# -*- coding: utf-8 -*- # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # from collections import OrderedDict import os import re from typing import ( Dict, Mapping, MutableMapping, MutableSequence, Optional, Sequence, Tuple, Type, Union, cast, ) import warnings from google.api_core import client_options as client_options_lib from google.api_core import exceptions as core_exceptions from google.api_core import gapic_v1 from google.api_core import retry as retries from google.auth import credentials as ga_credentials # type: ignore from google.auth.exceptions import MutualTLSChannelError # type: ignore from google.auth.transport import mtls # type: ignore from google.auth.transport.grpc import SslCredentials # type: ignore from google.oauth2 import service_account # type: ignore from google.cloud.secretmanager_v1beta1 import gapic_version as package_version try: OptionalRetry = Union[retries.Retry, gapic_v1.method._MethodDefault, None] except AttributeError: # pragma: NO COVER OptionalRetry = Union[retries.Retry, object, None] # type: ignore from google.iam.v1 import iam_policy_pb2 # type: ignore from google.iam.v1 import policy_pb2 # type: ignore from google.protobuf import field_mask_pb2 # type: ignore from google.protobuf import timestamp_pb2 # type: ignore from google.cloud.secretmanager_v1beta1.services.secret_manager_service import pagers from google.cloud.secretmanager_v1beta1.types import resources, service from .transports.base import DEFAULT_CLIENT_INFO, SecretManagerServiceTransport from .transports.grpc import SecretManagerServiceGrpcTransport from .transports.grpc_asyncio import SecretManagerServiceGrpcAsyncIOTransport from .transports.rest import SecretManagerServiceRestTransport class SecretManagerServiceClientMeta(type): """Metaclass for the SecretManagerService client. This provides class-level methods for building and retrieving support objects (e.g. transport) without polluting the client instance objects. """ _transport_registry = ( OrderedDict() ) # type: Dict[str, Type[SecretManagerServiceTransport]] _transport_registry["grpc"] = SecretManagerServiceGrpcTransport _transport_registry["grpc_asyncio"] = SecretManagerServiceGrpcAsyncIOTransport _transport_registry["rest"] = SecretManagerServiceRestTransport def get_transport_class( cls, label: Optional[str] = None, ) -> Type[SecretManagerServiceTransport]: """Returns an appropriate transport class. Args: label: The name of the desired transport. If none is provided, then the first transport in the registry is used. Returns: The transport class to use. """ # If a specific transport is requested, return that one. if label: return cls._transport_registry[label] # No transport is requested; return the default (that is, the first one # in the dictionary). return next(iter(cls._transport_registry.values())) class SecretManagerServiceClient(metaclass=SecretManagerServiceClientMeta): """Secret Manager Service Manages secrets and operations using those secrets. Implements a REST model with the following objects: - [Secret][google.cloud.secrets.v1beta1.Secret] - [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] """ @staticmethod def _get_default_mtls_endpoint(api_endpoint): """Converts api endpoint to mTLS endpoint. Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. Args: api_endpoint (Optional[str]): the api endpoint to convert. Returns: str: converted mTLS api endpoint. """ if not api_endpoint: return api_endpoint mtls_endpoint_re = re.compile( r"(?P[^.]+)(?P\.mtls)?(?P\.sandbox)?(?P\.googleapis\.com)?" ) m = mtls_endpoint_re.match(api_endpoint) name, mtls, sandbox, googledomain = m.groups() if mtls or not googledomain: return api_endpoint if sandbox: return api_endpoint.replace( "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" ) return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") # Note: DEFAULT_ENDPOINT is deprecated. Use _DEFAULT_ENDPOINT_TEMPLATE instead. DEFAULT_ENDPOINT = "secretmanager.googleapis.com" DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore DEFAULT_ENDPOINT ) _DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}" _DEFAULT_UNIVERSE = "googleapis.com" @classmethod def from_service_account_info(cls, info: dict, *args, **kwargs): """Creates an instance of this client using the provided credentials info. Args: info (dict): The service account private key info. args: Additional arguments to pass to the constructor. kwargs: Additional arguments to pass to the constructor. Returns: SecretManagerServiceClient: The constructed client. """ credentials = service_account.Credentials.from_service_account_info(info) kwargs["credentials"] = credentials return cls(*args, **kwargs) @classmethod def from_service_account_file(cls, filename: str, *args, **kwargs): """Creates an instance of this client using the provided credentials file. Args: filename (str): The path to the service account private key json file. args: Additional arguments to pass to the constructor. kwargs: Additional arguments to pass to the constructor. Returns: SecretManagerServiceClient: The constructed client. """ credentials = service_account.Credentials.from_service_account_file(filename) kwargs["credentials"] = credentials return cls(*args, **kwargs) from_service_account_json = from_service_account_file @property def transport(self) -> SecretManagerServiceTransport: """Returns the transport used by the client instance. Returns: SecretManagerServiceTransport: The transport used by the client instance. """ return self._transport @staticmethod def secret_path( project: str, secret: str, ) -> str: """Returns a fully-qualified secret string.""" return "projects/{project}/secrets/{secret}".format( project=project, secret=secret, ) @staticmethod def parse_secret_path(path: str) -> Dict[str, str]: """Parses a secret path into its component segments.""" m = re.match(r"^projects/(?P.+?)/secrets/(?P.+?)$", path) return m.groupdict() if m else {} @staticmethod def secret_version_path( project: str, secret: str, secret_version: str, ) -> str: """Returns a fully-qualified secret_version string.""" return "projects/{project}/secrets/{secret}/versions/{secret_version}".format( project=project, secret=secret, secret_version=secret_version, ) @staticmethod def parse_secret_version_path(path: str) -> Dict[str, str]: """Parses a secret_version path into its component segments.""" m = re.match( r"^projects/(?P.+?)/secrets/(?P.+?)/versions/(?P.+?)$", path, ) return m.groupdict() if m else {} @staticmethod def common_billing_account_path( billing_account: str, ) -> str: """Returns a fully-qualified billing_account string.""" return "billingAccounts/{billing_account}".format( billing_account=billing_account, ) @staticmethod def parse_common_billing_account_path(path: str) -> Dict[str, str]: """Parse a billing_account path into its component segments.""" m = re.match(r"^billingAccounts/(?P.+?)$", path) return m.groupdict() if m else {} @staticmethod def common_folder_path( folder: str, ) -> str: """Returns a fully-qualified folder string.""" return "folders/{folder}".format( folder=folder, ) @staticmethod def parse_common_folder_path(path: str) -> Dict[str, str]: """Parse a folder path into its component segments.""" m = re.match(r"^folders/(?P.+?)$", path) return m.groupdict() if m else {} @staticmethod def common_organization_path( organization: str, ) -> str: """Returns a fully-qualified organization string.""" return "organizations/{organization}".format( organization=organization, ) @staticmethod def parse_common_organization_path(path: str) -> Dict[str, str]: """Parse a organization path into its component segments.""" m = re.match(r"^organizations/(?P.+?)$", path) return m.groupdict() if m else {} @staticmethod def common_project_path( project: str, ) -> str: """Returns a fully-qualified project string.""" return "projects/{project}".format( project=project, ) @staticmethod def parse_common_project_path(path: str) -> Dict[str, str]: """Parse a project path into its component segments.""" m = re.match(r"^projects/(?P.+?)$", path) return m.groupdict() if m else {} @staticmethod def common_location_path( project: str, location: str, ) -> str: """Returns a fully-qualified location string.""" return "projects/{project}/locations/{location}".format( project=project, location=location, ) @staticmethod def parse_common_location_path(path: str) -> Dict[str, str]: """Parse a location path into its component segments.""" m = re.match(r"^projects/(?P.+?)/locations/(?P.+?)$", path) return m.groupdict() if m else {} @classmethod def get_mtls_endpoint_and_cert_source( cls, client_options: Optional[client_options_lib.ClientOptions] = None ): """Deprecated. Return the API endpoint and client cert source for mutual TLS. The client cert source is determined in the following order: (1) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not "true", the client cert source is None. (2) if `client_options.client_cert_source` is provided, use the provided one; if the default client cert source exists, use the default one; otherwise the client cert source is None. The API endpoint is determined in the following order: (1) if `client_options.api_endpoint` if provided, use the provided one. (2) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is "always", use the default mTLS endpoint; if the environment variable is "never", use the default API endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise use the default API endpoint. More details can be found at https://google.aip.dev/auth/4114. Args: client_options (google.api_core.client_options.ClientOptions): Custom options for the client. Only the `api_endpoint` and `client_cert_source` properties may be used in this method. Returns: Tuple[str, Callable[[], Tuple[bytes, bytes]]]: returns the API endpoint and the client cert source to use. Raises: google.auth.exceptions.MutualTLSChannelError: If any errors happen. """ warnings.warn( "get_mtls_endpoint_and_cert_source is deprecated. Use the api_endpoint property instead.", DeprecationWarning, ) if client_options is None: client_options = client_options_lib.ClientOptions() use_client_cert = os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false") use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") if use_client_cert not in ("true", "false"): raise ValueError( "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be either `true` or `false`" ) if use_mtls_endpoint not in ("auto", "never", "always"): raise MutualTLSChannelError( "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" ) # Figure out the client cert source to use. client_cert_source = None if use_client_cert == "true": if client_options.client_cert_source: client_cert_source = client_options.client_cert_source elif mtls.has_default_client_cert_source(): client_cert_source = mtls.default_client_cert_source() # Figure out which api endpoint to use. if client_options.api_endpoint is not None: api_endpoint = client_options.api_endpoint elif use_mtls_endpoint == "always" or ( use_mtls_endpoint == "auto" and client_cert_source ): api_endpoint = cls.DEFAULT_MTLS_ENDPOINT else: api_endpoint = cls.DEFAULT_ENDPOINT return api_endpoint, client_cert_source @staticmethod def _read_environment_variables(): """Returns the environment variables used by the client. Returns: Tuple[bool, str, str]: returns the GOOGLE_API_USE_CLIENT_CERTIFICATE, GOOGLE_API_USE_MTLS_ENDPOINT, and GOOGLE_CLOUD_UNIVERSE_DOMAIN environment variables. Raises: ValueError: If GOOGLE_API_USE_CLIENT_CERTIFICATE is not any of ["true", "false"]. google.auth.exceptions.MutualTLSChannelError: If GOOGLE_API_USE_MTLS_ENDPOINT is not any of ["auto", "never", "always"]. """ use_client_cert = os.getenv( "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false" ).lower() use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto").lower() universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN") if use_client_cert not in ("true", "false"): raise ValueError( "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be either `true` or `false`" ) if use_mtls_endpoint not in ("auto", "never", "always"): raise MutualTLSChannelError( "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" ) return use_client_cert == "true", use_mtls_endpoint, universe_domain_env @staticmethod def _get_client_cert_source(provided_cert_source, use_cert_flag): """Return the client cert source to be used by the client. Args: provided_cert_source (bytes): The client certificate source provided. use_cert_flag (bool): A flag indicating whether to use the client certificate. Returns: bytes or None: The client cert source to be used by the client. """ client_cert_source = None if use_cert_flag: if provided_cert_source: client_cert_source = provided_cert_source elif mtls.has_default_client_cert_source(): client_cert_source = mtls.default_client_cert_source() return client_cert_source @staticmethod def _get_api_endpoint( api_override, client_cert_source, universe_domain, use_mtls_endpoint ): """Return the API endpoint used by the client. Args: api_override (str): The API endpoint override. If specified, this is always the return value of this function and the other arguments are not used. client_cert_source (bytes): The client certificate source used by the client. universe_domain (str): The universe domain used by the client. use_mtls_endpoint (str): How to use the mTLS endpoint, which depends also on the other parameters. Possible values are "always", "auto", or "never". Returns: str: The API endpoint to be used by the client. """ if api_override is not None: api_endpoint = api_override elif use_mtls_endpoint == "always" or ( use_mtls_endpoint == "auto" and client_cert_source ): _default_universe = SecretManagerServiceClient._DEFAULT_UNIVERSE if universe_domain != _default_universe: raise MutualTLSChannelError( f"mTLS is not supported in any universe other than {_default_universe}." ) api_endpoint = SecretManagerServiceClient.DEFAULT_MTLS_ENDPOINT else: api_endpoint = SecretManagerServiceClient._DEFAULT_ENDPOINT_TEMPLATE.format( UNIVERSE_DOMAIN=universe_domain ) return api_endpoint @staticmethod def _get_universe_domain( client_universe_domain: Optional[str], universe_domain_env: Optional[str] ) -> str: """Return the universe domain used by the client. Args: client_universe_domain (Optional[str]): The universe domain configured via the client options. universe_domain_env (Optional[str]): The universe domain configured via the "GOOGLE_CLOUD_UNIVERSE_DOMAIN" environment variable. Returns: str: The universe domain to be used by the client. Raises: ValueError: If the universe domain is an empty string. """ universe_domain = SecretManagerServiceClient._DEFAULT_UNIVERSE if client_universe_domain is not None: universe_domain = client_universe_domain elif universe_domain_env is not None: universe_domain = universe_domain_env if len(universe_domain.strip()) == 0: raise ValueError("Universe Domain cannot be an empty string.") return universe_domain @staticmethod def _compare_universes( client_universe: str, credentials: ga_credentials.Credentials ) -> bool: """Returns True iff the universe domains used by the client and credentials match. Args: client_universe (str): The universe domain configured via the client options. credentials (ga_credentials.Credentials): The credentials being used in the client. Returns: bool: True iff client_universe matches the universe in credentials. Raises: ValueError: when client_universe does not match the universe in credentials. """ default_universe = SecretManagerServiceClient._DEFAULT_UNIVERSE credentials_universe = getattr(credentials, "universe_domain", default_universe) if client_universe != credentials_universe: raise ValueError( "The configured universe domain " f"({client_universe}) does not match the universe domain " f"found in the credentials ({credentials_universe}). " "If you haven't configured the universe domain explicitly, " f"`{default_universe}` is the default." ) return True def _validate_universe_domain(self): """Validates client's and credentials' universe domains are consistent. Returns: bool: True iff the configured universe domain is valid. Raises: ValueError: If the configured universe domain is not valid. """ self._is_universe_domain_valid = ( self._is_universe_domain_valid or SecretManagerServiceClient._compare_universes( self.universe_domain, self.transport._credentials ) ) return self._is_universe_domain_valid @property def api_endpoint(self): """Return the API endpoint used by the client instance. Returns: str: The API endpoint used by the client instance. """ return self._api_endpoint @property def universe_domain(self) -> str: """Return the universe domain used by the client instance. Returns: str: The universe domain used by the client instance. """ return self._universe_domain def __init__( self, *, credentials: Optional[ga_credentials.Credentials] = None, transport: Optional[Union[str, SecretManagerServiceTransport]] = None, client_options: Optional[Union[client_options_lib.ClientOptions, dict]] = None, client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, ) -> None: """Instantiates the secret manager service client. Args: credentials (Optional[google.auth.credentials.Credentials]): The authorization credentials to attach to requests. These credentials identify the application to the service; if none are specified, the client will attempt to ascertain the credentials from the environment. transport (Union[str, SecretManagerServiceTransport]): The transport to use. If set to None, a transport is chosen automatically. client_options (Optional[Union[google.api_core.client_options.ClientOptions, dict]]): Custom options for the client. 1. The ``api_endpoint`` property can be used to override the default endpoint provided by the client when ``transport`` is not explicitly provided. Only if this property is not set and ``transport`` was not explicitly provided, the endpoint is determined by the GOOGLE_API_USE_MTLS_ENDPOINT environment variable, which have one of the following values: "always" (always use the default mTLS endpoint), "never" (always use the default regular endpoint) and "auto" (auto-switch to the default mTLS endpoint if client certificate is present; this is the default value). 2. If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is "true", then the ``client_cert_source`` property can be used to provide a client certificate for mTLS transport. If not provided, the default SSL client certificate will be used if present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not set, no client certificate will be used. 3. The ``universe_domain`` property can be used to override the default "googleapis.com" universe. Note that the ``api_endpoint`` property still takes precedence; and ``universe_domain`` is currently not supported for mTLS. client_info (google.api_core.gapic_v1.client_info.ClientInfo): The client info used to send a user-agent string along with API requests. If ``None``, then default info will be used. Generally, you only need to set this if you're developing your own client library. Raises: google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport creation failed for any reason. """ self._client_options = client_options if isinstance(self._client_options, dict): self._client_options = client_options_lib.from_dict(self._client_options) if self._client_options is None: self._client_options = client_options_lib.ClientOptions() self._client_options = cast( client_options_lib.ClientOptions, self._client_options ) universe_domain_opt = getattr(self._client_options, "universe_domain", None) ( self._use_client_cert, self._use_mtls_endpoint, self._universe_domain_env, ) = SecretManagerServiceClient._read_environment_variables() self._client_cert_source = SecretManagerServiceClient._get_client_cert_source( self._client_options.client_cert_source, self._use_client_cert ) self._universe_domain = SecretManagerServiceClient._get_universe_domain( universe_domain_opt, self._universe_domain_env ) self._api_endpoint = None # updated below, depending on `transport` # Initialize the universe domain validation. self._is_universe_domain_valid = False api_key_value = getattr(self._client_options, "api_key", None) if api_key_value and credentials: raise ValueError( "client_options.api_key and credentials are mutually exclusive" ) # Save or instantiate the transport. # Ordinarily, we provide the transport, but allowing a custom transport # instance provides an extensibility point for unusual situations. transport_provided = isinstance(transport, SecretManagerServiceTransport) if transport_provided: # transport is a SecretManagerServiceTransport instance. if credentials or self._client_options.credentials_file or api_key_value: raise ValueError( "When providing a transport instance, " "provide its credentials directly." ) if self._client_options.scopes: raise ValueError( "When providing a transport instance, provide its scopes " "directly." ) self._transport = cast(SecretManagerServiceTransport, transport) self._api_endpoint = self._transport.host self._api_endpoint = ( self._api_endpoint or SecretManagerServiceClient._get_api_endpoint( self._client_options.api_endpoint, self._client_cert_source, self._universe_domain, self._use_mtls_endpoint, ) ) if not transport_provided: import google.auth._default # type: ignore if api_key_value and hasattr( google.auth._default, "get_api_key_credentials" ): credentials = google.auth._default.get_api_key_credentials( api_key_value ) Transport = type(self).get_transport_class(cast(str, transport)) self._transport = Transport( credentials=credentials, credentials_file=self._client_options.credentials_file, host=self._api_endpoint, scopes=self._client_options.scopes, client_cert_source_for_mtls=self._client_cert_source, quota_project_id=self._client_options.quota_project_id, client_info=client_info, always_use_jwt_access=True, api_audience=self._client_options.api_audience, ) def list_secrets( self, request: Optional[Union[service.ListSecretsRequest, dict]] = None, *, parent: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> pagers.ListSecretsPager: r"""Lists [Secrets][google.cloud.secrets.v1beta1.Secret]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_list_secrets(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.ListSecretsRequest( parent="parent_value", ) # Make the request page_result = client.list_secrets(request=request) # Handle the response for response in page_result: print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.ListSecretsRequest, dict]): The request object. Request message for [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. parent (str): Required. The resource name of the project associated with the [Secrets][google.cloud.secrets.v1beta1.Secret], in the format ``projects/*``. This corresponds to the ``parent`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.services.secret_manager_service.pagers.ListSecretsPager: Response message for [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. Iterating over this object will yield results and resolve additional pages automatically. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([parent]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.ListSecretsRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.ListSecretsRequest): request = service.ListSecretsRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if parent is not None: request.parent = parent # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.list_secrets] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # This method is paged; wrap the response in a pager, which provides # an `__iter__` convenience method. response = pagers.ListSecretsPager( method=rpc, request=request, response=response, metadata=metadata, ) # Done; return the response. return response def create_secret( self, request: Optional[Union[service.CreateSecretRequest, dict]] = None, *, parent: Optional[str] = None, secret_id: Optional[str] = None, secret: Optional[resources.Secret] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.Secret: r"""Creates a new [Secret][google.cloud.secrets.v1beta1.Secret] containing no [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_create_secret(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.CreateSecretRequest( parent="parent_value", secret_id="secret_id_value", ) # Make the request response = client.create_secret(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.CreateSecretRequest, dict]): The request object. Request message for [SecretManagerService.CreateSecret][google.cloud.secrets.v1beta1.SecretManagerService.CreateSecret]. parent (str): Required. The resource name of the project to associate with the [Secret][google.cloud.secrets.v1beta1.Secret], in the format ``projects/*``. This corresponds to the ``parent`` field on the ``request`` instance; if ``request`` is provided, this should not be set. secret_id (str): Required. This must be unique within the project. A secret ID is a string with a maximum length of 255 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (``-``) and underscore (``_``) characters. This corresponds to the ``secret_id`` field on the ``request`` instance; if ``request`` is provided, this should not be set. secret (google.cloud.secretmanager_v1beta1.types.Secret): Required. A [Secret][google.cloud.secrets.v1beta1.Secret] with initial field values. This corresponds to the ``secret`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.Secret: A [Secret][google.cloud.secrets.v1beta1.Secret] is a logical secret whose value and versions can be accessed. A [Secret][google.cloud.secrets.v1beta1.Secret] is made up of zero or more [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] that represent the secret data. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([parent, secret_id, secret]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.CreateSecretRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.CreateSecretRequest): request = service.CreateSecretRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if parent is not None: request.parent = parent if secret_id is not None: request.secret_id = secret_id if secret is not None: request.secret = secret # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.create_secret] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def add_secret_version( self, request: Optional[Union[service.AddSecretVersionRequest, dict]] = None, *, parent: Optional[str] = None, payload: Optional[resources.SecretPayload] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.SecretVersion: r"""Creates a new [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] containing secret data and attaches it to an existing [Secret][google.cloud.secrets.v1beta1.Secret]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_add_secret_version(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.AddSecretVersionRequest( parent="parent_value", ) # Make the request response = client.add_secret_version(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.AddSecretVersionRequest, dict]): The request object. Request message for [SecretManagerService.AddSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.AddSecretVersion]. parent (str): Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret] to associate with the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] in the format ``projects/*/secrets/*``. This corresponds to the ``parent`` field on the ``request`` instance; if ``request`` is provided, this should not be set. payload (google.cloud.secretmanager_v1beta1.types.SecretPayload): Required. The secret payload of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. This corresponds to the ``payload`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.SecretVersion: A secret version resource in the Secret Manager API. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([parent, payload]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.AddSecretVersionRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.AddSecretVersionRequest): request = service.AddSecretVersionRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if parent is not None: request.parent = parent if payload is not None: request.payload = payload # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.add_secret_version] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def get_secret( self, request: Optional[Union[service.GetSecretRequest, dict]] = None, *, name: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.Secret: r"""Gets metadata for a given [Secret][google.cloud.secrets.v1beta1.Secret]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_get_secret(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.GetSecretRequest( name="name_value", ) # Make the request response = client.get_secret(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.GetSecretRequest, dict]): The request object. Request message for [SecretManagerService.GetSecret][google.cloud.secrets.v1beta1.SecretManagerService.GetSecret]. name (str): Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret], in the format ``projects/*/secrets/*``. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.Secret: A [Secret][google.cloud.secrets.v1beta1.Secret] is a logical secret whose value and versions can be accessed. A [Secret][google.cloud.secrets.v1beta1.Secret] is made up of zero or more [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] that represent the secret data. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([name]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.GetSecretRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.GetSecretRequest): request = service.GetSecretRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.get_secret] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def update_secret( self, request: Optional[Union[service.UpdateSecretRequest, dict]] = None, *, secret: Optional[resources.Secret] = None, update_mask: Optional[field_mask_pb2.FieldMask] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.Secret: r"""Updates metadata of an existing [Secret][google.cloud.secrets.v1beta1.Secret]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_update_secret(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.UpdateSecretRequest( ) # Make the request response = client.update_secret(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.UpdateSecretRequest, dict]): The request object. Request message for [SecretManagerService.UpdateSecret][google.cloud.secrets.v1beta1.SecretManagerService.UpdateSecret]. secret (google.cloud.secretmanager_v1beta1.types.Secret): Required. [Secret][google.cloud.secrets.v1beta1.Secret] with updated field values. This corresponds to the ``secret`` field on the ``request`` instance; if ``request`` is provided, this should not be set. update_mask (google.protobuf.field_mask_pb2.FieldMask): Required. Specifies the fields to be updated. This corresponds to the ``update_mask`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.Secret: A [Secret][google.cloud.secrets.v1beta1.Secret] is a logical secret whose value and versions can be accessed. A [Secret][google.cloud.secrets.v1beta1.Secret] is made up of zero or more [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] that represent the secret data. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([secret, update_mask]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.UpdateSecretRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.UpdateSecretRequest): request = service.UpdateSecretRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if secret is not None: request.secret = secret if update_mask is not None: request.update_mask = update_mask # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.update_secret] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata( (("secret.name", request.secret.name),) ), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def delete_secret( self, request: Optional[Union[service.DeleteSecretRequest, dict]] = None, *, name: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> None: r"""Deletes a [Secret][google.cloud.secrets.v1beta1.Secret]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_delete_secret(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.DeleteSecretRequest( name="name_value", ) # Make the request client.delete_secret(request=request) Args: request (Union[google.cloud.secretmanager_v1beta1.types.DeleteSecretRequest, dict]): The request object. Request message for [SecretManagerService.DeleteSecret][google.cloud.secrets.v1beta1.SecretManagerService.DeleteSecret]. name (str): Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret] to delete in the format ``projects/*/secrets/*``. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([name]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.DeleteSecretRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.DeleteSecretRequest): request = service.DeleteSecretRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.delete_secret] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) def list_secret_versions( self, request: Optional[Union[service.ListSecretVersionsRequest, dict]] = None, *, parent: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> pagers.ListSecretVersionsPager: r"""Lists [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion]. This call does not return secret data. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_list_secret_versions(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.ListSecretVersionsRequest( parent="parent_value", ) # Make the request page_result = client.list_secret_versions(request=request) # Handle the response for response in page_result: print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.ListSecretVersionsRequest, dict]): The request object. Request message for [SecretManagerService.ListSecretVersions][google.cloud.secrets.v1beta1.SecretManagerService.ListSecretVersions]. parent (str): Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret] associated with the [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] to list, in the format ``projects/*/secrets/*``. This corresponds to the ``parent`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.services.secret_manager_service.pagers.ListSecretVersionsPager: Response message for [SecretManagerService.ListSecretVersions][google.cloud.secrets.v1beta1.SecretManagerService.ListSecretVersions]. Iterating over this object will yield results and resolve additional pages automatically. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([parent]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.ListSecretVersionsRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.ListSecretVersionsRequest): request = service.ListSecretVersionsRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if parent is not None: request.parent = parent # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.list_secret_versions] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # This method is paged; wrap the response in a pager, which provides # an `__iter__` convenience method. response = pagers.ListSecretVersionsPager( method=rpc, request=request, response=response, metadata=metadata, ) # Done; return the response. return response def get_secret_version( self, request: Optional[Union[service.GetSecretVersionRequest, dict]] = None, *, name: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.SecretVersion: r"""Gets metadata for a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. ``projects/*/secrets/*/versions/latest`` is an alias to the ``latest`` [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_get_secret_version(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.GetSecretVersionRequest( name="name_value", ) # Make the request response = client.get_secret_version(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.GetSecretVersionRequest, dict]): The request object. Request message for [SecretManagerService.GetSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.GetSecretVersion]. name (str): Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] in the format ``projects/*/secrets/*/versions/*``. ``projects/*/secrets/*/versions/latest`` is an alias to the ``latest`` [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.SecretVersion: A secret version resource in the Secret Manager API. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([name]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.GetSecretVersionRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.GetSecretVersionRequest): request = service.GetSecretVersionRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.get_secret_version] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def access_secret_version( self, request: Optional[Union[service.AccessSecretVersionRequest, dict]] = None, *, name: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> service.AccessSecretVersionResponse: r"""Accesses a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. This call returns the secret data. ``projects/*/secrets/*/versions/latest`` is an alias to the ``latest`` [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_access_secret_version(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.AccessSecretVersionRequest( name="name_value", ) # Make the request response = client.access_secret_version(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.AccessSecretVersionRequest, dict]): The request object. Request message for [SecretManagerService.AccessSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion]. name (str): Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] in the format ``projects/*/secrets/*/versions/*``. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.AccessSecretVersionResponse: Response message for [SecretManagerService.AccessSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion]. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([name]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.AccessSecretVersionRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.AccessSecretVersionRequest): request = service.AccessSecretVersionRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.access_secret_version] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def disable_secret_version( self, request: Optional[Union[service.DisableSecretVersionRequest, dict]] = None, *, name: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.SecretVersion: r"""Disables a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. Sets the [state][google.cloud.secrets.v1beta1.SecretVersion.state] of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to [DISABLED][google.cloud.secrets.v1beta1.SecretVersion.State.DISABLED]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_disable_secret_version(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.DisableSecretVersionRequest( name="name_value", ) # Make the request response = client.disable_secret_version(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.DisableSecretVersionRequest, dict]): The request object. Request message for [SecretManagerService.DisableSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.DisableSecretVersion]. name (str): Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to disable in the format ``projects/*/secrets/*/versions/*``. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.SecretVersion: A secret version resource in the Secret Manager API. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([name]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.DisableSecretVersionRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.DisableSecretVersionRequest): request = service.DisableSecretVersionRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.disable_secret_version] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def enable_secret_version( self, request: Optional[Union[service.EnableSecretVersionRequest, dict]] = None, *, name: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.SecretVersion: r"""Enables a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. Sets the [state][google.cloud.secrets.v1beta1.SecretVersion.state] of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to [ENABLED][google.cloud.secrets.v1beta1.SecretVersion.State.ENABLED]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_enable_secret_version(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.EnableSecretVersionRequest( name="name_value", ) # Make the request response = client.enable_secret_version(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.EnableSecretVersionRequest, dict]): The request object. Request message for [SecretManagerService.EnableSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.EnableSecretVersion]. name (str): Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to enable in the format ``projects/*/secrets/*/versions/*``. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.SecretVersion: A secret version resource in the Secret Manager API. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([name]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.EnableSecretVersionRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.EnableSecretVersionRequest): request = service.EnableSecretVersionRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.enable_secret_version] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def destroy_secret_version( self, request: Optional[Union[service.DestroySecretVersionRequest, dict]] = None, *, name: Optional[str] = None, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> resources.SecretVersion: r"""Destroys a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. Sets the [state][google.cloud.secrets.v1beta1.SecretVersion.state] of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to [DESTROYED][google.cloud.secrets.v1beta1.SecretVersion.State.DESTROYED] and irrevocably destroys the secret data. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 def sample_destroy_secret_version(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = secretmanager_v1beta1.DestroySecretVersionRequest( name="name_value", ) # Make the request response = client.destroy_secret_version(request=request) # Handle the response print(response) Args: request (Union[google.cloud.secretmanager_v1beta1.types.DestroySecretVersionRequest, dict]): The request object. Request message for [SecretManagerService.DestroySecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.DestroySecretVersion]. name (str): Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to destroy in the format ``projects/*/secrets/*/versions/*``. This corresponds to the ``name`` field on the ``request`` instance; if ``request`` is provided, this should not be set. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.cloud.secretmanager_v1beta1.types.SecretVersion: A secret version resource in the Secret Manager API. """ # Create or coerce a protobuf request object. # Quick check: If we got a request object, we should *not* have # gotten any keyword arguments that map to the request. has_flattened_params = any([name]) if request is not None and has_flattened_params: raise ValueError( "If the `request` argument is set, then none of " "the individual field arguments should be set." ) # Minor optimization to avoid making a copy if the user passes # in a service.DestroySecretVersionRequest. # There's no risk of modifying the input as we've already verified # there are no flattened fields. if not isinstance(request, service.DestroySecretVersionRequest): request = service.DestroySecretVersionRequest(request) # If we have keyword arguments corresponding to fields on the # request, apply these. if name is not None: request.name = name # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.destroy_secret_version] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("name", request.name),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def set_iam_policy( self, request: Optional[Union[iam_policy_pb2.SetIamPolicyRequest, dict]] = None, *, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> policy_pb2.Policy: r"""Sets the access control policy on the specified secret. Replaces any existing policy. Permissions on [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] are enforced according to the policy set on the associated [Secret][google.cloud.secrets.v1beta1.Secret]. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 from google.iam.v1 import iam_policy_pb2 # type: ignore def sample_set_iam_policy(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = iam_policy_pb2.SetIamPolicyRequest( resource="resource_value", ) # Make the request response = client.set_iam_policy(request=request) # Handle the response print(response) Args: request (Union[google.iam.v1.iam_policy_pb2.SetIamPolicyRequest, dict]): The request object. Request message for ``SetIamPolicy`` method. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.iam.v1.policy_pb2.Policy: An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](\ https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** :literal:`\` { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }`\ \` **YAML example:** :literal:`\` bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3`\ \` For a description of IAM and its features, see the [IAM documentation](\ https://cloud.google.com/iam/docs/). """ # Create or coerce a protobuf request object. if isinstance(request, dict): # The request isn't a proto-plus wrapped type, # so it must be constructed via keyword expansion. request = iam_policy_pb2.SetIamPolicyRequest(**request) elif not request: # Null request, just make one. request = iam_policy_pb2.SetIamPolicyRequest() # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.set_iam_policy] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def get_iam_policy( self, request: Optional[Union[iam_policy_pb2.GetIamPolicyRequest, dict]] = None, *, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> policy_pb2.Policy: r"""Gets the access control policy for a secret. Returns empty policy if the secret exists and does not have a policy set. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 from google.iam.v1 import iam_policy_pb2 # type: ignore def sample_get_iam_policy(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = iam_policy_pb2.GetIamPolicyRequest( resource="resource_value", ) # Make the request response = client.get_iam_policy(request=request) # Handle the response print(response) Args: request (Union[google.iam.v1.iam_policy_pb2.GetIamPolicyRequest, dict]): The request object. Request message for ``GetIamPolicy`` method. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.iam.v1.policy_pb2.Policy: An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the [IAM documentation](\ https://cloud.google.com/iam/help/conditions/resource-policies). **JSON example:** :literal:`\` { "bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com", "group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] }, { "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": { "title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }`\ \` **YAML example:** :literal:`\` bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable access description: Does not grant access after Sep 2020 expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3`\ \` For a description of IAM and its features, see the [IAM documentation](\ https://cloud.google.com/iam/docs/). """ # Create or coerce a protobuf request object. if isinstance(request, dict): # The request isn't a proto-plus wrapped type, # so it must be constructed via keyword expansion. request = iam_policy_pb2.GetIamPolicyRequest(**request) elif not request: # Null request, just make one. request = iam_policy_pb2.GetIamPolicyRequest() # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.get_iam_policy] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def test_iam_permissions( self, request: Optional[Union[iam_policy_pb2.TestIamPermissionsRequest, dict]] = None, *, retry: OptionalRetry = gapic_v1.method.DEFAULT, timeout: Union[float, object] = gapic_v1.method.DEFAULT, metadata: Sequence[Tuple[str, str]] = (), ) -> iam_policy_pb2.TestIamPermissionsResponse: r"""Returns permissions that a caller has for the specified secret. If the secret does not exist, this call returns an empty set of permissions, not a NOT_FOUND error. Note: This operation is designed to be used for building permission-aware UIs and command-line tools, not for authorization checking. This operation may "fail open" without warning. .. code-block:: python # This snippet has been automatically generated and should be regarded as a # code template only. # It will require modifications to work: # - It may require correct/in-range values for request initialization. # - It may require specifying regional endpoints when creating the service # client as shown in: # https://googleapis.dev/python/google-api-core/latest/client_options.html from google.cloud import secretmanager_v1beta1 from google.iam.v1 import iam_policy_pb2 # type: ignore def sample_test_iam_permissions(): # Create a client client = secretmanager_v1beta1.SecretManagerServiceClient() # Initialize request argument(s) request = iam_policy_pb2.TestIamPermissionsRequest( resource="resource_value", permissions=['permissions_value1', 'permissions_value2'], ) # Make the request response = client.test_iam_permissions(request=request) # Handle the response print(response) Args: request (Union[google.iam.v1.iam_policy_pb2.TestIamPermissionsRequest, dict]): The request object. Request message for ``TestIamPermissions`` method. retry (google.api_core.retry.Retry): Designation of what errors, if any, should be retried. timeout (float): The timeout for this request. metadata (Sequence[Tuple[str, str]]): Strings which should be sent along with the request as metadata. Returns: google.iam.v1.iam_policy_pb2.TestIamPermissionsResponse: Response message for TestIamPermissions method. """ # Create or coerce a protobuf request object. if isinstance(request, dict): # The request isn't a proto-plus wrapped type, # so it must be constructed via keyword expansion. request = iam_policy_pb2.TestIamPermissionsRequest(**request) elif not request: # Null request, just make one. request = iam_policy_pb2.TestIamPermissionsRequest() # Wrap the RPC method; this adds retry and timeout information, # and friendly error handling. rpc = self._transport._wrapped_methods[self._transport.test_iam_permissions] # Certain fields should be provided within the metadata header; # add these here. metadata = tuple(metadata) + ( gapic_v1.routing_header.to_grpc_metadata((("resource", request.resource),)), ) # Validate the universe domain. self._validate_universe_domain() # Send the request. response = rpc( request, retry=retry, timeout=timeout, metadata=metadata, ) # Done; return the response. return response def __enter__(self) -> "SecretManagerServiceClient": return self def __exit__(self, type, value, traceback): """Releases underlying transport's resources. .. warning:: ONLY use as a context manager if the transport is NOT shared with other clients! Exiting the with block will CLOSE the transport and may cause errors in other clients! """ self.transport.close() DEFAULT_CLIENT_INFO = gapic_v1.client_info.ClientInfo( gapic_version=package_version.__version__ ) __all__ = ("SecretManagerServiceClient",)