Google Secret Manager

Google Secret Manager provides a secure and convenient tool for storing API keys, passwords, certificates and other sensitive data. These sample Java applications demonstrate how to access the Secret Manager API using the Google Java API Client Libraries.

Prerequisites

Enable the API

You must enable the Secret Manager API, Cloud KMS API and Pub/Sub API for your project in order to use these samples.

Set Environment Variables

You must set your project ID, KMS keys (global and regional), and Pub/Sub topic in order to run the tests.

$ export GOOGLE_CLOUD_PROJECT=<your-project-id-here>
$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key>  # region same as location
$ export GOOGLE_CLOUD_KMS_KEY=<full-name-of-global-kms-key>
$ export GOOGLE_CLOUD_PUBSUB_TOPIC=<full-name-of-pubsub-topic>

The Pub/Sub topic should be in the format projects/PROJECT_ID/topics/TOPIC_ID and is used for testing secret notifications.
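
A preflight check for the variables above, as an added example that is not part of the samples: it verifies that all four are set and that each value has the expected resource-name shape. The function names are hypothetical; the KMS pattern is the standard `projects/*/locations/*/keyRings/*/cryptoKeys/*` form, and treating the global key as one whose location is `global` is an assumption.

```shell
#!/bin/sh
# Preflight check for the four variables the tests read.
# Added example: function names are hypothetical, not part of the samples.

# is_kms_key NAME -> 0 if NAME is a full Cloud KMS CryptoKey resource name
is_kms_key() {
  printf '%s\n' "$1" | grep -Eq \
    '^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$'
}

# kms_location NAME -> prints the location segment of a key name
kms_location() {
  printf '%s\n' "$1" | cut -d/ -f4
}

# check_samples_env -> prints one line per problem, returns 1 if any were found
check_samples_env() {
  rc=0
  for v in GOOGLE_CLOUD_PROJECT GOOGLE_CLOUD_REGIONAL_KMS_KEY \
           GOOGLE_CLOUD_KMS_KEY GOOGLE_CLOUD_PUBSUB_TOPIC; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "unset: $v"; rc=1; }
  done
  # Format checks are only meaningful once every variable has a value.
  [ "$rc" -eq 0 ] || return 1

  # Assumption: the "global" key lives in the location named global.
  if ! is_kms_key "$GOOGLE_CLOUD_KMS_KEY"; then
    echo "GOOGLE_CLOUD_KMS_KEY: not a full key name"; rc=1
  elif [ "$(kms_location "$GOOGLE_CLOUD_KMS_KEY")" != global ]; then
    echo "GOOGLE_CLOUD_KMS_KEY: location is not global"; rc=1
  fi
  if ! is_kms_key "$GOOGLE_CLOUD_REGIONAL_KMS_KEY"; then
    echo "GOOGLE_CLOUD_REGIONAL_KMS_KEY: not a full key name"; rc=1
  elif [ "$(kms_location "$GOOGLE_CLOUD_REGIONAL_KMS_KEY")" = global ]; then
    echo "GOOGLE_CLOUD_REGIONAL_KMS_KEY: location is global, need a region"; rc=1
  fi
  printf '%s\n' "$GOOGLE_CLOUD_PUBSUB_TOPIC" |
    grep -Eq '^projects/[^/]+/topics/[^/]+$' ||
    { echo "GOOGLE_CLOUD_PUBSUB_TOPIC: want projects/PROJECT_ID/topics/TOPIC_ID"; rc=1; }
  return "$rc"
}
```

Source the file and run `check_samples_env` after exporting the variables; it only inspects the strings and makes no API calls, so it does not confirm that the keys or topic exist.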

Grant Permissions

You must ensure that the user account or service account you used to authorize your gcloud session has the proper permissions to edit Secret Manager resources for your project. In the Cloud Console under IAM, add the following roles to the project whose service account you're using to test:

  • Secret Manager Admin (roles/secretmanager.admin)
  • Secret Manager Secret Accessor (roles/secretmanager.secretAccessor)
  • Cloud KMS Encrypter / Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the regional and global KMS key used for testing
  • Pub/Sub Publisher (roles/pubsub.publisher) on the Pub/Sub topic used for testing

More information can be found in the Secret Manager Docs.