On January 1, 2020 this library will no longer support Python 2 on the latest released version. Previously released library versions will continue to be available. For more information please visit Python 2 support on Google Cloud.

Client for Secret Manager API

class google.cloud.secretmanager_v1.SecretManagerServiceClient(transport=None, channel=None, credentials=None, client_config=None, client_info=None, client_options=None)[source]

Secret Manager Service

Manages secrets and operations using those secrets. Implements a REST model with the following objects:

  • Secret

  • SecretVersion

Constructor.

Parameters
  • transport (Union[SecretManagerServiceGrpcTransport, Callable[[~.Credentials, type], ~.SecretManagerServiceGrpcTransport]]) – A transport instance, responsible for actually making the API calls. The default transport uses the gRPC protocol. This argument may also be a callable which returns a transport instance. Callables will be sent the credentials as the first argument and the default transport class as the second argument.

  • channel (grpc.Channel) – DEPRECATED. A Channel instance through which to make calls. This argument is mutually exclusive with credentials; providing both will raise an exception.

  • credentials (google.auth.credentials.Credentials) – The authorization credentials to attach to requests. These credentials identify this application to the service. If none are specified, the client will attempt to ascertain the credentials from the environment. This argument is mutually exclusive with providing a transport instance to transport; doing so will raise an exception.

  • client_config (dict) – DEPRECATED. A dictionary of call options for each method. If not specified, the default configuration is used.

  • client_info (google.api_core.gapic_v1.client_info.ClientInfo) – The client info used to send a user-agent string along with API requests. If None, then default info will be used. Generally, you only need to set this if you’re developing your own client library.

  • client_options (Union[dict, google.api_core.client_options.ClientOptions]) – Client options used to set user options on the client. API Endpoint should be set through client_options.

access_secret_version(name, retry=<object object>, timeout=<object object>, metadata=None)[source]

Accesses a SecretVersion. This call returns the secret data.

projects/*/secrets/*/versions/latest is an alias to the latest SecretVersion.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> name = client.secret_version_path('[PROJECT]', '[SECRET]', '[SECRET_VERSION]')
>>>
>>> response = client.access_secret_version(name)
Parameters
  • name (str) – Required. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/*.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

An AccessSecretVersionResponse instance.

Raises
add_secret_version(parent, payload, retry=<object object>, timeout=<object object>, metadata=None)[source]

Creates a new SecretVersion containing secret data and attaches it to an existing Secret.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> parent = client.secret_path('[PROJECT]', '[SECRET]')
>>>
>>> # TODO: Initialize `payload`:
>>> payload = {}
>>>
>>> response = client.add_secret_version(parent, payload)
Parameters
  • parent (str) – Required. The resource name of the Secret to associate with the SecretVersion in the format projects/*/secrets/*.

  • payload (Union[dict, SecretPayload]) –

    Required. The secret payload of the SecretVersion.

    If a dict is provided, it must be of the same form as the protobuf message SecretPayload

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A SecretVersion instance.

Raises
create_secret(parent, secret_id, secret, retry=<object object>, timeout=<object object>, metadata=None)[source]

Creates a new Secret containing no SecretVersions.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> parent = client.project_path('[PROJECT]')
>>>
>>> # TODO: Initialize `secret_id`:
>>> secret_id = ''
>>>
>>> # TODO: Initialize `secret`:
>>> secret = {}
>>>
>>> response = client.create_secret(parent, secret_id, secret)
Parameters
  • parent (str) – Required. The resource name of the project to associate with the Secret, in the format projects/*.

  • secret_id (str) –

    Required. This must be unique within the project.

    A secret ID is a string with a maximum length of 255 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (-) and underscore (_) characters.

  • secret (Union[dict, Secret]) –

    Required. A Secret with initial field values.

    If a dict is provided, it must be of the same form as the protobuf message Secret

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A Secret instance.

Raises
delete_secret(name, retry=<object object>, timeout=<object object>, metadata=None)[source]

Deletes a Secret.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> name = client.secret_path('[PROJECT]', '[SECRET]')
>>>
>>> client.delete_secret(name)
Parameters
  • name (str) – Required. The resource name of the Secret to delete in the format projects/*/secrets/*.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Raises
destroy_secret_version(name, retry=<object object>, timeout=<object object>, metadata=None)[source]

Destroys a SecretVersion.

Sets the state of the SecretVersion to DESTROYED and irrevocably destroys the secret data.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> name = client.secret_version_path('[PROJECT]', '[SECRET]', '[SECRET_VERSION]')
>>>
>>> response = client.destroy_secret_version(name)
Parameters
  • name (str) – Required. The resource name of the SecretVersion to destroy in the format projects/*/secrets/*/versions/*.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A SecretVersion instance.

Raises
disable_secret_version(name, retry=<object object>, timeout=<object object>, metadata=None)[source]

Disables a SecretVersion.

Sets the state of the SecretVersion to DISABLED.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> name = client.secret_version_path('[PROJECT]', '[SECRET]', '[SECRET_VERSION]')
>>>
>>> response = client.disable_secret_version(name)
Parameters
  • name (str) – Required. The resource name of the SecretVersion to disable in the format projects/*/secrets/*/versions/*.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A SecretVersion instance.

Raises
enable_secret_version(name, retry=<object object>, timeout=<object object>, metadata=None)[source]

Enables a SecretVersion.

Sets the state of the SecretVersion to ENABLED.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> name = client.secret_version_path('[PROJECT]', '[SECRET]', '[SECRET_VERSION]')
>>>
>>> response = client.enable_secret_version(name)
Parameters
  • name (str) – Required. The resource name of the SecretVersion to enable in the format projects/*/secrets/*/versions/*.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A SecretVersion instance.

Raises
enums = <module 'google.cloud.secretmanager_v1.gapic.enums' from '/tmpfs/src/github/python-secret-manager/google/cloud/secretmanager_v1/gapic/enums.py'>
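
The version states set by enable_secret_version, disable_secret_version and destroy_secret_version can be combined into a rotation routine that keeps the irrevocable step separate from the reversible one. The following is an added example, not code from this library: `rotate`, `FakeClient` and `demo` are hypothetical names, the resource name is constructed, and `FakeClient` is an in-memory stand-in so the logic runs offline; a real SecretManagerServiceClient can be passed to `rotate` instead.

```python
from types import SimpleNamespace

# Numeric values of enums.SecretVersion.State in the v1 API.
ENABLED, DISABLED, DESTROYED = 1, 2, 3


def rotate(client, parent, new_data, destroy_disabled=False):
    """Add new_data as a new SecretVersion of `parent`, then retire older ones.

    Older ENABLED versions are only disabled, which enable_secret_version can
    undo. Versions already DISABLED by an earlier rotation are destroyed only
    when destroy_disabled is set, because destruction is irrevocable.
    Returns (new_version_name, disabled_names, destroyed_names).
    """
    # Add first: if this call fails, no existing version has been touched.
    # The dict mirrors the SecretPayload message, whose bytes field is `data`.
    new = client.add_secret_version(parent, {"data": new_data})
    disabled, destroyed = [], []
    for version in client.list_secret_versions(parent):
        if version.name == new.name:
            continue
        if version.state == ENABLED:
            client.disable_secret_version(version.name)
            disabled.append(version.name)
        elif version.state == DISABLED and destroy_disabled:
            client.destroy_secret_version(version.name)
            destroyed.append(version.name)
    return new.name, disabled, destroyed


class FakeClient:
    """Constructed in-memory stand-in exposing the four methods used above."""

    def __init__(self):
        self.versions = []

    def add_secret_version(self, parent, payload):
        name = "%s/versions/%d" % (parent, len(self.versions) + 1)
        version = SimpleNamespace(name=name, state=ENABLED, data=payload["data"])
        self.versions.append(version)
        return version

    def list_secret_versions(self, parent):
        prefix = parent + "/versions/"
        return [v for v in self.versions if v.name.startswith(prefix)]

    def _set_state(self, name, state):
        version = next(v for v in self.versions if v.name == name)
        version.state = state
        if state == DESTROYED:
            version.data = None  # the secret data is gone for good
        return version

    def disable_secret_version(self, name):
        return self._set_state(name, DISABLED)

    def destroy_secret_version(self, name):
        return self._set_state(name, DESTROYED)


def demo():
    """Three rotations of a constructed secret; returns (version, state) pairs."""
    client = FakeClient()
    parent = "projects/example-project/secrets/db-password"  # constructed name
    rotate(client, parent, b"first")
    rotate(client, parent, b"second")
    rotate(client, parent, b"third", destroy_disabled=True)
    return [(v.name.rsplit("/", 1)[1], v.state) for v in client.versions]


if __name__ == "__main__":
    print(demo())
```
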
classmethod from_service_account_file(filename, *args, **kwargs)[source]

Creates an instance of this client using the provided credentials file.

Parameters
  • filename (str) – The path to the service account private key json file.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

SecretManagerServiceClient

classmethod from_service_account_json(filename, *args, **kwargs)

Creates an instance of this client using the provided credentials file.

Parameters
  • filename (str) – The path to the service account private key json file.

  • args – Additional arguments to pass to the constructor.

  • kwargs – Additional arguments to pass to the constructor.

Returns

The constructed client.

Return type

SecretManagerServiceClient

get_iam_policy(resource, options_=None, retry=<object object>, timeout=<object object>, metadata=None)[source]

Gets the access control policy for a secret. Returns empty policy if the secret exists and does not have a policy set.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> # TODO: Initialize `resource`:
>>> resource = ''
>>>
>>> response = client.get_iam_policy(resource)
Parameters
  • resource (str) – REQUIRED: The resource for which the policy is being requested. See the operation documentation for the appropriate value for this field.

  • options_ (Union[dict, GetPolicyOptions]) –

    OPTIONAL: A GetPolicyOptions object for specifying options to GetIamPolicy. This field is only used by Cloud IAM.

    If a dict is provided, it must be of the same form as the protobuf message GetPolicyOptions

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A Policy instance.

Raises
get_secret(name, retry=<object object>, timeout=<object object>, metadata=None)[source]

Gets metadata for a given Secret.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> name = client.secret_path('[PROJECT]', '[SECRET]')
>>>
>>> response = client.get_secret(name)
Parameters
  • name (str) – Required. The resource name of the Secret, in the format projects/*/secrets/*.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A Secret instance.

Raises
get_secret_version(name, retry=<object object>, timeout=<object object>, metadata=None)[source]

Gets metadata for a SecretVersion.

projects/*/secrets/*/versions/latest is an alias to the latest SecretVersion.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> name = client.secret_version_path('[PROJECT]', '[SECRET]', '[SECRET_VERSION]')
>>>
>>> response = client.get_secret_version(name)
Parameters
  • name (str) – Required. The resource name of the SecretVersion in the format projects/*/secrets/*/versions/*. projects/*/secrets/*/versions/latest is an alias to the latest SecretVersion.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A SecretVersion instance.

Raises
list_secret_versions(parent, page_size=None, retry=<object object>, timeout=<object object>, metadata=None)[source]

Lists SecretVersions. This call does not return secret data.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> parent = client.secret_path('[PROJECT]', '[SECRET]')
>>>
>>> # Iterate over all results
>>> for element in client.list_secret_versions(parent):
...     # process element
...     pass
>>>
>>>
>>> # Alternatively:
>>>
>>> # Iterate over results one page at a time
>>> for page in client.list_secret_versions(parent).pages:
...     for element in page:
...         # process element
...         pass
Parameters
  • parent (str) – Required. The resource name of the Secret associated with the SecretVersions to list, in the format projects/*/secrets/*.

  • page_size (int) – The maximum number of resources contained in the underlying API response. If page streaming is performed per-resource, this parameter does not affect the return value. If page streaming is performed per-page, this determines the maximum number of resources in a page.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A PageIterator instance. An iterable of SecretVersion instances. You can also iterate over the pages of the response using its pages property.

Raises
list_secrets(parent, page_size=None, retry=<object object>, timeout=<object object>, metadata=None)[source]

Lists Secrets.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> parent = client.project_path('[PROJECT]')
>>>
>>> # Iterate over all results
>>> for element in client.list_secrets(parent):
...     # process element
...     pass
>>>
>>>
>>> # Alternatively:
>>>
>>> # Iterate over results one page at a time
>>> for page in client.list_secrets(parent).pages:
...     for element in page:
...         # process element
...         pass
Parameters
  • parent (str) – Required. The resource name of the project associated with the Secrets, in the format projects/*.

  • page_size (int) – The maximum number of resources contained in the underlying API response. If page streaming is performed per-resource, this parameter does not affect the return value. If page streaming is performed per-page, this determines the maximum number of resources in a page.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A PageIterator instance. An iterable of Secret instances. You can also iterate over the pages of the response using its pages property.

Raises
classmethod project_path(project)[source]

Return a fully-qualified project string.

classmethod secret_path(project, secret)[source]

Return a fully-qualified secret string.

classmethod secret_version_path(project, secret, secret_version)[source]

Return a fully-qualified secret_version string.
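
When a secret ID or resource name comes from outside the program, it can be checked against the rules on this page before it reaches the path helpers or an API call: the secret ID character set and length given under create_secret, and the projects/\*/secrets/\* and projects/\*/secrets/\*/versions/\* formats. The following is an added example, not part of this library; `is_valid_secret_id` and `parse_resource_name` are hypothetical names, the sample names are constructed, and it assumes that version IDs other than the latest alias are decimal integers.

```python
import re

# Rule quoted under create_secret: at most 255 characters drawn from
# letters, numerals, hyphen and underscore.
SECRET_ID = r"[A-Za-z0-9_-]{1,255}"
SECRET_ID_RE = re.compile(SECRET_ID)

# projects/*/secrets/* with an optional /versions/* suffix. The project
# segment is only required to be a single path segment without whitespace.
# Assumption: a version is either the alias "latest" or a decimal integer.
NAME_RE = re.compile(
    r"projects/(?P<project>[^/\s]+)"
    r"/secrets/(?P<secret>" + SECRET_ID + r")"
    r"(?:/versions/(?P<version>latest|[0-9]+))?"
)


def is_valid_secret_id(secret_id):
    """True if secret_id satisfies the create_secret rule.

    An ID containing '/' is rejected, so it cannot add extra path segments
    when it is later formatted into a resource name.
    """
    return SECRET_ID_RE.fullmatch(secret_id) is not None


def parse_resource_name(name):
    """Split a Secret or SecretVersion resource name into its parts.

    Returns a dict with project, secret, version and kind, where kind is
    "secret" (no version part), "alias" (versions/latest, which resolves to
    whatever version is newest at call time) or "pinned" (a fixed version).
    Raises ValueError for anything outside the documented formats.
    """
    match = NAME_RE.fullmatch(name)
    if match is None:
        raise ValueError("not a Secret or SecretVersion name: %r" % (name,))
    parts = match.groupdict()
    if parts["version"] is None:
        parts["kind"] = "secret"
    elif parts["version"] == "latest":
        parts["kind"] = "alias"
    else:
        parts["kind"] = "pinned"
    return parts


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "projects/example-project/secrets/db-password",
        "projects/example-project/secrets/db-password/versions/latest",
        "projects/example-project/secrets/db-password/versions/7",
    ):
        print(parse_resource_name(sample))
    print(is_valid_secret_id("db/versions/latest"))
```
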

set_iam_policy(resource, policy, retry=<object object>, timeout=<object object>, metadata=None)[source]

Sets the access control policy on the specified secret. Replaces any existing policy.

Permissions on SecretVersions are enforced according to the policy set on the associated Secret.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> # TODO: Initialize `resource`:
>>> resource = ''
>>>
>>> # TODO: Initialize `policy`:
>>> policy = {}
>>>
>>> response = client.set_iam_policy(resource, policy)
Parameters
  • resource (str) – REQUIRED: The resource for which the policy is being specified. See the operation documentation for the appropriate value for this field.

  • policy (Union[dict, Policy]) –

    REQUIRED: The complete policy to be applied to the resource. The size of the policy is limited to a few 10s of KB. An empty policy is a valid policy but certain Cloud Platform services (such as Projects) might reject them.

    If a dict is provided, it must be of the same form as the protobuf message Policy

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A Policy instance.

Raises
test_iam_permissions(resource, permissions, retry=<object object>, timeout=<object object>, metadata=None)[source]

Returns permissions that a caller has for the specified secret. If the secret does not exist, this call returns an empty set of permissions, not a NOT_FOUND error.

Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may “fail open” without warning.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> # TODO: Initialize `resource`:
>>> resource = ''
>>>
>>> # TODO: Initialize `permissions`:
>>> permissions = []
>>>
>>> response = client.test_iam_permissions(resource, permissions)
Parameters
  • resource (str) – REQUIRED: The resource for which the policy detail is being requested. See the operation documentation for the appropriate value for this field.

  • permissions (list[str]) – The set of permissions to check for the resource. Permissions with wildcards (such as ‘*’ or ‘storage.*’) are not allowed. For more information see IAM Overview.

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A TestIamPermissionsResponse instance.

Raises
update_secret(secret, update_mask, retry=<object object>, timeout=<object object>, metadata=None)[source]

Updates metadata of an existing Secret.

Example

>>> from google.cloud import secretmanager_v1
>>>
>>> client = secretmanager_v1.SecretManagerServiceClient()
>>>
>>> # TODO: Initialize `secret`:
>>> secret = {}
>>>
>>> # TODO: Initialize `update_mask`:
>>> update_mask = {}
>>>
>>> response = client.update_secret(secret, update_mask)
Parameters
  • secret (Union[dict, Secret]) –

    Required. Secret with updated field values.

    If a dict is provided, it must be of the same form as the protobuf message Secret

  • update_mask (Union[dict, FieldMask]) –

    Required. Specifies the fields to be updated.

    If a dict is provided, it must be of the same form as the protobuf message FieldMask

  • retry (Optional[google.api_core.retry.Retry]) – A retry object used to retry requests. If None is specified, requests will be retried using a default configuration.

  • timeout (Optional[float]) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (Optional[Sequence[Tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

A Secret instance.

Raises