Google Cloud Secret Manager Client Library
A Python client library for Google Cloud Secret Manager, enabling secure storage and management of application secrets. Current version: 2.27.0. The library is released on a regular cadence, with recent updates enhancing functionality and security features.
Common errors
- ModuleNotFoundError: No module named 'google.cloud.secretmanager'
  cause: The `google-cloud-secret-manager` library is not installed in the Python environment, or the environment (e.g., a specific runtime in a cloud service) cannot locate the installed package.
  fix: Install the library using pip: `pip install google-cloud-secret-manager`
- ImportError: cannot import name 'secretmanager' from 'google.cloud'
  cause: This typically occurs when the `google-cloud-secret-manager` package is not correctly installed or its components are not accessible within the `google.cloud` namespace, sometimes due to conflicts with other `google.cloud` packages or environment issues.
  fix: Ensure the library is properly installed: `pip install google-cloud-secret-manager`. If issues persist, verify your Python environment and package paths, especially in isolated environments like virtual machines or containers.
- Permission denied (or similar error message indicating missing permissions like 'secretmanager.versions.accessSecretVersion')
  cause: The service account or user identity attempting to access the secret lacks the necessary IAM permissions, such as 'Secret Manager Secret Accessor' (`roles/secretmanager.secretAccessor`) for the secret, project, or folder.
  fix: Grant the appropriate IAM role (e.g., 'Secret Manager Secret Accessor') to the service account or user identity on the specific secret or its parent resource (project/folder/organization).
- AttributeError: 'SecretVersion' object has no attribute 'payload'
  cause: A `SecretVersion` object (for example, the one returned by `add_secret_version`) has no `payload` attribute. The secret data is stored in `payload.data` on the response returned by `access_secret_version`.
  fix: Call `access_secret_version` for the version and read the secret data via `response.payload.data.decode('utf-8')`, where `response` is the object returned by that call.
Warnings
- breaking: Import path changed from `from google.cloud import secretmanager` to `from google.cloud import secretmanager_v1`.
- deprecated: Using `secretmanager` instead of `secretmanager_v1` may lead to compatibility issues in future releases.
- gotcha: Ensure that the `GOOGLE_APPLICATION_CREDENTIALS` environment variable points to a valid service account JSON file for authentication.
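A preflight check for the credentials file named in the last warning, written as an added example (not part of the library or of the original page). It assumes a downloaded service account key file; the function name `check_credentials_file` and the `REQUIRED_FIELDS` list are hypothetical choices for this example.

```python
import json
import os
import stat

# Fields found in a service account key file (assumed set for this example).
REQUIRED_FIELDS = ("project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def check_credentials_file(path):
    """Return a list of problems with the key file; an empty list means it passed."""
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    if not os.path.isfile(path):
        return [f"{path}: does not exist or is not a regular file"]

    problems = []
    # The file holds a private key, so only its owner should be able to read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} is accessible to group/other; use 0600")

    try:
        with open(path, encoding="utf-8") as fh:
            info = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not readable as JSON: {exc}"]
    if not isinstance(info, dict):
        return problems + ["top-level JSON value is not an object"]

    # Other credential types exist; this check expects a service account key.
    if info.get("type") != "service_account":
        problems.append(f"type is {info.get('type')!r}, expected 'service_account'")
    missing = [name for name in REQUIRED_FIELDS if not info.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    key = info.get("private_key")
    if key and not (isinstance(key, str) and "-----BEGIN PRIVATE KEY-----" in key):
        problems.append("private_key is not a PEM-encoded key")
    return problems


if __name__ == "__main__":
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    for problem in check_credentials_file(path):
        print("credentials check:", problem)
```

Running it before constructing the client separates a bad or over-exposed key file from the IAM and import errors listed above.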
Install
- pip install google-cloud-secret-manager
Imports
- SecretManagerServiceClient
from google.cloud import secretmanager_v1
Quickstart
import os

from google.cloud import secretmanager_v1

# Set up authentication
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'path_to_your_service_account_file.json'

# Initialize the Secret Manager client
client = secretmanager_v1.SecretManagerServiceClient()

# Define project and secret details
project_id = 'your-project-id'
secret_id = 'your-secret-id'

# Build the parent name from the project
parent = f'projects/{project_id}'

# Create the secret
secret = client.create_secret(
    request={
        'parent': parent,
        'secret_id': secret_id,
        'secret': {'replication': {'automatic': {}}},
    }
)

# Add a version with a payload
version = client.add_secret_version(
    request={
        'parent': secret.name,
        'payload': {'data': b'hello world!'},
    }
)

# Access the secret version
response = client.access_secret_version(request={'name': version.name})

# Print the secret payload
payload = response.payload.data.decode('UTF-8')
print(f'Plaintext: {payload}')