gcp_secretmanager_secret
ancestors
Type: UNORDERED_LIST_STRING
annotations
Type: MAP_STRING_STRING
Provider name: annotations
Description: Optional. Custom metadata about the secret. Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database. Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols. The total size of annotation keys and values must be less than 16KiB.
create_time
Type: TIMESTAMP
Provider name: createTime
Description: Output only. The time at which the Secret was created.
customer_managed_encryption
Type: STRUCT
Provider name: customerManagedEncryption
Description: Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
kms_key_name
Type: STRING
Provider name: kmsKeyName
Description: Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location. For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global. The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.
etag
Type: STRING
Provider name: etag
Description: Optional. Etag of the currently stored Secret.
expire_time
Type: TIMESTAMP
Provider name: expireTime
Description: Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.
labels
Type: UNORDERED_LIST_STRING
name
Type: STRING
Provider name: name
Description: Output only. The resource name of the Secret in the format projects/*/secrets/*.
organization_id
Type: STRING
parent
Type: STRING
project_id
Type: STRING
project_number
Type: STRING
replication
Type: STRUCT
Provider name: replication
Description: Optional. Immutable. The replication policy of the secret data attached to the Secret. The replication policy cannot be changed after the Secret has been created.
automatic
Type: STRUCT
Provider name: automatic
Description: The Secret will automatically be replicated without any restrictions.
customer_managed_encryption
Type: STRUCT
Provider name: customerManagedEncryption
Description: Optional. The customer-managed encryption configuration of the Secret. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
kms_key_name
Type: STRING
Provider name: kmsKeyName
Description: Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location. For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global. The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.
user_managed
Type: STRUCT
Provider name: userManaged
Description: The Secret will only be replicated into the locations specified.
replicas
Type: UNORDERED_LIST_STRUCT
Provider name: replicas
Description: Required. The list of Replicas for this Secret. Cannot be empty.
customer_managed_encryption
Type: STRUCT
Provider name: customerManagedEncryption
Description: Optional. The customer-managed encryption configuration of the User-Managed Replica. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions.
kms_key_name
Type: STRING
Provider name: kmsKeyName
Description: Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location. For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in global. The expected format is projects/*/locations/*/keyRings/*/cryptoKeys/*.
location
Type: STRING
Provider name: location
Description: The canonical IDs of the location to replicate data. For example: "us-east1".
resource_name
Type: STRING
rotation
Type: STRUCT
Provider name: rotation
Description: Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy.
next_rotation_time
Type: TIMESTAMP
Provider name: nextRotationTime
Description: Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Cannot be set to less than 300s (5 min) in the future and at most 3153600000s (100 years). next_rotation_time MUST be set if rotation_period is set.
rotation_period
Type: STRING
Provider name: rotationPeriod
Description: Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years). If rotation_period is set, next_rotation_time must be set. next_rotation_time will be advanced by this period when the service automatically sends rotation notifications.
Type: UNORDERED_LIST_STRING
topics
Type: UNORDERED_LIST_STRUCT
Provider name: topics
Description: Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.
name
Type: STRING
Provider name: name
Description: Identifier. The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager service agent must have the pubsub.topic.publish permission on the topic. The Pub/Sub Publisher role (roles/pubsub.publisher) includes this permission.
ttl
Type: STRING
Provider name: ttl
Description: Input only. The TTL for the Secret.
version_destroy_ttl
Type: STRING
Provider name: versionDestroyTtl
Description: Optional. Secret Version TTL after destruction request. This is a part of the Delayed secret version destroy feature. For a secret with TTL>0, version destruction doesn't happen immediately on calling destroy; instead, the version goes to a disabled state and destruction happens after the TTL expires.