Secret store secret

Secrets written to a secret store are encrypted in transit and at rest. Secret store entries are write-only and plaintext secret values cannot be retrieved via the API. The plaintext values are only available to Compute services during their request processing. Secret names must be unique within a store.

A secret within a secret store.

Data model

client_key (string): The Base64-encoded string containing the client key used to encrypt the secret, if applicable.
name (string): A human-readable name for the secret. The value must contain only letters, numbers, dashes (-), underscores (_), and periods (.).
secret (string): A Base64-encoded string containing either the secret or the encrypted secret (when using client_key). The maximum secret size (before Base64 encoding and optional local encryption) is 64KB.
created_at (string): Date and time in ISO 8601 format. Read-only.
digest (string): An opaque identifier of the plaintext secret value. This can be used to determine if a secret value has changed. Read-only.
recreated (boolean): True if the secret replaced a secret with the same name.
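
The following is an added example, not part of the original documentation: a client-side check of the name and secret constraints above before building a write request body, plus a digest comparison for detecting a changed value. The names build_secret_body, secret_changed and MAX_SECRET_BYTES are hypothetical; it assumes "64KB" means 64 * 1024 bytes and "letters" means ASCII letters, and it does not cover the client_key encryption path.

```python
import base64
import json
import re

# Assumption: "64KB" in the data model means 64 * 1024 bytes.
MAX_SECRET_BYTES = 64 * 1024
# Letters, numbers, dashes, underscores and periods, per the `name` field.
# Assumption: "letters" means ASCII letters only.
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def build_secret_body(name: str, plaintext: bytes) -> str:
    """Return a JSON body with `name` and Base64 `secret` (no client_key)."""
    # fullmatch rejects empty names and any character outside the allowed set,
    # including a trailing newline picked up from a file or shell variable.
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid secret name: {name!r}")
    # The size limit applies to the raw bytes, before Base64 encoding.
    if len(plaintext) > MAX_SECRET_BYTES:
        raise ValueError(
            f"secret is {len(plaintext)} bytes, limit is {MAX_SECRET_BYTES}"
        )
    encoded = base64.b64encode(plaintext).decode("ascii")
    return json.dumps({"name": name, "secret": encoded})


def secret_changed(previous_meta: dict, current_meta: dict) -> bool:
    """Compare the read-only `digest` from two metadata responses.

    Entries are write-only, so the digest is the only way to tell from the
    API whether the stored plaintext differs from an earlier write.
    """
    return previous_meta["digest"] != current_meta["digest"]


if __name__ == "__main__":
    # Constructed sample values, not real secrets or real API responses.
    print(build_secret_body("db.password_v2", b"example-value"))
    before = {"name": "db.password_v2", "digest": "digest-A", "recreated": False}
    after = {"name": "db.password_v2", "digest": "digest-B", "recreated": True}
    print("value changed:", secret_changed(before, after))
```
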

Endpoints

List secrets within a store

GET /resources/stores/secret/store_id/secrets

Create or recreate a secret in a store

PUT /resources/stores/secret/store_id/secrets

Create a new secret in a store

POST /resources/stores/secret/store_id/secrets

Recreate a secret in a store

PATCH /resources/stores/secret/store_id/secrets

Get secret metadata

GET /resources/stores/secret/store_id/secrets/secret_name

Delete a secret from a store

DELETE /resources/stores/secret/store_id/secrets/secret_name