Secret Manager

Store API keys, passwords, certificates, and sensitive data

Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data.

The first six secret versions are free. New customers get $300 in free credits to spend on Secret Manager.

Features

Least privilege made easy

Easily follow the principle of least privilege with Secret Manager's Cloud IAM roles. You can grant individual permissions to secrets and separate the ability to manage secrets from the ability to access their data.

Simplified life cycle management

Secret Manager enables simple life cycle management with first class versioning and the ability to pin requests to the latest version of a secret. You can use Cloud Functions to automate rotation.

Powerful auditing, built in

With Cloud Audit Logs integration, every interaction with Secret Manager generates an audit log. This integration makes meeting audit and compliance requirements easy.

Replication policies

Secret names are project-global resources, but secret data is stored in regions. You can choose specific regions in which to store your secrets, or you can let us decide. Either way, we automatically handle the replication of secret data.

First-class versioning

Secret data is immutable and most operations take place on secret versions. With Secret Manager, you can pin a secret to specific versions like "42" or floating aliases like "latest."

Cloud IAM integration

Control access to secrets the same way you control access to other Google Cloud resources. Only project owners have permission to access Secret Manager secrets; other roles must explicitly be granted permissions through Cloud IAM.

Audit logging

With Cloud Audit Logs enabled, every interaction with Secret Manager generates an audit entry. You can ingest these logs into anomaly detection systems to spot abnormal access patterns and alert on possible security breaches.

Encrypted by default

Data is encrypted in transit with TLS and at rest with AES-256-bit encryption keys.

VPC Service Controls support

Enable context-aware access to Secret Manager from hybrid environments with VPC Service Controls.

Powerful and extensible

Secret Manager's API-first design makes it easy to extend and integrate into existing systems. It is also integrated into popular third-party technologies like HashiCorp Terraform and GitHub Actions.

How It Works

Secret Manager lets you store, manage, and access secrets as binary blobs or text strings. Secret Manager works well for storing configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime.


Video thumbnail for Manage your Cloud Run secrets securely with Secret Manager

Common Uses

Secrets management

Create a secret


  1. Go to the Secret Manager page in the Google Cloud console.
  2. On the Secret Manager page, click Create secret.
  3. On the Create secret page, under Name, enter a name for the secret (for example, my-secret). A secret name can contain uppercase and lowercase letters, numerals, hyphens, and underscores. The maximum allowed length for a name is 255 characters.
  4. Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example, abcd1234). The secret value can be in any format but must not be larger than 64 KiB. You can also upload a text file containing the secret value using the Upload file option.
  5. Click the Create secret button.
View documentation

Create a secret


  1. Go to the Secret Manager page in the Google Cloud console.
  2. On the Secret Manager page, click Create secret.
  3. On the Create secret page, under Name, enter a name for the secret (for example, my-secret). A secret name can contain uppercase and lowercase letters, numerals, hyphens, and underscores. The maximum allowed length for a name is 255 characters.
  4. Optional: To also add a secret version when creating the initial secret, in the Secret value field, enter a value for the secret (for example, abcd1234). The secret value can be in any format but must not be larger than 64 KiB. You can also upload a text file containing the secret value using the Upload file option.
  5. Click the Create secret button.
View documentation

Pricing

How Secret Manager pricing worksWhen you use Secret Manager, you are charged for operations and active secret versions.
ServiceDescriptionPrice

Get started free

New users get $300 in free trial credits to use within 90 days.

Free

All customers get six secret versions for analyzing and storing sensitive data.

Free

Secret versions

Active

$0.06 per version per location

Destroyed

Free

Operations

Access operations


$0.03 per 10,000 operations

Management operations

Free

Notifications

Rotation notifications


$0.05 per rotation

Secret Manager bills for every SECRET_ROTATE message sent to a Pub/Sub topic.

Learn more about Secret Manager pricing

How Secret Manager pricing works

When you use Secret Manager, you are charged for operations and active secret versions.

Get started free

Description

New users get $300 in free trial credits to use within 90 days.

Price

Free

All customers get six secret versions for analyzing and storing sensitive data.

Description

Free

Secret versions

Description

Active

Price

$0.06 per version per location

Destroyed

Description

Free

Operations

Description

Access operations


Price

$0.03 per 10,000 operations

Management operations

Description

Free

Notifications

Description

Rotation notifications


Price

$0.05 per rotation

Secret Manager bills for every SECRET_ROTATE message sent to a Pub/Sub topic.

Learn more about Secret Manager pricing

Pricing Calculator

Use the Google Cloud Pricing Calculator to estimate the cost of using Secret Manager.

Request a custom quote

Connect with our sales team to get a custom quote for your organization.

Take the next step

Start your next project, explore interactive tutorials, and manage your account.

Need help getting started?

Need help getting started?

Work with a trusted partner

Get tips and best practices

Google Cloud
  • ‪English‬
  • ‪Deutsch‬
  • ‪Español‬
  • ‪Español (Latinoamérica)‬
  • ‪Français‬
  • ‪Indonesia‬
  • ‪Italiano‬
  • ‪Português (Brasil)‬
  • ‪简体中文‬
  • ‪繁體中文‬
  • ‪日本語‬
  • ‪한국어‬
Console
Google Cloud
  翻译: