- Home
- Secret Manager
- Documentation
- Guides
Secret Manager is a secrets and credential management servicethat lets you store and manage sensitive data such as API keys, usernames, passwords,certificates, and more.
A secret is a global resource that contains a collection ofmetadata and secret versions. The metadata can include replication locations,labels, annotations, and permissions. Secret versionsstore the actual secret payload, such as an API key or credential.
Using Secret Manager, you can do the following:
Manage rollback, recovery, and auditing using versions: Versions help youmanage gradual rollouts and emergency rollback, If a secret is accidentally changedor compromised, you can revert to a previous, known-good version. This minimizespotential downtime and security breaches. Versioning maintains a historical recordof changes made to a secret, including who made the changes and when. It helps youaudit secret data and track any unauthorized access attempts. You can pin secretversions to specific workloads and add aliasesfor easier access to secret data. You can also disable ordestroy secret versions thatyou don't require.
Encrypt your secret data in transit and at rest: All secrets are encryptedby default, both in transit using TLS and at rest with AES-256-bit encryptionkeys. For those requiring more granular control, you can encrypt your secret datawith Customer-Managed Encryption Keys (CMEK). UsingCMEK, you can generate new encryption keys or import existing ones to meet your specificrequirements.
Manage access to secrets using fine-grained Identity and Access Management (IAM) roles and conditions:With IAM roles and permissions,you can provide granular access to specificSecret Manager resources. You can segregate responsibilities for accessing,managing, auditing, and rotating secrets.
Ensure high availability and disaster recovery with secret replication: Youcan replicate your secrets across multipleregions to ensure high availability and disaster recovery for your applicationsregardless of their geographic location. You can choose between the following replication policies:
- Automatic: Google decides the regionsconsidering availability and latency. You are only charged for one location.
- User Managed: You canselect a custom set of regions depending on your requirements. You are charged per location.
Rotate secrets automatically to meet your security and compliance requirements:Rotating your secrets protects againstunauthorized access and data breaches. Regularly changing your secrets reduces the riskof stale or forgotten secrets and ensures compliance with many regulatory frameworksthat require periodic rotation of sensitive credentials.
Enforce data residency using regional secrets(Preview):Data residency requiresthat certain types of data, often belonging to specific individuals ororganizations, be stored within a defined geographic location. You can createregional secrets and storeyour sensitive data within a specific location to comply with data sovereignty lawsand regulations.
Difference between secrets management and key management
Secrets management and key management are both critical components of data security,but they serve distinct purposes and handle different types of sensitive information.The choice between secrets management and key management depends on your specific needs.If you want to securely store and manage confidential data, a secrets management systemis the right tool. If you want to manage encryption keys and perform cryptographic operations,a key management system is the better choice.
You can use the following table to understand the key differences between Secret Managerand a key management system, such as Cloud KMS.
| Feature | Secret Manager | Cloud Key Management Service |
|---|---|---|
| Primary function | Store, manage, and access secrets as binary blobs or text strings | Manage cryptographic keys and use them to encrypt or decrypt data |
| Data stored | Actual secret values. With the appropriate permissions, you can view the contents of the secret. | Cryptographic keys. You can't view, extract, or export the actual cryptographic secrets (the bits and bytes) that are used for encryption and decryption operations. |
| Encryption | Encrypts secrets at rest and in transit (using Google-managed or customer-managed keys) | Provides encryption and decryption capabilities for other services |
| Typical use cases | Store configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime | Handle large encryption workloads, such as encrypting rows in a database or encrypting binary data such as images and files. You can also use Cloud KMS to perform other cryptographic operations such as signing and verification. |
What's next
- Learn how tocreate a secret.
- Learn how to add a secret version.
- Learn how to edit a secret.
- Learn about quotas and limitations.
- Learn about best practices.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-09-10 UTC.
[{ "type": "thumb-down", "id": "hardToUnderstand", "label":"Hard to understand" },{ "type": "thumb-down", "id": "incorrectInformationOrSampleCode", "label":"Incorrect information or sample code" },{ "type": "thumb-down", "id": "missingTheInformationSamplesINeed", "label":"Missing the information/samples I need" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]
