// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.secrets.v1beta1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/secrets/v1beta1/resources.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.SecretManager.V1Beta1";
option go_package = "google.golang.org/genproto/googleapis/cloud/secretmanager/v1beta1;secretmanager";
option java_multiple_files = true;
option java_outer_classname = "ServiceProto";
option java_package = "com.google.cloud.secretmanager.v1beta1";
option objc_class_prefix = "GSM";
option php_namespace = "Google\\Cloud\\SecretManager\\V1beta1";
option ruby_package = "Google::Cloud::SecretManager::V1beta1";

// Secret Manager Service
//
// Manages secrets and operations using those secrets. Implements a REST
// model with the following objects:
//
// * [Secret][google.cloud.secrets.v1beta1.Secret]
// * [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]
//
// Only one RPC in this service, AccessSecretVersion, is documented as
// returning secret data; the Get*/List* calls are documented as returning
// metadata.
service SecretManagerService {
  option (google.api.default_host) = "secretmanager.googleapis.com";
  // The only OAuth scope declared for this service is the broad
  // `cloud-platform` scope; per-secret access control is expressed through
  // the IAM policy RPCs at the end of this service.
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists [Secrets][google.cloud.secrets.v1beta1.Secret].
  rpc ListSecrets(ListSecretsRequest) returns (ListSecretsResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{parent=projects/*}/secrets"
    };
    option (google.api.method_signature) = "parent";
  }

  // Creates a new [Secret][google.cloud.secrets.v1beta1.Secret] containing no [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion].
  rpc CreateSecret(CreateSecretRequest) returns (Secret) {
    option (google.api.http) = {
      post: "/v1beta1/{parent=projects/*}/secrets"
      body: "secret"
    };
    option (google.api.method_signature) = "parent,secret_id,secret";
  }

  // Creates a new [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] containing secret data and attaches
  // it to an existing [Secret][google.cloud.secrets.v1beta1.Secret].
  //
  // The request carries the secret payload, so request bodies for this method
  // should be kept out of logs and traces.
  rpc AddSecretVersion(AddSecretVersionRequest) returns (SecretVersion) {
    option (google.api.http) = {
      post: "/v1beta1/{parent=projects/*/secrets/*}:addVersion"
      body: "*"
    };
    option (google.api.method_signature) = "parent,payload";
  }

  // Gets metadata for a given [Secret][google.cloud.secrets.v1beta1.Secret].
  rpc GetSecret(GetSecretRequest) returns (Secret) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/secrets/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Updates metadata of an existing [Secret][google.cloud.secrets.v1beta1.Secret].
  rpc UpdateSecret(UpdateSecretRequest) returns (Secret) {
    option (google.api.http) = {
      patch: "/v1beta1/{secret.name=projects/*/secrets/*}"
      body: "secret"
    };
    option (google.api.method_signature) = "secret,update_mask";
  }

  // Deletes a [Secret][google.cloud.secrets.v1beta1.Secret].
  rpc DeleteSecret(DeleteSecretRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/v1beta1/{name=projects/*/secrets/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Lists [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion]. This call does not return secret
  // data.
  rpc ListSecretVersions(ListSecretVersionsRequest) returns (ListSecretVersionsResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{parent=projects/*/secrets/*}/versions"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets metadata for a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  //
  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
  // [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  rpc GetSecretVersion(GetSecretVersionRequest) returns (SecretVersion) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/secrets/*/versions/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Accesses a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion]. This call returns the secret data.
  //
  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
  // [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  //
  // The response carries the secret payload itself, so callers should treat
  // it as sensitive and keep it out of logs, traces and error messages.
  rpc AccessSecretVersion(AccessSecretVersionRequest) returns (AccessSecretVersionResponse) {
    option (google.api.http) = {
      get: "/v1beta1/{name=projects/*/secrets/*/versions/*}:access"
    };
    option (google.api.method_signature) = "name";
  }

  // Disables a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  //
  // Sets the [state][google.cloud.secrets.v1beta1.SecretVersion.state] of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to
  // [DISABLED][google.cloud.secrets.v1beta1.SecretVersion.State.DISABLED].
  rpc DisableSecretVersion(DisableSecretVersionRequest) returns (SecretVersion) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/secrets/*/versions/*}:disable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Enables a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  //
  // Sets the [state][google.cloud.secrets.v1beta1.SecretVersion.state] of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to
  // [ENABLED][google.cloud.secrets.v1beta1.SecretVersion.State.ENABLED].
  rpc EnableSecretVersion(EnableSecretVersionRequest) returns (SecretVersion) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/secrets/*/versions/*}:enable"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Destroys a [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  //
  // Sets the [state][google.cloud.secrets.v1beta1.SecretVersion.state] of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to
  // [DESTROYED][google.cloud.secrets.v1beta1.SecretVersion.State.DESTROYED] and irrevocably destroys the
  // secret data.
  rpc DestroySecretVersion(DestroySecretVersionRequest) returns (SecretVersion) {
    option (google.api.http) = {
      post: "/v1beta1/{name=projects/*/secrets/*/versions/*}:destroy"
      body: "*"
    };
    option (google.api.method_signature) = "name";
  }

  // Sets the access control policy on the specified secret. Replaces any
  // existing policy.
  //
  // Permissions on [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] are enforced according
  // to the policy set on the associated [Secret][google.cloud.secrets.v1beta1.Secret].
  //
  // Because the existing policy is replaced rather than merged, a caller that
  // wants to add or remove a single binding should read the current policy
  // with GetIamPolicy first and submit the modified copy; otherwise bindings
  // not present in the request are dropped.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1beta1/{resource=projects/*/secrets/*}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the access control policy for a secret.
  // Returns empty policy if the secret exists and does not have a policy set.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest) returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      get: "/v1beta1/{resource=projects/*/secrets/*}:getIamPolicy"
    };
  }

  // Returns permissions that a caller has for the specified secret.
  // If the secret does not exist, this call returns an empty set of
  // permissions, not a NOT_FOUND error.
  //
  // Note: This operation is designed to be used for building permission-aware
  // UIs and command-line tools, not for authorization checking. This operation
  // may "fail open" without warning, so its result must not be the decision
  // that gates access to a secret.
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest) returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1beta1/{resource=projects/*/secrets/*}:testIamPermissions"
      body: "*"
    };
  }
}

// Request message for [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets].
message ListSecretsRequest {
  // Required. The resource name of the project associated with the
  // [Secrets][google.cloud.secrets.v1beta1.Secret], in the format `projects/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Optional. The maximum number of results to be returned in a single page. If
  // set to 0, the server decides the number of results to return. If the
  // number is greater than 25000, it is capped at 25000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListSecretsResponse.next_page_token][google.cloud.secrets.v1beta1.ListSecretsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets].
message ListSecretsResponse {
  // The list of [Secrets][google.cloud.secrets.v1beta1.Secret] sorted in reverse by create_time (newest
  // first).
  repeated Secret secrets = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListSecretsRequest.page_token][google.cloud.secrets.v1beta1.ListSecretsRequest.page_token] to retrieve the next page.
  string next_page_token = 2;

  // The total number of [Secrets][google.cloud.secrets.v1beta1.Secret].
  int32 total_size = 3;
}

// Request message for [SecretManagerService.CreateSecret][google.cloud.secrets.v1beta1.SecretManagerService.CreateSecret].
message CreateSecretRequest {
  // Required. The resource name of the project to associate with the
  // [Secret][google.cloud.secrets.v1beta1.Secret], in the format `projects/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudresourcemanager.googleapis.com/Project"
    }
  ];

  // Required. This must be unique within the project.
  //
  // A secret ID is a string with a maximum length of 255 characters and can
  // contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and
  // underscore (`_`) characters.
  string secret_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. A [Secret][google.cloud.secrets.v1beta1.Secret] with initial field values.
  Secret secret = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for [SecretManagerService.AddSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.AddSecretVersion].
message AddSecretVersionRequest {
  // Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret] to associate with the
  // [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] in the format `projects/*/secrets/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/Secret"
    }
  ];

  // Required. The secret payload of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  SecretPayload payload = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for [SecretManagerService.GetSecret][google.cloud.secrets.v1beta1.SecretManagerService.GetSecret].
message GetSecretRequest {
  // Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret], in the format `projects/*/secrets/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/Secret"
    }
  ];
}

// Request message for [SecretManagerService.ListSecretVersions][google.cloud.secrets.v1beta1.SecretManagerService.ListSecretVersions].
message ListSecretVersionsRequest {
  // Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret] associated with the
  // [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] to list, in the format
  // `projects/*/secrets/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/Secret"
    }
  ];

  // Optional. The maximum number of results to be returned in a single page. If
  // set to 0, the server decides the number of results to return. If the
  // number is greater than 25000, it is capped at 25000.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Pagination token, returned earlier via
  // [ListSecretVersionsResponse.next_page_token][google.cloud.secrets.v1beta1.ListSecretVersionsResponse.next_page_token].
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for [SecretManagerService.ListSecretVersions][google.cloud.secrets.v1beta1.SecretManagerService.ListSecretVersions].
message ListSecretVersionsResponse {
  // The list of [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] sorted in reverse by
  // create_time (newest first).
  repeated SecretVersion versions = 1;

  // A token to retrieve the next page of results. Pass this value in
  // [ListSecretVersionsRequest.page_token][google.cloud.secrets.v1beta1.ListSecretVersionsRequest.page_token] to retrieve the next page.
  string next_page_token = 2;

  // The total number of [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion].
  int32 total_size = 3;
}

// Request message for [SecretManagerService.GetSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.GetSecretVersion].
message GetSecretVersionRequest {
  // Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] in the format
  // `projects/*/secrets/*/versions/*`.
  // `projects/*/secrets/*/versions/latest` is an alias to the `latest`
  // [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
}

// Request message for [SecretManagerService.UpdateSecret][google.cloud.secrets.v1beta1.SecretManagerService.UpdateSecret].
message UpdateSecretRequest {
  // Required. [Secret][google.cloud.secrets.v1beta1.Secret] with updated field values.
  Secret secret = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Specifies the fields to be updated.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request message for [SecretManagerService.AccessSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion].
message AccessSecretVersionRequest {
  // Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] in the format
  // `projects/*/secrets/*/versions/*`.
  // The AccessSecretVersion RPC documents
  // `projects/*/secrets/*/versions/latest` as an alias to the `latest`
  // [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion].
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
}

// Response message for [SecretManagerService.AccessSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion].
message AccessSecretVersionResponse {
  // The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] in the format
  // `projects/*/secrets/*/versions/*`.
  string name = 1 [(google.api.resource_reference) = {
    type: "secretmanager.googleapis.com/SecretVersion"
  }];

  // Secret payload. This is the secret data that the AccessSecretVersion RPC
  // is documented as returning; handle it as sensitive material.
  SecretPayload payload = 2;
}

// Request message for [SecretManagerService.DeleteSecret][google.cloud.secrets.v1beta1.SecretManagerService.DeleteSecret].
message DeleteSecretRequest {
  // Required. The resource name of the [Secret][google.cloud.secrets.v1beta1.Secret] to delete in the format
  // `projects/*/secrets/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/Secret"
    }
  ];
}

// Request message for [SecretManagerService.DisableSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.DisableSecretVersion].
message DisableSecretVersionRequest {
  // Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to disable in the format
  // `projects/*/secrets/*/versions/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
}

// Request message for [SecretManagerService.EnableSecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.EnableSecretVersion].
message EnableSecretVersionRequest {
  // Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to enable in the format
  // `projects/*/secrets/*/versions/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
}

// Request message for [SecretManagerService.DestroySecretVersion][google.cloud.secrets.v1beta1.SecretManagerService.DestroySecretVersion].
message DestroySecretVersionRequest {
  // Required. The resource name of the [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] to destroy in the format
  // `projects/*/secrets/*/versions/*`.
  // The DestroySecretVersion RPC is documented as irrevocably destroying the
  // secret data of the named version.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/SecretVersion"
    }
  ];
}