
from any region where Google Cloud platform operates.
For organizations with stringent data sovereignty and compliance
requirements, Secret Manager offers a regional service where you can
choose to store your data solely within specific geographical
locations or data residency zones (DRZs). Secrets can only be accessed from
within that specific region. To access the regional service, you'll require
a regional endpoint associated with the data residency zone.
The following table explains the key differences between the global and
regional service.
Data is stored in a single location. Complete data residency zone (DRZ) compliance with
data at-rest, in-use, and in-transit.
Endpoints
Single, global endpoint
Regional endpoints
Cross-region access
Possible with both user managed replication and automatic replication.
Not possible. Secret data is tightly restricted to your region of choice
and doesn't flow outside its boundaries.
Use cases
General secret management
Your data doesn't have to be stored in a specific region.
You are only concerned with availability and latency of data, and not regulatory requirements.
Strict data residency requirements
Your data must be stored in a specific region.
You want to restrict movement of your sensitive data within that specific boundary,
Not all organizations are subject to stringent DRZ regulations on where data is
stored or accessed, and not all data might fall into the sensitive category to
be subject to the DRZ regulations. So depending upon the sensitivity of the data
being handled, you can choose either between the regional or global service.
If your organization must adhere to specific data residency regulations, choose
the regional service as it ensures that your secret data doesn't leave the designated
region. If your application requires high availability and the ability to access
secrets from anywhere, the global service might be more suitable due to its
multi-region replication.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Compare global and regional service\n\nThis page explains the key differences between the global and regional service of\nSecret Manager.\n\nThe *global* service is the default configuration for Secret Manager.\nYou can start using the service with default settings and the standard API endpoint.\nThe secret data is replicated across multiple regions and secrets can be accessed\nfrom any region where Google Cloud platform operates.\n\nFor organizations with stringent data sovereignty and compliance\nrequirements, Secret Manager offers a *regional* service where you can\nchoose to store your data solely within specific geographical\nlocations or data residency zones (DRZs). Secrets can only be accessed from\nwithin that specific region. To access the regional service, you'll require\na regional endpoint associated with the data residency zone.\n\nThe following table explains the key differences between the global and\nregional service.\n\nNot all organizations are subject to stringent DRZ regulations on where data is\nstored or accessed, and not all data might fall into the sensitive category to\nbe subject to the DRZ regulations. So depending upon the sensitivity of the data\nbeing handled, you can choose either between the regional or global service.\n\nIf your organization must adhere to specific data residency regulations, choose\nthe regional service as it ensures that your secret data doesn't leave the designated\nregion. If your application requires high availability and the ability to access\nsecrets from anywhere, the global service might be more suitable due to its\nmulti-region replication.\n\nFor information about the global Secret Manager service, see the\n[global service documentation](/secret-manager/docs/overview).\n\nWhat's next\n-----------\n\n- [Enable the Secret Manager API](/secret-manager/regional-secrets/config-sm-rs)\n- [Create a regional secret](/secret-manager/regional-secrets/create-regional-secret)\n- [Add CMEK encryption to regional secrets](/secret-manager/regional-secrets/create-secret-cmek-encryption)"]]
