Enable a disabled secret version

This page describes how to enable a disabled secret version so that you can access the version and the secret data that it contains.

Required roles

To get the permissions that you need to enable a disabled secret version, ask your administrator to grant you the Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager) IAM role on a secret. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable a disabled secret version

To enable a disabled secret version, use one of the following methods:

Console

  1. In the Google Cloud console, go to the Secret Manager page.

    Go to Secret Manager

  2. On the Secret Manager page, click a secret to access its versions.

  3. On the secret details page, in the Versions tab, select the disabled secret version that you want to enable.

  4. Click Actions, and then click Enable.

  5. In the confirmation dialog that appears, click Enable selected versions.

gcloud

Before using any of the command data below, make the following replacements:

  • VERSION_ID: the ID of the secret version
  • SECRET_ID: the ID of the secret

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudsecretsversionsenableVERSION_ID--secret=SECRET_ID

Windows (PowerShell)

gcloudsecretsversionsenableVERSION_ID--secret=SECRET_ID

Windows (cmd.exe)

gcloudsecretsversionsenableVERSION_ID--secret=SECRET_ID

REST

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the Google Cloud project ID
  • SECRET_ID: the ID of the secret
  • VERSION_ID: the ID of the secret version

HTTP method and URL: 

POST https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID/versions/VERSION_ID:enable

Request JSON body: 

{}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command: 

curl -X POST \
 -H "Authorization: Bearer $(gcloud auth print-access-token)" \
 -H "Content-Type: application/json; charset=utf-8" \
 -d @request.json \
 "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID/versions/VERSION_ID:enable"

PowerShell

Save the request body in a file named request.json, and execute the following command: 

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
 -Method POST `
 -Headers $headers `
 -ContentType: "application/json; charset=utf-8" `
 -InFile request.json `
 -Uri "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID/versions/VERSION_ID:enable" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
 "name": "projects/PROJECT_ID/locations/LOCATION/secrets/SECRET_ID/versions/VERSION_ID",
 "createTime": "2024-09-02T07:16:34.566706Z",
 "state": "ENABLED",
 "etag": "\"16214547e7583e\""
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 


usingGoogle.Cloud.SecretManager.V1 ;
publicclassEnableSecretVersionSample
{
publicSecretVersionEnableSecretVersion(
stringprojectId="my-project",stringsecretId="my-secret",stringsecretVersionId="123")
{
// Create the client.
SecretManagerServiceClient client=SecretManagerServiceClient .Create ();
// Build the resource name.
SecretVersionName secretVersionName=newSecretVersionName (projectId,secretId,secretVersionId);
// Call the API.
SecretVersion version=client.EnableSecretVersion (secretVersionName);
returnversion;
}
}

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

import(
"context"
"fmt"
secretmanager"cloud.google.com/go/secretmanager/apiv1"
"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
)
// enableSecretVersion enables the given secret version, enabling it to be
// accessed after previously being disabled. Other secrets versions are
// unaffected.
funcenableSecretVersion(namestring)error{
// name := "projects/my-project/secrets/my-secret/versions/5"
// Create the client.
ctx:=context.Background()
client,err:=secretmanager.NewClient (ctx)
iferr!=nil{
returnfmt.Errorf("failed to create secretmanager client: %w",err)
}
deferclient.Close ()
// Build the request.
req:=&secretmanagerpb.EnableSecretVersionRequest{
Name:name,
}
// Call the API.
if_,err:=client.EnableSecretVersion(ctx,req);err!=nil{
returnfmt.Errorf("failed to enable secret version: %w",err)
}
returnnil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

importcom.google.cloud.secretmanager.v1.SecretManagerServiceClient ;
importcom.google.cloud.secretmanager.v1.SecretVersion ;
importcom.google.cloud.secretmanager.v1.SecretVersionName ;
importjava.io.IOException;
publicclass EnableSecretVersion{
publicstaticvoidenableSecretVersion()throwsIOException{
// TODO(developer): Replace these variables before running the sample.
StringprojectId="your-project-id";
StringsecretId="your-secret-id";
StringversionId="your-version-id";
enableSecretVersion(projectId,secretId,versionId);
}
// Enable an existing secret version.
publicstaticvoidenableSecretVersion(StringprojectId,StringsecretId,StringversionId)
throwsIOException{
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try(SecretManagerServiceClient client=SecretManagerServiceClient .create()){
// Build the name from the version.
SecretVersionName secretVersionName=SecretVersionName .of(projectId,secretId,versionId);
// Enable the secret version.
SecretVersion version=client.enableSecretVersion(secretVersionName);
System.out.printf("Enabled secret version %s\n",version.getName ());
}
}
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret/versions/5';
// Imports the Secret Manager library
const{SecretManagerServiceClient}=require('@google-cloud/secret-manager');
// Instantiates a client
constclient=newSecretManagerServiceClient ();
asyncfunctionenableSecretVersion(){
const[version]=awaitclient.enableSecretVersion({
name:name,
});
console.info(`Enabled ${version.name}`);
}
enableSecretVersion();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
use Google\Cloud\SecretManager\V1\EnableSecretVersionRequest;
/**
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $secretId Your secret ID (e.g. 'my-secret')
 * @param string $versionId Your version ID (e.g. 'latest' or '5');
 */
function enable_secret_version(string $projectId, string $secretId, string $versionId): void
{
 // Create the Secret Manager client.
 $client = new SecretManagerServiceClient();
 // Build the resource name of the secret version.
 $name = $client->secretVersionName($projectId, $secretId, $versionId);
 // Build the request.
 $request = EnableSecretVersionRequest::build($name);
 // Enable the secret version.
 $response = $client->enableSecretVersion($request);
 // Print a success message.
 printf('Enabled secret version: %s', $response->getName());
}

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

defenable_secret_version(
 project_id: str, secret_id: str, version_id: str
) -> secretmanager.EnableSecretVersionRequest:
"""
 Enable the given secret version, enabling it to be accessed after
 previously being disabled. Other secrets versions are unaffected.
 """
 # Import the Secret Manager client library.
 fromgoogle.cloudimport secretmanager
 # Create the Secret Manager client.
 client = secretmanager.SecretManagerServiceClient()
 # Build the resource name of the secret version
 name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
 # Disable the secret version.
 response = client.enable_secret_version(request={"name": name})
 print(f"Enabled secret version: {response.name}")

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. 

# project_id = "YOUR-GOOGLE-CLOUD-PROJECT" # (e.g. "my-project")
# secret_id = "YOUR-SECRET-ID" # (e.g. "my-secret")
# version_id = "YOUR-VERSION" # (e.g. "5" or "latest")
# Require the Secret Manager client library.
require"google/cloud/secret_manager"
# Create a Secret Manager client.
client=Google::Cloud::SecretManager .secret_manager_service
# Build the resource name of the secret version.
name=client.secret_version_path(
project:project_id,
secret:secret_id,
secret_version:version_id
)
# Enable the secret version.
response=client.enable_secret_versionname:name
# Print a success message.
puts"Enabled secret version: #{response.name}"

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025年10月30日 UTC.