Module secretmanager

This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Resource Secret

class Secret extends CustomResource

A Secret is a logical secret whose value and versions can be accessed.

To get more information about Secret, see:

API documentation

Example Usage - Secret Config Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const secretBasic = new gcp.secretmanager.Secret("secret-basic", {
    labels: {
        label: "my-label",
    },
    replication: {
        userManaged: {
            replicas: [
                {
                    location: "us-central1",
                },
                {
                    location: "us-east1",
                },
            ],
        },
    },
    secretId: "secret",
});

constructor

new Secret(name: string, args: SecretArgs, opts?: pulumi.CustomResourceOptions)

Create a Secret resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretState, opts?: pulumi.CustomResourceOptions): Secret

Get an existing Secret resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Secret

Returns true if the given object is an instance of Secret. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property createTime

public createTime: pulumi.Output<string>;

The time at which the Secret was created.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property labels

public labels: pulumi.Output<{[key: string]: string} | undefined>;

The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}-]{0,62} Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}-]{0,63} No more than 64 labels can be assigned to a given resource. An object containing a list of “key”: value pairs. Example: { “name”: “wrench”, “mass”: “1.3kg”, “count”: “3” }.

property name

public name: pulumi.Output<string>;

The resource name of the Secret. Format: ‘projects/{{project}}/secrets/{{secret_id}}’

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property replication

public replication: pulumi.Output<SecretReplication>;

The replication policy of the secret data attached to the Secret. It cannot be changed after the Secret has been created. Structure is documented below.

property secretId

public secretId: pulumi.Output<string>;

This must be unique within the project.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretIamBinding

class SecretIamBinding extends CustomResource

Three different resources help you manage your IAM policy for Secret Manager Secret. Each of these resources serves a different use case:

gcp.secretmanager.SecretIamPolicy: Authoritative. Sets the IAM policy for the secret and replaces any existing policy already attached.
gcp.secretmanager.SecretIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the secret are preserved.
gcp.secretmanager.SecretIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the secret are preserved.

Note: gcp.secretmanager.SecretIamPolicy cannot be used in conjunction with gcp.secretmanager.SecretIamBinding and gcp.secretmanager.SecretIamMember or they will fight over what your policy should be.
Note: gcp.secretmanager.SecretIamBinding resources can be used in conjunction with gcp.secretmanager.SecretIamMember resources only if they do not grant privilege to the same role.

google_secret_manager_secret_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.secretmanager.SecretIamPolicy("policy", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    policyData: admin.then(admin => admin.policyData),
});

google_secret_manager_secret_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.secretmanager.SecretIamBinding("binding", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

google_secret_manager_secret_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.secretmanager.SecretIamMember("member", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

constructor

new SecretIamBinding(name: string, args: SecretIamBindingArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretIamBinding resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretIamBindingState, opts?: pulumi.CustomResourceOptions): SecretIamBinding

Get an existing SecretIamBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretIamBinding

Returns true if the given object is an instance of SecretIamBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<SecretIamBindingCondition | undefined>;

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members

public members: pulumi.Output<string[]>;

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.secretmanager.SecretIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property secretId

public secretId: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretIamMember

class SecretIamMember extends CustomResource

Three different resources help you manage your IAM policy for Secret Manager Secret. Each of these resources serves a different use case:

gcp.secretmanager.SecretIamPolicy: Authoritative. Sets the IAM policy for the secret and replaces any existing policy already attached.
gcp.secretmanager.SecretIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the secret are preserved.
gcp.secretmanager.SecretIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the secret are preserved.

Note: gcp.secretmanager.SecretIamPolicy cannot be used in conjunction with gcp.secretmanager.SecretIamBinding and gcp.secretmanager.SecretIamMember or they will fight over what your policy should be.
Note: gcp.secretmanager.SecretIamBinding resources can be used in conjunction with gcp.secretmanager.SecretIamMember resources only if they do not grant privilege to the same role.

google_secret_manager_secret_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.secretmanager.SecretIamPolicy("policy", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    policyData: admin.then(admin => admin.policyData),
});

google_secret_manager_secret_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.secretmanager.SecretIamBinding("binding", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

google_secret_manager_secret_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.secretmanager.SecretIamMember("member", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

constructor

new SecretIamMember(name: string, args: SecretIamMemberArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretIamMember resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretIamMemberState, opts?: pulumi.CustomResourceOptions): SecretIamMember

Get an existing SecretIamMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretIamMember

Returns true if the given object is an instance of SecretIamMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property condition

public condition: pulumi.Output<SecretIamMemberCondition | undefined>;

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member

public member: pulumi.Output<string>;

property project

public project: pulumi.Output<string>;

property role

public role: pulumi.Output<string>;

property secretId

public secretId: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretIamPolicy

class SecretIamPolicy extends CustomResource

Three different resources help you manage your IAM policy for Secret Manager Secret. Each of these resources serves a different use case:

gcp.secretmanager.SecretIamPolicy: Authoritative. Sets the IAM policy for the secret and replaces any existing policy already attached.
gcp.secretmanager.SecretIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the secret are preserved.
gcp.secretmanager.SecretIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the secret are preserved.

Note: gcp.secretmanager.SecretIamPolicy cannot be used in conjunction with gcp.secretmanager.SecretIamBinding and gcp.secretmanager.SecretIamMember or they will fight over what your policy should be.
Note: gcp.secretmanager.SecretIamBinding resources can be used in conjunction with gcp.secretmanager.SecretIamMember resources only if they do not grant privilege to the same role.

google_secret_manager_secret_iam_policy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    binding: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.secretmanager.SecretIamPolicy("policy", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    policyData: admin.then(admin => admin.policyData),
});

google_secret_manager_secret_iam_binding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.secretmanager.SecretIamBinding("binding", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

google_secret_manager_secret_iam_member

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.secretmanager.SecretIamMember("member", {
    project: google_secret_manager_secret["secret-basic"].project,
    secretId: google_secret_manager_secret["secret-basic"].secret_id,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

constructor

new SecretIamPolicy(name: string, args: SecretIamPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretIamPolicy resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretIamPolicyState, opts?: pulumi.CustomResourceOptions): SecretIamPolicy

Get an existing SecretIamPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretIamPolicy

Returns true if the given object is an instance of SecretIamPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property project

public project: pulumi.Output<string>;

property secretId

public secretId: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource SecretVersion

class SecretVersion extends CustomResource

A secret version resource.

Warning: All arguments including payload.secret_data will be stored in the raw state as plain-text.

Example Usage - Secret Version Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const secretBasic = new gcp.secretmanager.Secret("secret-basic", {
    secretId: "secret-version",
    labels: {
        label: "my-label",
    },
    replication: {
        automatic: true,
    },
});
const secretVersionBasic = new gcp.secretmanager.SecretVersion("secret-version-basic", {
    secret: secret_basic.id,
    secretData: "secret-data",
});

constructor

new SecretVersion(name: string, args: SecretVersionArgs, opts?: pulumi.CustomResourceOptions)

Create a SecretVersion resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: SecretVersionState, opts?: pulumi.CustomResourceOptions): SecretVersion

Get an existing SecretVersion resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is SecretVersion

Returns true if the given object is an instance of SecretVersion. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property createTime

public createTime: pulumi.Output<string>;

The time at which the Secret was created.

property destroyTime

public destroyTime: pulumi.Output<string>;

The time at which the Secret was destroyed. Only present if state is DESTROYED.

property enabled

public enabled: pulumi.Output<boolean | undefined>;

The current state of the SecretVersion.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The resource name of the SecretVersion. Format: ‘projects/{{project}}/secrets/{{secret_id}}/versions/{{version}}’

property secret

public secret: pulumi.Output<string>;

Secret Manager secret resource

property secretData

public secretData: pulumi.Output<string | undefined>;

The secret data. Must be no larger than 64KiB. Note: This property is sensitive and will not be displayed in the plan.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getSecretVersion

getSecretVersion(args: GetSecretVersionArgs, opts?: pulumi.InvokeOptions): Promise<GetSecretVersionResult>

Get a Secret Manager secret’s version. For more information see the official documentation and API.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const basic = pulumi.output(gcp.secretmanager.getSecretVersion({
    secret: "my-secret",
}, { async: true }));

Others

interface GetSecretVersionArgs

interface GetSecretVersionArgs

A collection of arguments for invoking getSecretVersion.

property project

project?: undefined | string;

The project to get the secret version for. If it is not provided, the provider project is used.

property secret

secret: string;

The secret to get the secret version for.

property version

version?: undefined | string;

The version of the secret to get. If it is not provided, the latest version is retrieved.

interface GetSecretVersionResult

interface GetSecretVersionResult

A collection of values returned by getSecretVersion.

property createTime

createTime: string;

The time at which the Secret was created.

property destroyTime

destroyTime: string;

The time at which the Secret was destroyed. Only present if state is DESTROYED.

property enabled

enabled: boolean;

True if the current state of the SecretVersion is enabled.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property name

name: string;

The resource name of the SecretVersion. Format: projects/{{project}}/secrets/{{secret_id}}/versions/{{version}}

property project

project: string;

property secret

secret: string;

property secretData

secretData: string;

The secret data. No larger than 64KiB.

property version

version: string;

interface SecretArgs

interface SecretArgs

The set of arguments for constructing a Secret resource.

property labels

labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property replication

replication: pulumi.Input<SecretReplication>;

The replication policy of the secret data attached to the Secret. It cannot be changed after the Secret has been created. Structure is documented below.

property secretId

secretId: pulumi.Input<string>;

This must be unique within the project.

interface SecretIamBindingArgs

interface SecretIamBindingArgs

The set of arguments for constructing a SecretIamBinding resource.

property condition

condition?: pulumi.Input<SecretIamBindingCondition>;

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property project

project?: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

property secretId

secretId: pulumi.Input<string>;

interface SecretIamBindingState

interface SecretIamBindingState

Input properties used for looking up and filtering SecretIamBinding resources.

property condition

condition?: pulumi.Input<SecretIamBindingCondition>;

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property project

project?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

property secretId

secretId?: pulumi.Input<string>;

interface SecretIamMemberArgs

interface SecretIamMemberArgs

The set of arguments for constructing a SecretIamMember resource.

property condition

condition?: pulumi.Input<SecretIamMemberCondition>;

property member

member: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;

property role

role: pulumi.Input<string>;

property secretId

secretId: pulumi.Input<string>;

interface SecretIamMemberState

interface SecretIamMemberState

Input properties used for looking up and filtering SecretIamMember resources.

property condition

condition?: pulumi.Input<SecretIamMemberCondition>;

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property member

member?: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;

property role

role?: pulumi.Input<string>;

property secretId

secretId?: pulumi.Input<string>;

interface SecretIamPolicyArgs

interface SecretIamPolicyArgs

The set of arguments for constructing a SecretIamPolicy resource.

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property project

project?: pulumi.Input<string>;

property secretId

secretId: pulumi.Input<string>;

interface SecretIamPolicyState

interface SecretIamPolicyState

Input properties used for looking up and filtering SecretIamPolicy resources.

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property project

project?: pulumi.Input<string>;

property secretId

secretId?: pulumi.Input<string>;

interface SecretState

interface SecretState

Input properties used for looking up and filtering Secret resources.

property createTime

createTime?: pulumi.Input<string>;

The time at which the Secret was created.

property labels

labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

property name

name?: pulumi.Input<string>;

The resource name of the Secret. Format: ‘projects/{{project}}/secrets/{{secret_id}}’

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property replication

replication?: pulumi.Input<SecretReplication>;

The replication policy of the secret data attached to the Secret. It cannot be changed after the Secret has been created. Structure is documented below.