// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.secretmanager.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.SecretManager.V1";
option go_package = "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb;secretmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "ResourcesProto";
option java_package = "com.google.cloud.secretmanager.v1";
option objc_class_prefix = "GSM";
option php_namespace = "Google\\Cloud\\SecretManager\\V1";
option ruby_package = "Google::Cloud::SecretManager::V1";

// A [Secret][google.cloud.secretmanager.v1.Secret] is a logical secret whose
// value and versions can be accessed.
//
// A [Secret][google.cloud.secretmanager.v1.Secret] is made up of zero or more
// [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] that represent
// the secret data.
//
// This message holds metadata only: the replication/encryption policy,
// labels, annotations, notification topics, expiration, rotation schedule and
// version aliases. The sensitive bytes themselves are carried by
// [SecretPayload][google.cloud.secretmanager.v1.SecretPayload] and addressed
// through a [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
// Do not place secret material in labels, annotations or alias names; they
// are plain metadata, not payload.
message Secret {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/Secret"
    pattern: "projects/{project}/secrets/{secret}"
  };

  // Output only. The resource name of the
  // [Secret][google.cloud.secretmanager.v1.Secret] in the format
  // `projects/*/secrets/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. The replication policy of the secret data attached to
  // the [Secret][google.cloud.secretmanager.v1.Secret].
  //
  // The replication policy cannot be changed after the Secret has been created.
  // This fixes where the payload is stored (automatic vs. a user-chosen list
  // of locations) and therefore which Cloud KMS key locations are valid for
  // customer-managed encryption (see
  // [CustomerManagedEncryption][google.cloud.secretmanager.v1.CustomerManagedEncryption]).
  //
  // NOTE(review): the nested `customer_managed_encryption` fields document
  // that "updates to the encryption configuration only apply to versions
  // added afterwards", which implies the KMS key reference inside this
  // otherwise immutable policy is updatable — confirm against the service
  // definition, which is not in this file.
  Replication replication = 2 [
    (google.api.field_behavior) = IMMUTABLE,
    (google.api.field_behavior) = REQUIRED
  ];

  // Output only. The time at which the
  // [Secret][google.cloud.secretmanager.v1.Secret] was created.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // The labels assigned to this Secret.
  //
  // Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
  // of maximum 128 bytes, and must conform to the following PCRE regular
  // expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}`
  //
  // Label values must be between 0 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, and must conform to the following PCRE
  // regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
  //
  // No more than 64 labels can be assigned to a given resource.
  //
  // Labels are metadata, not payload; treat them as visible to anyone who can
  // read the Secret resource, and never encode secret material in them.
  map<string, string> labels = 4;

  // Optional. A list of up to 10 Pub/Sub topics to which messages are published
  // when control plane operations are called on the secret or its versions.
  //
  // At least one topic must be configured before a
  // [Rotation][google.cloud.secretmanager.v1.Rotation] policy can be set,
  // since rotation is delivered as a notification to these topics.
  repeated Topic topics = 5 [(google.api.field_behavior) = OPTIONAL];

  // Expiration policy attached to the
  // [Secret][google.cloud.secretmanager.v1.Secret]. If specified the
  // [Secret][google.cloud.secretmanager.v1.Secret] and all
  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] will be
  // automatically deleted at expiration. Expired secrets are irreversibly
  // deleted.
  //
  // Expiration is *not* the recommended way to set time-based permissions. [IAM
  // Conditions](https://cloud.google.com/secret-manager/docs/access-control#conditions)
  // is recommended for granting time-based permissions because the operation
  // can be reversed.
  //
  // Because expiry destroys every version with no recovery path, treat setting
  // either member of this oneof as a destructive change and review it like a
  // delete.
  oneof expiration {
    // Optional. Timestamp in UTC when the
    // [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to expire.
    // This is always provided on output, regardless of what was sent on input.
    google.protobuf.Timestamp expire_time = 6
        [(google.api.field_behavior) = OPTIONAL];

    // Input only. The TTL for the
    // [Secret][google.cloud.secretmanager.v1.Secret].
    //
    // Accepted as a convenience on input; the service resolves it to an
    // absolute `expire_time`, which is what is reported on output.
    google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
  }

  // Optional. Etag of the currently stored
  // [Secret][google.cloud.secretmanager.v1.Secret].
  //
  // NOTE(review): presumably used as a precondition on update/delete so that
  // concurrent writers do not silently overwrite each other's changes (for
  // example to `version_aliases` or `rotation`) — the request messages that
  // would consume it are not in this file; confirm there.
  string etag = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Rotation policy attached to the
  // [Secret][google.cloud.secretmanager.v1.Secret]. May be excluded if there is
  // no rotation policy.
  //
  // Note that a rotation policy only schedules Pub/Sub notifications; it does
  // not change the secret value by itself (see
  // [Rotation][google.cloud.secretmanager.v1.Rotation]).
  Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Mapping from version alias to version name.
  //
  // A version alias is a string with a maximum length of 63 characters and can
  // contain uppercase and lowercase letters, numerals, and the hyphen (`-`)
  // and underscore ('_') characters. An alias string must start with a
  // letter and cannot be the string 'latest' or 'NEW'.
  // No more than 50 aliases can be assigned to a given secret.
  //
  // Version-Alias pairs will be viewable via GetSecret and modifiable via
  // UpdateSecret. At launch access by alias will only be supported on
  // GetSecretVersion and AccessSecretVersion.
  //
  // The map value is the numeric version ID (versions are numbered from 1, see
  // [SecretVersion.name][google.cloud.secretmanager.v1.SecretVersion.name]).
  // Because aliases are rewritten through UpdateSecret, a principal who can
  // update the Secret can redirect every alias-based AccessSecretVersion
  // caller to a different version; scope update permission accordingly.
  map<string, int64> version_aliases = 11
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Custom metadata about the secret.
  //
  // Annotations are distinct from various forms of labels.
  // Annotations exist to allow client tools to store their own state
  // information without requiring a database.
  //
  // Annotation keys must be between 1 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, begin and end with an alphanumeric character
  // ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and
  // alphanumerics in between these symbols.
  //
  // The total size of annotation keys and values must be less than 16KiB.
  //
  // Like labels, annotations are metadata rather than payload and are not a
  // place to keep secret material.
  map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];
}

// A secret version resource in the Secret Manager API.
//
// One immutable revision of a Secret's payload, with its lifecycle state and
// per-replica encryption status. The payload bytes are not a field of this
// message; they are carried separately by
// [SecretPayload][google.cloud.secretmanager.v1.SecretPayload].
message SecretVersion {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/SecretVersion"
    pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}"
  };

  // The state of a
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion], indicating if
  // it can be accessed.
  //
  // Transitions: ENABLED <-> DISABLED is reversible; DESTROYED is terminal.
  // (Values are unprefixed; that is part of the published API and must not be
  // renamed.)
  enum State {
    // Not specified. This value is unused and invalid.
    STATE_UNSPECIFIED = 0;

    // The [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] may be
    // accessed.
    ENABLED = 1;

    // The [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] may not
    // be accessed, but the secret data is still available and can be placed
    // back into the
    // [ENABLED][google.cloud.secretmanager.v1.SecretVersion.State.ENABLED]
    // state.
    //
    // Use this to revoke access quickly while retaining the ability to roll
    // back; the ciphertext is still retained.
    DISABLED = 2;

    // The [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] is
    // destroyed and the secret data is no longer stored. A version may not
    // leave this state once entered.
    //
    // This is the only state in which the payload is gone; there is no
    // recovery, so destroy is an irreversible operation.
    DESTROYED = 3;
  }

  // Output only. The resource name of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
  // `projects/*/secrets/*/versions/*`.
  //
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] IDs in a
  // [Secret][google.cloud.secretmanager.v1.Secret] start at 1 and are
  // incremented for each subsequent version of the secret.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was destroyed.
  // Only present if [state][google.cloud.secretmanager.v1.SecretVersion.state]
  // is
  // [DESTROYED][google.cloud.secretmanager.v1.SecretVersion.State.DESTROYED].
  google.protobuf.Timestamp destroy_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  //
  // Reports, per replica, which Cloud KMS CryptoKeyVersion protects this
  // version when customer-managed encryption is in use. Audit this rather
  // than the parent Secret's policy when you need to know which key actually
  // encrypts a given version, since policy updates are not retroactive.
  //
  // NOTE(review): this field carries no `field_behavior` annotation while its
  // siblings are OUTPUT_ONLY; its contents are documented as output-only, so
  // clients presumably never set it — confirm.
  ReplicationStatus replication_status = 5;

  // Output only. Etag of the currently stored
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  string etag = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. True if payload checksum specified in
  // [SecretPayload][google.cloud.secretmanager.v1.SecretPayload] object has
  // been received by
  // [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
  // on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion].
  //
  // Records only whether the client supplied a CRC32C at write time. CRC32C
  // detects accidental corruption in transit; it is not a MAC and gives no
  // protection against deliberate tampering by a party that can also rewrite
  // the checksum.
  bool client_specified_payload_checksum = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A policy that defines the replication and encryption configuration of data.
//
// Attached to [Secret.replication][google.cloud.secretmanager.v1.Secret.replication];
// selects where payloads are stored and which Cloud KMS CryptoKey, if any, is
// used to encrypt them.
message Replication {
  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1.Secret] payload without any
  // restrictions.
  //
  // The service chooses the storage locations. If data residency requires the
  // payload to stay within particular regions, use
  // [UserManaged][google.cloud.secretmanager.v1.Replication.UserManaged]
  // instead.
  message Automatic {
    // Optional. The customer-managed encryption configuration of the
    // [Secret][google.cloud.secretmanager.v1.Secret]. If no configuration is
    // provided, Google-managed default encryption is used.
    //
    // Updates to the [Secret][google.cloud.secretmanager.v1.Secret] encryption
    // configuration only apply to
    // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
    // afterwards. They do not apply retroactively to existing
    // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
    //
    // Consequently, changing the key here does not re-encrypt older versions.
    // The CryptoKeyVersion that actually protects each version is reported in
    // that version's
    // [ReplicationStatus][google.cloud.secretmanager.v1.ReplicationStatus].
    CustomerManagedEncryption customer_managed_encryption = 1
        [(google.api.field_behavior) = OPTIONAL];
  }

  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1.Secret] payload into the locations
  // specified in
  // [Secret.replication.user_managed.replicas][google.cloud.secretmanager.v1.Replication.UserManaged.replicas]
  message UserManaged {
    // Represents a Replica for this
    // [Secret][google.cloud.secretmanager.v1.Secret].
    //
    // Each replica may carry its own customer-managed encryption
    // configuration; the key must live in the replica's location (see
    // [CustomerManagedEncryption][google.cloud.secretmanager.v1.CustomerManagedEncryption]).
    message Replica {
      // The canonical IDs of the location to replicate data.
      // For example: `"us-east1"`.
      //
      // NOTE(review): no `field_behavior` annotation is present; presumably
      // required, since a replica without a location is meaningless — confirm.
      string location = 1;

      // Optional. The customer-managed encryption configuration of the
      // [User-Managed Replica][google.cloud.secretmanager.v1.Replication.UserManaged.Replica].
      // If no configuration is provided, Google-managed default encryption is
      // used.
      //
      // Updates to the [Secret][google.cloud.secretmanager.v1.Secret]
      // encryption configuration only apply to
      // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
      // afterwards. They do not apply retroactively to existing
      // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
      CustomerManagedEncryption customer_managed_encryption = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Required. The list of Replicas for this
    // [Secret][google.cloud.secretmanager.v1.Secret].
    //
    // Cannot be empty.
    repeated Replica replicas = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // The replication policy for this secret.
  //
  // Exactly one member is set. Which one is chosen is immutable after the
  // Secret is created (see
  // [Secret.replication][google.cloud.secretmanager.v1.Secret.replication]).
  oneof replication {
    // The [Secret][google.cloud.secretmanager.v1.Secret] will automatically be
    // replicated without any restrictions.
    Automatic automatic = 1;

    // The [Secret][google.cloud.secretmanager.v1.Secret] will only be
    // replicated into the locations specified.
    UserManaged user_managed = 2;
  }
}

// Configuration for encrypting secret payloads using customer-managed
// encryption keys (CMEK).
//
// Naming a key here delegates control of the payload's confidentiality to the
// Cloud KMS key's own IAM policy and lifecycle: the service must be able to
// use the key to encrypt new versions and to serve existing ones.
message CustomerManagedEncryption {
  // Required. The resource name of the Cloud KMS CryptoKey used to encrypt
  // secret payloads.
  //
  // For secrets using the
  // [UserManaged][google.cloud.secretmanager.v1.Replication.UserManaged]
  // replication policy type, Cloud KMS CryptoKeys must reside in the same
  // location as the
  // [replica location][google.cloud.secretmanager.v1.Replication.UserManaged.Replica.location].
  //
  // For secrets using the
  // [Automatic][google.cloud.secretmanager.v1.Replication.Automatic]
  // replication policy type, Cloud KMS CryptoKeys must reside in `global`.
  //
  // The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  //
  // This names the CryptoKey, not a CryptoKeyVersion; the specific version
  // used for each SecretVersion is recorded in
  // [CustomerManagedEncryptionStatus][google.cloud.secretmanager.v1.CustomerManagedEncryptionStatus].
  string kms_key_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The replication status of a
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
//
// Output-only, per-version view of where the payload is replicated and which
// Cloud KMS CryptoKeyVersion protects each replica. Its shape mirrors the
// parent Secret's
// [Replication][google.cloud.secretmanager.v1.Replication] policy.
message ReplicationStatus {
  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] using
  // automatic replication.
  //
  // Only populated if the parent [Secret][google.cloud.secretmanager.v1.Secret]
  // has an automatic replication policy.
  message AutomaticStatus {
    // Output only. The customer-managed encryption status of the
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
    // populated if customer-managed encryption is used.
    CustomerManagedEncryptionStatus customer_managed_encryption = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] using
  // user-managed replication.
  //
  // Only populated if the parent [Secret][google.cloud.secretmanager.v1.Secret]
  // has a user-managed replication policy.
  message UserManagedStatus {
    // Describes the status of a user-managed replica for the
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
    message ReplicaStatus {
      // Output only. The canonical ID of the replica location.
      // For example: `"us-east1"`.
      string location = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. The customer-managed encryption status of the
      // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
      // populated if customer-managed encryption is used.
      CustomerManagedEncryptionStatus customer_managed_encryption = 2
          [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // Output only. The list of replica statuses for the
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
    repeated ReplicaStatus replicas = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  oneof replication_status {
    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] with
    // automatic replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1.Secret] has an automatic
    // replication policy.
    AutomaticStatus automatic = 1;

    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] with
    // user-managed replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1.Secret] has a user-managed
    // replication policy.
    UserManagedStatus user_managed = 2;
  }
}

// Describes the status of customer-managed encryption.
//
// Pins the exact CryptoKeyVersion that encrypted a SecretVersion's payload.
// This is the value to check when auditing key rotation or assessing the
// blast radius of a disabled or destroyed key version.
message CustomerManagedEncryptionStatus {
  // Required. The resource name of the Cloud KMS CryptoKeyVersion used to
  // encrypt the secret payload, in the following format:
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/versions/*`.
  //
  // NOTE(review): marked REQUIRED, but this message only appears in
  // OUTPUT_ONLY fields of
  // [ReplicationStatus][google.cloud.secretmanager.v1.ReplicationStatus], so
  // clients never populate it; the annotation describes what the service
  // always fills in.
  string kms_key_version_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// A Pub/Sub topic which Secret Manager will publish to when control plane
// events occur on this secret.
//
// Subscribers to this topic learn about lifecycle events (and rotation
// reminders) for the secret. The message payload format is not defined in
// this file; do not assume it contains, or omits, any particular metadata
// without checking the published event schema.
message Topic {
  option (google.api.resource) = {
    type: "pubsub.googleapis.com/Topic"
    pattern: "projects/{project}/topics/{topic}"
  };

  // Required. The resource name of the Pub/Sub topic that will be published to,
  // in the following format: `projects/*/topics/*`. For publication to succeed,
  // the Secret Manager P4SA must have `pubsub.publisher` permissions on the
  // topic.
  //
  // Grant the service agent `pubsub.publisher` only; it needs no other role on
  // the topic.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The rotation time and period for a
// [Secret][google.cloud.secretmanager.v1.Secret]. At next_rotation_time, Secret
// Manager will send a Pub/Sub notification to the topics configured on the
// Secret. [Secret.topics][google.cloud.secretmanager.v1.Secret.topics] must be
// set to configure rotation.
//
// This schedules a *reminder*, not a rotation: Secret Manager does not
// generate a new value or add a SecretVersion on its own. Something consuming
// the Pub/Sub topic must perform the rotation and add the new version; if no
// subscriber acts, the secret simply keeps its current value.
message Rotation {
  // Optional. Timestamp in UTC at which the
  // [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate.
  // Cannot be set to less than 300s (5 min) in the future and at most
  // 3153600000s (100 years).
  //
  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time]
  // MUST be set if
  // [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period]
  // is set.
  google.protobuf.Timestamp next_rotation_time = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Input only. The Duration between rotation notifications. Must be in seconds
  // and at least 3600s (1h) and at most 3153600000s (100 years).
  //
  // If
  // [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period]
  // is set,
  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time]
  // must be set.
  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time]
  // will be advanced by this period when the service automatically sends
  // rotation notifications.
  //
  // Without a period, only the single notification at `next_rotation_time`
  // is sent; with one, the schedule repeats indefinitely.
  google.protobuf.Duration rotation_period = 2
      [(google.api.field_behavior) = INPUT_ONLY];
}

// A secret payload resource in the Secret Manager API. This contains the
// sensitive secret payload that is associated with a
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
//
// This is the only message in this file that carries secret material. Keep it
// out of logs, error messages and debug dumps on the client side; its
// `data` field is opaque bytes and may not be valid UTF-8.
message SecretPayload {
  // The secret data. Must be no larger than 64KiB.
  bytes data = 1;

  // Optional. If specified,
  // [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
  // will verify the integrity of the received
  // [data][google.cloud.secretmanager.v1.SecretPayload.data] on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion]
  // calls using the crc32c checksum and store it to include in future
  // [SecretManagerService.AccessSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion]
  // responses. If a checksum is not provided in the
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion]
  // request, the
  // [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
  // will generate and store one for you.
  //
  // The CRC32C value is encoded as a Int64 for compatibility, and can be
  // safely downconverted to uint32 in languages that support this type.
  // https://cloud.google.com/apis/design/design_patterns#integer_types
  //
  // Clients should recompute CRC32C over `data` on AccessSecretVersion
  // responses and compare it with this field to catch corruption in transit.
  // CRC32C is not a cryptographic integrity check: it does not detect
  // deliberate modification by a party who can also rewrite the checksum.
  //
  // Declared `optional` so that an absent checksum is distinguishable from a
  // genuine checksum value of 0.
  optional int64 data_crc32c = 2 [(google.api.field_behavior) = OPTIONAL];
}