// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.secretmanager.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.SecretManager.V1";
option go_package = "cloud.google.com/go/secretmanager/apiv1/secretmanagerpb;secretmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "ResourcesProto";
option java_package = "com.google.cloud.secretmanager.v1";
option objc_class_prefix = "GSM";
option php_namespace = "Google\\Cloud\\SecretManager\\V1";
option ruby_package = "Google::Cloud::SecretManager::V1";

// A [Secret][google.cloud.secretmanager.v1.Secret] is a logical secret whose
// value and versions can be accessed.
//
// A [Secret][google.cloud.secretmanager.v1.Secret] is made up of zero or more
// [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] that represent
// the secret data. The Secret itself carries only metadata and policy
// (replication, encryption, expiration, rotation); the sensitive payload
// lives in [SecretPayload][google.cloud.secretmanager.v1.SecretPayload].
message Secret {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/Secret"
    pattern: "projects/{project}/secrets/{secret}"
    pattern: "projects/{project}/locations/{location}/secrets/{secret}"
    plural: "secrets"
    singular: "secret"
  };

  // Output only. The resource name of the
  // [Secret][google.cloud.secretmanager.v1.Secret] in the format
  // `projects/*/secrets/*`, or `projects/*/locations/*/secrets/*` for a
  // regional secret (see the second resource pattern above).
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Immutable. The replication policy of the secret data attached to
  // the [Secret][google.cloud.secretmanager.v1.Secret].
  //
  // The replication policy cannot be changed after the Secret has been created.
  // It also determines where the customer-managed encryption key may reside
  // (see
  // [CustomerManagedEncryption][google.cloud.secretmanager.v1.CustomerManagedEncryption]).
  Replication replication = 2 [
    (google.api.field_behavior) = IMMUTABLE,
    (google.api.field_behavior) = OPTIONAL
  ];

  // Output only. The time at which the
  // [Secret][google.cloud.secretmanager.v1.Secret] was created.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // The labels assigned to this Secret.
  //
  // Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
  // of maximum 128 bytes, and must conform to the following PCRE regular
  // expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}`
  //
  // Label values must be between 0 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, and must conform to the following PCRE
  // regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
  //
  // No more than 64 labels can be assigned to a given resource.
  map<string, string> labels = 4;

  // Optional. A list of up to 10 Pub/Sub topics to which messages are published
  // when control plane operations are called on the secret or its versions.
  // Notifications concern lifecycle events only; the secret payload is never
  // published to these topics.
  repeated Topic topics = 5 [(google.api.field_behavior) = OPTIONAL];

  // Expiration policy attached to the
  // [Secret][google.cloud.secretmanager.v1.Secret]. If specified, the
  // [Secret][google.cloud.secretmanager.v1.Secret] and all
  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] will be
  // automatically deleted at expiration. Expired secrets are irreversibly
  // deleted.
  //
  // Expiration is *not* the recommended way to set time-based permissions. [IAM
  // Conditions](https://cloud.google.com/secret-manager/docs/access-control#conditions)
  // is recommended for granting time-based permissions because the operation
  // can be reversed.
  oneof expiration {
    // Optional. Timestamp in UTC when the
    // [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to expire.
    // This is always provided on output, regardless of what was sent on input.
    google.protobuf.Timestamp expire_time = 6
        [(google.api.field_behavior) = OPTIONAL];

    // Input only. The TTL for the
    // [Secret][google.cloud.secretmanager.v1.Secret]. Because this field is
    // input only, the resulting expiration is reported on output via
    // [expire_time][google.cloud.secretmanager.v1.Secret.expire_time].
    google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
  }

  // Optional. Etag of the currently stored
  // [Secret][google.cloud.secretmanager.v1.Secret].
  // NOTE(review): presumably intended for optimistic concurrency control on
  // update/delete requests (send the etag you last read) — confirm against the
  // service definition.
  string etag = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Rotation policy attached to the
  // [Secret][google.cloud.secretmanager.v1.Secret]. May be excluded if there is
  // no rotation policy.
  Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Mapping from version alias to version name.
  //
  // A version alias is a string with a maximum length of 63 characters and can
  // contain uppercase and lowercase letters, numerals, and the hyphen (`-`)
  // and underscore ('_') characters. An alias string must start with a
  // letter and cannot be the string 'latest' or 'NEW'.
  // No more than 50 aliases can be assigned to a given secret.
  //
  // Version-Alias pairs will be viewable via GetSecret and modifiable via
  // UpdateSecret. Access by alias is only supported on
  // GetSecretVersion and AccessSecretVersion.
  map<string, int64> version_aliases = 11
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Custom metadata about the secret.
  //
  // Annotations are distinct from various forms of labels.
  // Annotations exist to allow client tools to store their own state
  // information without requiring a database.
  //
  // Annotation keys must be between 1 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, begin and end with an alphanumeric character
  // ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and
  // alphanumerics in between these symbols.
  //
  // The total size of annotation keys and values must be less than 16KiB.
  map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Secret Version TTL after a destruction request.
  //
  // This is a part of the Delayed secret version destroy feature.
  // For a secret with TTL > 0, version destruction doesn't happen immediately
  // on calling destroy; instead the version goes to a disabled state and
  // destruction happens after the TTL expires. This gives a window in which an
  // accidental or unauthorized destroy request can still be noticed and
  // reverted before the secret data is irreversibly lost.
  google.protobuf.Duration version_destroy_ttl = 14
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The customer-managed encryption configuration of the Regionalised
  // Secrets. If no configuration is provided, Google-managed default encryption
  // is used.
  //
  // Updates to the [Secret][google.cloud.secretmanager.v1.Secret] encryption
  // configuration only apply to
  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
  // afterwards. They do not apply retroactively to existing
  // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
  CustomerManagedEncryption customer_managed_encryption = 15
      [(google.api.field_behavior) = OPTIONAL];
}

// A secret version resource in the Secret Manager API.
message SecretVersion {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/SecretVersion"
    pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}"
    pattern: "projects/{project}/locations/{location}/secrets/{secret}/versions/{secret_version}"
    plural: "secretVersions"
    singular: "secretVersion"
  };

  // The state of a
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion], indicating if
  // it can be accessed.
  enum State {
    // Not specified. This value is unused and invalid.
    STATE_UNSPECIFIED = 0;

    // The [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] may be
    // accessed.
    ENABLED = 1;

    // The [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] may not
    // be accessed, but the secret data is still available and can be placed
    // back into the
    // [ENABLED][google.cloud.secretmanager.v1.SecretVersion.State.ENABLED]
    // state.
    DISABLED = 2;

    // The [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] is
    // destroyed and the secret data is no longer stored. A version may not
    // leave this state once entered.
    DESTROYED = 3;
  }

  // Output only. The resource name of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format
  // `projects/*/secrets/*/versions/*`, or
  // `projects/*/locations/*/secrets/*/versions/*` for a version of a regional
  // secret (see the second resource pattern above).
  //
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] IDs in a
  // [Secret][google.cloud.secretmanager.v1.Secret] start at 1 and are
  // incremented for each subsequent version of the secret.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] was destroyed.
  // Only present if [state][google.cloud.secretmanager.v1.SecretVersion.state]
  // is
  // [DESTROYED][google.cloud.secretmanager.v1.SecretVersion.State.DESTROYED].
  google.protobuf.Timestamp destroy_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  ReplicationStatus replication_status = 5;

  // Output only. Etag of the currently stored
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  string etag = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. True if payload checksum specified in
  // [SecretPayload][google.cloud.secretmanager.v1.SecretPayload] object has
  // been received by
  // [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
  // on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion].
  // In other words, whether the client supplied
  // [data_crc32c][google.cloud.secretmanager.v1.SecretPayload.data_crc32c]
  // rather than letting the service compute it.
  bool client_specified_payload_checksum = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Output only. Scheduled destroy time for secret version.
  // This is a part of the Delayed secret version destroy feature. For a
  // Secret with a valid version destroy TTL, when a secret version is
  // destroyed, the version is moved to disabled state and it is scheduled for
  // destruction. The version is destroyed only after the
  // `scheduled_destroy_time`.
  google.protobuf.Timestamp scheduled_destroy_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The customer-managed encryption status of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
  // populated if customer-managed encryption is used and
  // [Secret][google.cloud.secretmanager.v1.Secret] is a Regionalised Secret.
  CustomerManagedEncryptionStatus customer_managed_encryption = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A policy that defines the replication and encryption configuration of data.
// Exactly one of the two policy shapes below is chosen; the choice is
// immutable once the Secret is created (see
// [Secret.replication][google.cloud.secretmanager.v1.Secret.replication]).
message Replication {
  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1.Secret] payload without any
  // restrictions.
  message Automatic {
    // Optional. The customer-managed encryption configuration of the
    // [Secret][google.cloud.secretmanager.v1.Secret]. If no configuration is
    // provided, Google-managed default encryption is used.
    //
    // Updates to the [Secret][google.cloud.secretmanager.v1.Secret] encryption
    // configuration only apply to
    // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
    // afterwards. They do not apply retroactively to existing
    // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
    CustomerManagedEncryption customer_managed_encryption = 1
        [(google.api.field_behavior) = OPTIONAL];
  }

  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1.Secret] payload into the locations
  // specified in [Secret.replication.user_managed.replicas][].
  message UserManaged {
    // Represents a Replica for this
    // [Secret][google.cloud.secretmanager.v1.Secret].
    message Replica {
      // The canonical IDs of the location to replicate data.
      // For example: `"us-east1"`.
      string location = 1;

      // Optional. The customer-managed encryption configuration of the
      // [User-Managed Replica][Replication.UserManaged.Replica]. If no
      // configuration is provided, Google-managed default encryption is used.
      //
      // Updates to the [Secret][google.cloud.secretmanager.v1.Secret]
      // encryption configuration only apply to
      // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added
      // afterwards. They do not apply retroactively to existing
      // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion].
      CustomerManagedEncryption customer_managed_encryption = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Required. The list of Replicas for this
    // [Secret][google.cloud.secretmanager.v1.Secret].
    //
    // Cannot be empty.
    repeated Replica replicas = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // The replication policy for this secret.
  oneof replication {
    // The [Secret][google.cloud.secretmanager.v1.Secret] will automatically be
    // replicated without any restrictions.
    Automatic automatic = 1;

    // The [Secret][google.cloud.secretmanager.v1.Secret] will only be
    // replicated into the locations specified.
    UserManaged user_managed = 2;
  }
}

// Configuration for encrypting secret payloads using customer-managed
// encryption keys (CMEK).
message CustomerManagedEncryption {
  // Required. The resource name of the Cloud KMS CryptoKey used to encrypt
  // secret payloads.
  //
  // For secrets using the
  // [UserManaged][google.cloud.secretmanager.v1.Replication.UserManaged]
  // replication policy type, Cloud KMS CryptoKeys must reside in the same
  // location as the [replica location][Secret.UserManaged.Replica.location].
  //
  // For secrets using the
  // [Automatic][google.cloud.secretmanager.v1.Replication.Automatic]
  // replication policy type, Cloud KMS CryptoKeys must reside in `global`.
  //
  // The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  // This names the key, not a specific version; the version actually used for
  // a given payload is reported back in
  // [CustomerManagedEncryptionStatus][google.cloud.secretmanager.v1.CustomerManagedEncryptionStatus].
  string kms_key_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The replication status of a
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
message ReplicationStatus {
  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] using
  // automatic replication.
  //
  // Only populated if the parent [Secret][google.cloud.secretmanager.v1.Secret]
  // has an automatic replication policy.
  message AutomaticStatus {
    // Output only. The customer-managed encryption status of the
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
    // populated if customer-managed encryption is used.
    CustomerManagedEncryptionStatus customer_managed_encryption = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] using
  // user-managed replication.
  //
  // Only populated if the parent [Secret][google.cloud.secretmanager.v1.Secret]
  // has a user-managed replication policy.
  message UserManagedStatus {
    // Describes the status of a user-managed replica for the
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
    message ReplicaStatus {
      // Output only. The canonical ID of the replica location.
      // For example: `"us-east1"`.
      string location = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. The customer-managed encryption status of the
      // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only
      // populated if customer-managed encryption is used.
      CustomerManagedEncryptionStatus customer_managed_encryption = 2
          [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // Output only. The list of replica statuses for the
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
    repeated ReplicaStatus replicas = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
  oneof replication_status {
    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] with
    // automatic replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1.Secret] has an automatic
    // replication policy.
    AutomaticStatus automatic = 1;

    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] with
    // user-managed replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1.Secret] has a user-managed
    // replication policy.
    UserManagedStatus user_managed = 2;
  }
}

// Describes the status of customer-managed encryption.
message CustomerManagedEncryptionStatus {
  // Required. The resource name of the Cloud KMS CryptoKeyVersion used to
  // encrypt the secret payload, in the following format:
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/versions/*`.
  // Recording the exact key version is what lets an auditor tie a stored
  // payload to the KMS key material that protects it.
  string kms_key_version_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// A Pub/Sub topic which Secret Manager will publish to when control plane
// events occur on this secret.
message Topic {
  option (google.api.resource) = {
    type: "pubsub.googleapis.com/Topic"
    pattern: "projects/{project}/topics/{topic}"
  };

  // Required. The resource name of the Pub/Sub topic that will be published to,
  // in the following format: `projects/*/topics/*`. For publication to succeed,
  // the Secret Manager service agent must have the `pubsub.topic.publish`
  // permission on the topic. The Pub/Sub Publisher role
  // (`roles/pubsub.publisher`) includes this permission.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The rotation time and period for a
// [Secret][google.cloud.secretmanager.v1.Secret]. At next_rotation_time, Secret
// Manager will send a Pub/Sub notification to the topics configured on the
// Secret. [Secret.topics][google.cloud.secretmanager.v1.Secret.topics] must be
// set to configure rotation.
//
// NOTE(review): as documented here, rotation is a notification schedule —
// nothing in this message changes the secret value itself; presumably a
// subscriber acts on the notification to add a new version. Confirm.
message Rotation {
  // Optional. Timestamp in UTC at which the
  // [Secret][google.cloud.secretmanager.v1.Secret] is scheduled to rotate.
  // Cannot be set to less than 300s (5 min) in the future and at most
  // 3153600000s (100 years).
  //
  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time]
  // MUST be set if
  // [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period]
  // is set.
  google.protobuf.Timestamp next_rotation_time = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Input only. The Duration between rotation notifications. Must be in seconds
  // and at least 3600s (1h) and at most 3153600000s (100 years).
  //
  // If
  // [rotation_period][google.cloud.secretmanager.v1.Rotation.rotation_period]
  // is set,
  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time]
  // must be set.
  // [next_rotation_time][google.cloud.secretmanager.v1.Rotation.next_rotation_time]
  // will be advanced by this period when the service automatically sends
  // rotation notifications.
  google.protobuf.Duration rotation_period = 2
      [(google.api.field_behavior) = INPUT_ONLY];
}

// A secret payload resource in the Secret Manager API. This contains the
// sensitive secret payload that is associated with a
// [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
message SecretPayload {
  // The secret data. Must be no larger than 64KiB.
  // This is the sensitive material itself; clients should keep it out of logs,
  // traces and error messages.
  bytes data = 1;

  // Optional. If specified,
  // [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
  // will verify the integrity of the received
  // [data][google.cloud.secretmanager.v1.SecretPayload.data] on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion]
  // calls using the crc32c checksum and store it to include in future
  // [SecretManagerService.AccessSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion]
  // responses. If a checksum is not provided in the
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion]
  // request, the
  // [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
  // will generate and store one for you.
  //
  // CRC32C detects accidental corruption in transit; it is not a keyed MAC and
  // gives no assurance against deliberate tampering. Clients should still
  // recompute and compare it on access.
  //
  // The CRC32C value is encoded as an Int64 for compatibility, and can be
  // safely downconverted to uint32 in languages that support this type.
  // https://cloud.google.com/apis/design/design_patterns#integer_types
  optional int64 data_crc32c = 2 [(google.api.field_behavior) = OPTIONAL];
}