Manage access to secrets

This page describes how to manage access to a secret, including the secret material. To learn more about access controls and permissions, see Access control with IAM.

Important: To use Secret Manager with workloads running on Compute Engine or Google Kubernetes Engine, the underlying instance or node must have the cloud-platform OAuth scope. See accessing the Secret Manager API for more information.

Required roles

To get the permissions that you need to manage access to secrets, ask your administrator to grant you the Secret Manager Admin (roles/secretmanager.admin) IAM role on the secret, project, folder, or organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Grant access

To grant access to a secret, use one of the following methods:

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
To select a secret, click the checkbox next to the name of the secret on the Secret Manager page.
If it is not already open, click Show Info Panel to open the panel.
In the info panel, click Add Principal.
In the New principals field, enter the email address(es) of the members to add.
In the Select a role list, choose Secret Manager, and then select Secret Manager Secret Accessor.

gcloud

Before using any of the command data below, make the following replacements:

SECRET_ID: the ID of the secret
MEMBER: the IAM member, such as a user, group, or service account

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudsecretsadd-iam-policy-bindingSECRET_ID\
--member="MEMBER"\
--role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloudsecretsadd-iam-policy-bindingSECRET_ID`
--member="MEMBER"`
--role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloudsecretsadd-iam-policy-bindingSECRET_ID^
--member="MEMBER"^
--role="roles/secretmanager.secretAccessor"

REST

Note: Unlike the other examples, this replaces the entire IAM policy.

Before using any of the request data, make the following replacements:

PROJECT_ID: the Google Cloud project that contains the secret
SECRET_ID: the ID of the secret
MEMBER: the IAM member, such as a user, group, or service account

HTTP method and URL:

POST https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy

Request JSON body:

{"policy": {"bindings": [{"members": ["MEMBER"], "role": "roles/secretmanager.secretAccessor"}]}}

To send your request, choose one of these options:

curl

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login , or by using Cloud Shell, which automatically logs you into the gcloud CLI . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
 -H "Authorization: Bearer $(gcloud auth print-access-token)" \
 -H "Content-Type: application/json; charset=utf-8" \
 -d @request.json \
 "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy"

PowerShell

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login . You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
 -Method POST `
 -Headers $headers `
 -ContentType: "application/json; charset=utf-8" `
 -InFile request.json `
 -Uri "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
 "version": 1,
 "etag": "BwYhOrAmWFQ=",
 "bindings": [
 {
 "role": "roles/secretmanager.secretAccessor",
 "members": [
 "user:username@google.com"
 ]
 }
 ]
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


usingGoogle.Cloud.SecretManager.V1 ;
usingGoogle.Cloud.Iam.V1 ;
publicclassIamGrantAccessSample
{
publicPolicyIamGrantAccess(
stringprojectId="my-project",stringsecretId="my-secret",
stringmember="user:foo@example.com")
{
// Create the client.
SecretManagerServiceClient client=SecretManagerServiceClient .Create ();
// Build the resource name.
SecretName secretName=newSecretName (projectId,secretId);
// Get current policy.
Policy policy=client.GetIamPolicy (newGetIamPolicyRequest
{
ResourceAsResourceName=secretName,
});
// Add the user to the list of bindings.
policy.AddRoleMember ("roles/secretmanager.secretAccessor",member);
// Save the updated policy.
policy=client.SetIamPolicy (newSetIamPolicyRequest
{
ResourceAsResourceName=secretName,
Policy=policy,
});
returnpolicy;
}
}

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import(
"context"
"fmt"
"io"
secretmanager"cloud.google.com/go/secretmanager/apiv1"
)
// iamGrantAccess grants the given member access to the secret.
funciamGrantAccess(wio.Writer,name,memberstring)error{
// name := "projects/my-project/secrets/my-secret"
// member := "user:foo@example.com"
// Create the client.
ctx:=context.Background()
client,err:=secretmanager.NewClient (ctx)
iferr!=nil{
returnfmt.Errorf("failed to create secretmanager client: %w",err)
}
deferclient.Close ()
// Get the current IAM policy.
handle:=client.IAM (name)
policy,err:=handle.Policy(ctx)
iferr!=nil{
returnfmt.Errorf("failed to get policy: %w",err)
}
// Grant the member access permissions.
policy.Add(member,"roles/secretmanager.secretAccessor")
iferr=handle.SetPolicy(ctx,policy);err!=nil{
returnfmt.Errorf("failed to save policy: %w",err)
}
fmt.Fprintf(w,"Updated IAM policy for %s\n",name)
returnnil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

importcom.google.cloud.secretmanager.v1.SecretManagerServiceClient ;
importcom.google.cloud.secretmanager.v1.SecretName ;
importcom.google.iam.v1.Binding ;
importcom.google.iam.v1.GetIamPolicyRequest ;
importcom.google.iam.v1.Policy ;
importcom.google.iam.v1.SetIamPolicyRequest ;
importjava.io.IOException;
publicclass IamGrantAccess{
publicstaticvoidiamGrantAccess()throwsIOException{
// TODO(developer): Replace these variables before running the sample.
StringprojectId="your-project-id";
StringsecretId="your-secret-id";
Stringmember="user:foo@example.com";
iamGrantAccess(projectId,secretId,member);
}
// Grant a member access to a particular secret.
publicstaticvoidiamGrantAccess(StringprojectId,StringsecretId,Stringmember)
throwsIOException{
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try(SecretManagerServiceClient client=SecretManagerServiceClient .create()){
// Build the name from the version.
SecretName secretName=SecretName .of(projectId,secretId);
// Request the current IAM policy.
Policy currentPolicy=
client.getIamPolicy(
GetIamPolicyRequest .newBuilder().setResource(secretName.toString ()).build());
// Build the new binding.
Binding binding=
Binding .newBuilder()
.setRole("roles/secretmanager.secretAccessor")
.addMembers (member)
.build();
// Create a new IAM policy from the current policy, adding the binding.
Policy newPolicy=Policy .newBuilder().mergeFrom(currentPolicy).addBindings (binding).build();
// Save the updated IAM policy.
client.setIamPolicy(
SetIamPolicyRequest .newBuilder()
.setResource(secretName.toString ())
.setPolicy (newPolicy)
.build());
System.out.printf("Updated IAM policy for %s\n",secretId);
}
}
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret';
// const member = 'user:you@example.com';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.
// Imports the Secret Manager library
const{SecretManagerServiceClient}=require('@google-cloud/secret-manager');
// Instantiates a client
constclient=newSecretManagerServiceClient ();
asyncfunctiongrantAccess(){
// Get the current IAM policy.
const[policy]=awaitclient.getIamPolicy({
resource:name,
});
// Add the user with accessor permissions to the bindings list.
policy.bindings.push({
role:'roles/secretmanager.secretAccessor',
members:[member],
});
// Save the updated IAM policy.
awaitclient.setIamPolicy({
resource:name,
policy:policy,
});
console.log(`Updated IAM policy for ${name}`);
}
grantAccess();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
// Import the Secret Manager IAM library.
use Google\Cloud\Iam\V1\Binding;
use Google\Cloud\Iam\V1\GetIamPolicyRequest;
use Google\Cloud\Iam\V1\SetIamPolicyRequest;
/**
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $secretId Your secret ID (e.g. 'my-secret')
 * @param string $member Your member (e.g. 'user:foo@example.com')
 */
function iam_grant_access(string $projectId, string $secretId, string $member): void
{
 // Create the Secret Manager client.
 $client = new SecretManagerServiceClient();
 // Build the resource name of the secret.
 $name = $client->secretName($projectId, $secretId);
 // Get the current IAM policy.
 $policy = $client->getIamPolicy((new GetIamPolicyRequest)->setResource($name));
 // Update the bindings to include the new member.
 $bindings = $policy->getBindings();
 $bindings[] = new Binding([
 'members' => [$member],
 'role' => 'roles/secretmanager.secretAccessor',
 ]);
 $policy->setBindings($bindings);
 // Build the request.
 $request = (new SetIamPolicyRequest)
 ->setResource($name)
 ->setPolicy($policy);
 // Save the updated policy to the server.
 $client->setIamPolicy($request);
 // Print out a success message.
 printf('Updated IAM policy for %s', $secretId);
}

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

defiam_grant_access(
 project_id: str, secret_id: str, member: str
) -> iam_policy_pb2.SetIamPolicyRequest:
"""
 Grant the given member access to a secret.
 """
 # Import the Secret Manager client library.
 fromgoogle.cloudimport secretmanager
 # Create the Secret Manager client.
 client = secretmanager.SecretManagerServiceClient()
 # Build the resource name of the secret.
 name = client.secret_path(project_id, secret_id)
 # Get the current IAM policy.
 policy = client.get_iam_policy(request={"resource": name})
 # Add the given member with access permissions.
 policy.bindings.add(role="roles/secretmanager.secretAccessor", members=[member])
 # Update the IAM Policy.
 new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})
 # Print data about the secret.
 print(f"Updated IAM policy on {secret_id}")

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

# project_id = "YOUR-GOOGLE-CLOUD-PROJECT" # (e.g. "my-project")
# secret_id = "YOUR-SECRET-ID" # (e.g. "my-secret")
# member = "USER-OR-ACCOUNT" # (e.g. "user:foo@example.com")
# Require the Secret Manager client library.
require"google/cloud/secret_manager"
# Create a Secret Manager client.
client=Google::Cloud::SecretManager .secret_manager_service
# Build the resource name of the secret.
name=client.secret_pathproject:project_id,secret:secret_id
# Get the current IAM policy.
policy=client.get_iam_policyresource:name
# Add new member to current bindings
policy.bindings << Google::Iam::V1 ::Binding.new(
members:[member],
role:"roles/secretmanager.secretAccessor"
)
# Update IAM policy
new_policy=client.set_iam_policyresource:name,policy:policy
# Print a success message.
puts"Updated IAM policy for #{secret_id}"

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

# Import the Secret Manager client library.
fromgoogleimport iam
fromgoogle.cloudimport secretmanager_v1
defiam_grant_access_with_regional_secret(
 project_id: str,
 location_id: str,
 secret_id: str,
 member: str,
) -> iam.v1.iam_policy_pb2.SetIamPolicyRequest:
"""
 Grants the given member access to a secret.
 """
 # Endpoint to call the regional secret manager sever.
 api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"
 # Create the Secret Manager client.
 client = secretmanager_v1.SecretManagerServiceClient(
 client_options={"api_endpoint": api_endpoint},
 )
 # Build the resource name of the secret.
 name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"
 # Get the current IAM policy.
 policy = client.get_iam_policy(request={"resource": name})
 # Add the given member with access permissions.
 policy.bindings.add(role="roles/secretmanager.secretAccessor", members=[member])
 # Update the IAM Policy.
 new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})
 # Print data about the secret.
 print(f"Updated IAM policy on {secret_id}")
 return new_policy

Revoke access

To revoke access from a secret, use one of the following methods:

Console

In the Google Cloud console, go to the Secret Manager page.

Go to Secret Manager
To select a secret, click the checkbox next to the name of the secret on the Secret Manager page.
If it is not already open, click Show Info Panel to open the panel.
In the info panel, click the expander arrow next to the user role to see a list of the users or service accounts with access to that role.
To remove the user or service account, click Delete next to service account or user ID.
In the confirmation dialog that appears, click Remove.

gcloud

Before using any of the command data below, make the following replacements:

SECRET_ID: the ID of the secret
MEMBER: the IAM member, such as a user, group, or service account

Execute the following command:

Linux, macOS, or Cloud Shell

gcloudsecretsremove-iam-policy-bindingSECRET_ID\
--member="MEMBER"\
--role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloudsecretsremove-iam-policy-bindingSECRET_ID`
--member="MEMBER"`
--role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloudsecretsremove-iam-policy-bindingSECRET_ID^
--member="MEMBER"^
--role="roles/secretmanager.secretAccessor"

REST

Note: Unlike the other examples, this replaces the entire IAM policy.

Before using any of the request data, make the following replacements:

PROJECT_ID: the Google Cloud project ID
SECRET_ID: the ID of the secret

HTTP method and URL:

POST https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy

Request JSON body:

{"policy": {"bindings": []}}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
 -H "Authorization: Bearer $(gcloud auth print-access-token)" \
 -H "Content-Type: application/json; charset=utf-8" \
 -d @request.json \
 "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
 -Method POST `
 -Headers $headers `
 -ContentType: "application/json; charset=utf-8" `
 -InFile request.json `
 -Uri "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
 "version": 1,
 "etag": "BwYhOtzsOBk="
}

C#

To run this code, first set up a C# development environment and install the Secret Manager C# SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.


usingGoogle.Cloud.SecretManager.V1 ;
usingGoogle.Cloud.Iam.V1 ;
publicclassIamRevokeAccessSample
{
publicPolicyIamRevokeAccess(
stringprojectId="my-project",stringsecretId="my-secret",
stringmember="user:foo@example.com")
{
// Create the client.
SecretManagerServiceClient client=SecretManagerServiceClient .Create ();
// Build the resource name.
SecretName secretName=newSecretName (projectId,secretId);
// Get current policy.
Policy policy=client.GetIamPolicy (newGetIamPolicyRequest
{
ResourceAsResourceName=secretName,
});
// Remove the user to the list of bindings.
policy.RemoveRoleMember ("roles/secretmanager.secretAccessor",member);
// Save the updated policy.
policy=client.SetIamPolicy (newSetIamPolicyRequest
{
ResourceAsResourceName=secretName,
Policy=policy,
});
returnpolicy;
}
}

Go

To run this code, first set up a Go development environment and install the Secret Manager Go SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

import(
"context"
"fmt"
"io"
secretmanager"cloud.google.com/go/secretmanager/apiv1"
)
// iamRevokeAccess revokes the given member's access on the secret.
funciamRevokeAccess(wio.Writer,name,memberstring)error{
// name := "projects/my-project/secrets/my-secret"
// member := "user:foo@example.com"
// Create the client.
ctx:=context.Background()
client,err:=secretmanager.NewClient (ctx)
iferr!=nil{
returnfmt.Errorf("failed to create secretmanager client: %w",err)
}
deferclient.Close ()
// Get the current IAM policy.
handle:=client.IAM (name)
policy,err:=handle.Policy(ctx)
iferr!=nil{
returnfmt.Errorf("failed to get policy: %w",err)
}
// Grant the member access permissions.
policy.Remove(member,"roles/secretmanager.secretAccessor")
iferr=handle.SetPolicy(ctx,policy);err!=nil{
returnfmt.Errorf("failed to save policy: %w",err)
}
fmt.Fprintf(w,"Updated IAM policy for %s\n",name)
returnnil
}

Java

To run this code, first set up a Java development environment and install the Secret Manager Java SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

importcom.google.cloud.secretmanager.v1.SecretManagerServiceClient ;
importcom.google.cloud.secretmanager.v1.SecretName ;
importcom.google.iam.v1.Binding ;
importcom.google.iam.v1.GetIamPolicyRequest ;
importcom.google.iam.v1.Policy ;
importcom.google.iam.v1.SetIamPolicyRequest ;
importjava.io.IOException;
publicclass IamRevokeAccess{
publicstaticvoidiamRevokeAccess()throwsIOException{
// TODO(developer): Replace these variables before running the sample.
StringprojectId="your-project-id";
StringsecretId="your-secret-id";
Stringmember="user:foo@example.com";
iamRevokeAccess(projectId,secretId,member);
}
// Revoke a member access to a particular secret.
publicstaticvoidiamRevokeAccess(StringprojectId,StringsecretId,Stringmember)
throwsIOException{
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try(SecretManagerServiceClient client=SecretManagerServiceClient .create()){
// Build the name from the version.
SecretName secretName=SecretName .of(projectId,secretId);
// Request the current IAM policy.
Policy policy=
client.getIamPolicy(
GetIamPolicyRequest .newBuilder().setResource(secretName.toString ()).build());
// Search through bindings and remove matches.
StringroleToFind="roles/secretmanager.secretAccessor";
for(Binding binding:policy.getBindingsList ()){
if(binding.getRole()==roleToFind && binding.getMembersList().contains(member)){
binding.getMembersList().remove(member);
}
}
// Save the updated IAM policy.
client.setIamPolicy(
SetIamPolicyRequest .newBuilder()
.setResource(secretName.toString ())
.setPolicy (policy)
.build());
System.out.printf("Updated IAM policy for %s\n",secretId);
}
}
}

Node.js

To run this code, first set up a Node.js development environment and install the Secret Manager Node.js SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret';
// const member = 'user:you@example.com';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.
// Imports the Secret Manager library
const{SecretManagerServiceClient}=require('@google-cloud/secret-manager');
// Instantiates a client
constclient=newSecretManagerServiceClient ();
asyncfunctiongrantAccess(){
// Get the current IAM policy.
const[policy]=awaitclient.getIamPolicy({
resource:name,
});
// Build a new list of policy bindings with the user excluded.
for(constiinpolicy.bindings){
constbinding=policy.bindings[i];
if(binding.role!=='roles/secretmanager.secretAccessor'){
continue;
}
constidx=binding.members.indexOf(member);
if(idx!==-1){
binding.members.splice(idx,1);
}
}
// Save the updated IAM policy.
awaitclient.setIamPolicy({
resource:name,
policy:policy,
});
console.log(`Updated IAM policy for ${name}`);
}
grantAccess();

PHP

To run this code, first learn about using PHP on Google Cloud and install the Secret Manager PHP SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
use Google\Cloud\Iam\V1\GetIamPolicyRequest;
use Google\Cloud\Iam\V1\SetIamPolicyRequest;
/**
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $secretId Your secret ID (e.g. 'my-secret')
 * @param string $member Your member (e.g. 'user:foo@example.com')
 */
function iam_revoke_access(string $projectId, string $secretId, string $member): void
{
 // Create the Secret Manager client.
 $client = new SecretManagerServiceClient();
 // Build the resource name of the secret.
 $name = $client->secretName($projectId, $secretId);
 // Get the current IAM policy.
 $policy = $client->getIamPolicy((new GetIamPolicyRequest)->setResource($name));
 // Remove the member from the list of bindings.
 foreach ($policy->getBindings() as $binding) {
 if ($binding->getRole() == 'roles/secretmanager.secretAccessor') {
 $members = $binding->getMembers();
 foreach ($members as $i => $existingMember) {
 if ($member == $existingMember) {
 unset($members[$i]);
 $binding->setMembers($members);
 break;
 }
 }
 }
 }
 // Build the request.
 $request = (new SetIamPolicyRequest)
 ->setResource($name)
 ->setPolicy($policy);
 // Save the updated policy to the server.
 $client->setIamPolicy($request);
 // Print out a success message.
 printf('Updated IAM policy for %s', $secretId);
}

Python

To run this code, first set up a Python development environment and install the Secret Manager Python SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

defiam_revoke_access(
 project_id: str, secret_id: str, member: str
) -> iam_policy_pb2.SetIamPolicyRequest:
"""
 Revoke the given member access to a secret.
 """
 # Import the Secret Manager client library.
 fromgoogle.cloudimport secretmanager
 # Create the Secret Manager client.
 client = secretmanager.SecretManagerServiceClient()
 # Build the resource name of the secret.
 name = client.secret_path(project_id, secret_id)
 # Get the current IAM policy.
 policy = client.get_iam_policy(request={"resource": name})
 # Remove the given member's access permissions.
 accessRole = "roles/secretmanager.secretAccessor"
 for b in list(policy.bindings):
 if b.role == accessRole and member in b.members:
 b.members.remove(member)
 # Update the IAM Policy.
 new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})
 # Print data about the secret.
 print(f"Updated IAM policy on {secret_id}")

Ruby

To run this code, first set up a Ruby development environment and install the Secret Manager Ruby SDK. On Compute Engine or GKE, you must authenticate with the cloud-platform scope.

# project_id = "YOUR-GOOGLE-CLOUD-PROJECT" # (e.g. "my-project")
# secret_id = "YOUR-SECRET-ID" # (e.g. "my-secret")
# member = "USER-OR-ACCOUNT" # (e.g. "user:foo@example.com")
# Require the Secret Manager client library.
require"google/cloud/secret_manager"
# Create a Secret Manager client.
client=Google::Cloud::SecretManager .secret_manager_service
# Build the resource name of the secret.
name=client.secret_pathproject:project_id,secret:secret_id
# Get the current IAM policy.
policy=client.get_iam_policyresource:name
# Remove the member from the current bindings
policy.bindings.eachdo|bind|
ifbind.role=="roles/secretmanager.secretAccessor"
bind.members.deletemember
end
end
# Update IAM policy
new_policy=client.set_iam_policyresource:name,policy:policy
# Print a success message.
puts"Updated IAM policy for #{secret_id}"

What's next

Learn how to set an expiration date for a secret.
Learn how to set up rotation schedules for secrets.
Learn how to set up notifications on a secret.