---
title: Secret Manager Secret
description: Datadog, the leading service for cloud-scale monitoring.
---

# Secret Manager Secret

Secret Manager Secret in Google Cloud is a secure resource used to store, manage, and access sensitive information such as API keys, passwords, or certificates. It provides centralized secret management with fine-grained access control, automatic replication, and audit logging. This helps ensure that applications can safely retrieve secrets without embedding them in code or configuration files.

```
gcp.secretmanager_secret
```

## Fields

| ID | Type | Data Type | Description |
| --- | --- | --- | --- |
| _key | core | string | |
| ancestors | core | array<string> | |
| annotations | core | hstore | Optional. Custom metadata about the secret. Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database. Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols. The total size of annotation keys and values must be less than 16KiB. |
| create_time | core | timestamp | Output only. The time at which the Secret was created. |
| customer_managed_encryption | core | json | Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions. |
| datadog_display_name | core | string | |
| etag | core | string | Optional. Etag of the currently stored Secret. |
| expire_time | core | timestamp | Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input. |
| labels | core | array<string> | The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `\p{Ll}\p{Lo}{0,62}`. Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`. No more than 64 labels can be assigned to a given resource. |
| name | core | string | Output only. The resource name of the Secret in the format `projects/*/secrets/*`. |
| organization_id | core | string | |
| parent | core | string | |
| project_id | core | string | |
| project_number | core | string | |
| region_id | core | string | |
| replication | core | json | Optional. Immutable. The replication policy of the secret data attached to the Secret. The replication policy cannot be changed after the Secret has been created. |
| resource_name | core | string | |
| rotation | core | json | Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy. |
| tags | core | hstore_csv | |
| topics | core | json | Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. |
| ttl | core | string | Input only. The TTL for the Secret. |
| version_destroy_ttl | core | string | Optional. Secret version TTL after a destruction request. This is part of the delayed secret version destroy feature. For a secret with TTL>0, version destruction doesn't happen immediately on calling destroy; instead, the version goes to a disabled state and destruction happens after the TTL expires. |
| zone_id | core | string | |
