// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.secretmanager.v1beta2;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.SecretManager.V1Beta2";
option go_package = "cloud.google.com/go/secretmanager/apiv1beta2/secretmanagerpb;secretmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "ResourcesProto";
option java_package = "com.google.cloud.secretmanager.v1beta2";
option objc_class_prefix = "GSM";
option php_namespace = "Google\\Cloud\\SecretManager\\V1beta2";
option ruby_package = "Google::Cloud::SecretManager::V1beta2";

// A [Secret][google.cloud.secretmanager.v1beta2.Secret] is a logical secret
// whose value and versions can be accessed.
//
// A [Secret][google.cloud.secretmanager.v1beta2.Secret] is made up of zero or
// more [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] that
// represent the secret data.
//
// The Secret resource itself holds only metadata (replication policy, labels,
// annotations, rotation and expiration settings, encryption configuration).
// The sensitive bytes are carried by the
// [SecretPayload][google.cloud.secretmanager.v1beta2.SecretPayload] attached
// to each version, never by this message.
message Secret {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/Secret"
    pattern: "projects/{project}/secrets/{secret}"
    pattern: "projects/{project}/locations/{location}/secrets/{secret}"
    plural: "secrets"
    singular: "secret"
  };

  // Output only. The resource name of the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] in the format
  // `projects/*/secrets/*`.
  //
  // A location-scoped pattern is also declared in the resource option above
  // (presumably used by Regionalised Secrets -- confirm against the service).
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Immutable. The replication policy of the secret data attached to
  // the [Secret][google.cloud.secretmanager.v1beta2.Secret].
  //
  // The replication policy cannot be changed after the Secret has been created.
  // Because the policy also carries the customer-managed encryption
  // configuration, choose it deliberately at creation time.
  Replication replication = 2 [
    (google.api.field_behavior) = IMMUTABLE,
    (google.api.field_behavior) = OPTIONAL
  ];

  // Output only. The time at which the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] was created.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // The labels assigned to this Secret.
  //
  // Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
  // of maximum 128 bytes, and must conform to the following PCRE regular
  // expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}`
  //
  // Label values must be between 0 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, and must conform to the following PCRE
  // regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
  //
  // No more than 64 labels can be assigned to a given resource.
  //
  // NOTE(review): labels are Secret metadata, not part of the SecretPayload;
  // presumably they are readable by anyone who can view the Secret resource,
  // so callers should not place sensitive values here -- confirm.
  map<string, string> labels = 4;

  // Optional. A list of up to 10 Pub/Sub topics to which messages are published
  // when control plane operations are called on the secret or its versions.
  repeated Topic topics = 5 [(google.api.field_behavior) = OPTIONAL];

  // Expiration policy attached to the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret]. If specified the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] and all
  // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] will be
  // automatically deleted at expiration. Expired secrets are irreversibly
  // deleted.
  //
  // Expiration is *not* the recommended way to set time-based permissions. [IAM
  // Conditions](https://cloud.google.com/secret-manager/docs/access-control#conditions)
  // is recommended for granting time-based permissions because the operation
  // can be reversed.
  oneof expiration {
    // Optional. Timestamp in UTC when the
    // [Secret][google.cloud.secretmanager.v1beta2.Secret] is scheduled to
    // expire. This is always provided on output, regardless of what was sent on
    // input.
    google.protobuf.Timestamp expire_time = 6
        [(google.api.field_behavior) = OPTIONAL];

    // Input only. The TTL for the
    // [Secret][google.cloud.secretmanager.v1beta2.Secret].
    //
    // Since this field is input only and `expire_time` is always returned,
    // a TTL sent on input is reported back as an absolute `expire_time`.
    google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
  }

  // Optional. Etag of the currently stored
  // [Secret][google.cloud.secretmanager.v1beta2.Secret].
  //
  // NOTE(review): presumably used for optimistic concurrency on update
  // requests; confirm in the service definition.
  string etag = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Rotation policy attached to the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret]. May be excluded if
  // there is no rotation policy.
  Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];

  // NOTE(review): field numbers 10 and 12 are unused in this message and are
  // not declared `reserved`. If they were ever used, reserving them would
  // prevent accidental reuse with a different meaning.

  // Optional. Mapping from version alias to version name.
  //
  // A version alias is a string with a maximum length of 63 characters and can
  // contain uppercase and lowercase letters, numerals, and the hyphen (`-`)
  // and underscore ('_') characters. An alias string must start with a
  // letter and cannot be the string 'latest' or 'NEW'.
  // No more than 50 aliases can be assigned to a given secret.
  //
  // Version-Alias pairs will be viewable via GetSecret and modifiable via
  // UpdateSecret. Access by alias is only supported for
  // GetSecretVersion and AccessSecretVersion.
  //
  // The int64 value is presumably the numeric version ID (versions start at 1
  // and increment, see SecretVersion.name) -- confirm.
  map<string, int64> version_aliases = 11
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Custom metadata about the secret.
  //
  // Annotations are distinct from various forms of labels.
  // Annotations exist to allow client tools to store their own state
  // information without requiring a database.
  //
  // Annotation keys must be between 1 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, begin and end with an alphanumeric character
  // ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and
  // alphanumerics in between these symbols.
  //
  // The total size of annotation keys and values must be less than 16KiB.
  //
  // NOTE(review): like labels, annotations are Secret metadata rather than
  // payload; client tools should not persist secret material in them.
  map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Secret Version TTL after a destruction request.
  //
  // This is a part of the Delayed secret version destroy feature.
  // For a secret with TTL>0, version destruction doesn't happen immediately
  // on calling destroy; instead the version goes to the disabled state and
  // destruction happens after the TTL expires.
  //
  // Because a DISABLED version can be placed back into the ENABLED state, this
  // TTL provides a recovery window against accidental or malicious destroy
  // requests.
  google.protobuf.Duration version_destroy_ttl = 14
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The customer-managed encryption configuration of the Regionalised
  // Secrets. If no configuration is provided, Google-managed default encryption
  // is used.
  //
  // Updates to the [Secret][google.cloud.secretmanager.v1beta2.Secret]
  // encryption configuration only apply to
  // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] added
  // afterwards. They do not apply retroactively to existing
  // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion].
  CustomerManagedEncryption customer_managed_encryption = 15
      [(google.api.field_behavior) = OPTIONAL];
}

// A secret version resource in the Secret Manager API.
message SecretVersion {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/SecretVersion"
    pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}"
    pattern: "projects/{project}/locations/{location}/secrets/{secret}/versions/{secret_version}"
    plural: "secretVersions"
    singular: "secretVersion"
  };

  // The state of a
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion],
  // indicating if it can be accessed.
  //
  // DESTROYED is terminal; DISABLED is reversible.
  enum State {
    // Not specified. This value is unused and invalid.
    STATE_UNSPECIFIED = 0;

    // The [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] may
    // be accessed.
    ENABLED = 1;

    // The [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] may
    // not be accessed, but the secret data is still available and can be placed
    // back into the
    // [ENABLED][google.cloud.secretmanager.v1beta2.SecretVersion.State.ENABLED]
    // state.
    DISABLED = 2;

    // The [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] is
    // destroyed and the secret data is no longer stored. A version may not
    // leave this state once entered.
    DESTROYED = 3;
  }

  // Output only. The resource name of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] in the
  // format `projects/*/secrets/*/versions/*`.
  //
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] IDs in a
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] start at 1 and are
  // incremented for each subsequent version of the secret.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] was
  // created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] was
  // destroyed. Only present if
  // [state][google.cloud.secretmanager.v1beta2.SecretVersion.state] is
  // [DESTROYED][google.cloud.secretmanager.v1beta2.SecretVersion.State.DESTROYED].
  google.protobuf.Timestamp destroy_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  //
  // NOTE(review): no field_behavior is declared here although every field
  // inside ReplicationStatus is OUTPUT_ONLY; presumably this is server-set as
  // well -- confirm.
  ReplicationStatus replication_status = 5;

  // Output only. Etag of the currently stored
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  string etag = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. True if the payload checksum specified in the
  // [SecretPayload][google.cloud.secretmanager.v1beta2.SecretPayload] object
  // was received by
  // [SecretManagerService][google.cloud.secretmanager.v1beta2.SecretManagerService]
  // on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AddSecretVersion].
  //
  // False means the stored CRC32C was generated by the service rather than
  // supplied by the client.
  bool client_specified_payload_checksum = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Scheduled destroy time for the secret version.
  //
  // This is a part of the Delayed secret version destroy feature. For a
  // Secret with a valid version destroy TTL, when a secret version is
  // destroyed, the version is moved to the disabled state and it is scheduled
  // for destruction. The version is destroyed only after the
  // scheduled_destroy_time.
  //
  // NOTE(review): the original doc labels this "Optional. Output only."; only
  // OUTPUT_ONLY is declared on the field, so treat it as server-set.
  google.protobuf.Timestamp scheduled_destroy_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The customer-managed encryption status of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion]. Only
  // populated if customer-managed encryption is used and
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] is a Regionalised
  // Secret.
  CustomerManagedEncryptionStatus customer_managed_encryption = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A policy that defines the replication and encryption configuration of data.
//
// Exactly one of the `replication` alternatives is set; each alternative also
// carries its own customer-managed encryption configuration.
message Replication {
  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] payload without any
  // restrictions.
  message Automatic {
    // Optional. The customer-managed encryption configuration of the
    // [Secret][google.cloud.secretmanager.v1beta2.Secret]. If no configuration
    // is provided, Google-managed default encryption is used.
    //
    // Updates to the [Secret][google.cloud.secretmanager.v1beta2.Secret]
    // encryption configuration only apply to
    // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] added
    // afterwards. They do not apply retroactively to existing
    // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion].
    CustomerManagedEncryption customer_managed_encryption = 1
        [(google.api.field_behavior) = OPTIONAL];
  }

  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] payload into the
  // locations specified in [Secret.replication.user_managed.replicas][]
  message UserManaged {
    // Represents a Replica for this
    // [Secret][google.cloud.secretmanager.v1beta2.Secret].
    message Replica {
      // The canonical IDs of the location to replicate data.
      // For example: `"us-east1"`.
      //
      // NOTE(review): no field_behavior is declared; presumably required,
      // since a replica without a location is meaningless -- confirm.
      string location = 1;

      // Optional. The customer-managed encryption configuration of the
      // [User-Managed Replica][Replication.UserManaged.Replica]. If no
      // configuration is provided, Google-managed default encryption is used.
      //
      // Updates to the [Secret][google.cloud.secretmanager.v1beta2.Secret]
      // encryption configuration only apply to
      // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion]
      // added afterwards. They do not apply retroactively to existing
      // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion].
      CustomerManagedEncryption customer_managed_encryption = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Required. The list of Replicas for this
    // [Secret][google.cloud.secretmanager.v1beta2.Secret].
    //
    // Cannot be empty.
    repeated Replica replicas = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // The replication policy for this secret.
  oneof replication {
    // The [Secret][google.cloud.secretmanager.v1beta2.Secret] will
    // automatically be replicated without any restrictions.
    Automatic automatic = 1;

    // The [Secret][google.cloud.secretmanager.v1beta2.Secret] will only be
    // replicated into the locations specified.
    UserManaged user_managed = 2;
  }
}

// Configuration for encrypting secret payloads using customer-managed
// encryption keys (CMEK).
message CustomerManagedEncryption {
  // Required. The resource name of the Cloud KMS CryptoKey used to encrypt
  // secret payloads.
  //
  // For secrets using the
  // [UserManaged][google.cloud.secretmanager.v1beta2.Replication.UserManaged]
  // replication policy type, Cloud KMS CryptoKeys must reside in the same
  // location as the [replica location][Secret.UserManaged.Replica.location].
  //
  // For secrets using the
  // [Automatic][google.cloud.secretmanager.v1beta2.Replication.Automatic]
  // replication policy type, Cloud KMS CryptoKeys must reside in `global`.
  //
  // The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  //
  // NOTE(review): this file does not state which IAM permission the Secret
  // Manager service agent needs on the key (compare the explicit
  // `pubsub.topic.publish` note on Topic); confirm before relying on CMEK.
  string kms_key_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The replication status of a
// [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
//
// Mirrors the shape of Replication: the populated alternative matches the
// parent Secret's replication policy.
message ReplicationStatus {
  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] using
  // automatic replication.
  //
  // Only populated if the parent
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] has an automatic
  // replication policy.
  message AutomaticStatus {
    // Output only. The customer-managed encryption status of the
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion]. Only
    // populated if customer-managed encryption is used.
    CustomerManagedEncryptionStatus customer_managed_encryption = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] using
  // user-managed replication.
  //
  // Only populated if the parent
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] has a user-managed
  // replication policy.
  message UserManagedStatus {
    // Describes the status of a user-managed replica for the
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
    message ReplicaStatus {
      // Output only. The canonical ID of the replica location.
      // For example: `"us-east1"`.
      string location = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. The customer-managed encryption status of the
      // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion]. Only
      // populated if customer-managed encryption is used.
      CustomerManagedEncryptionStatus customer_managed_encryption = 2
          [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // Output only. The list of replica statuses for the
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
    repeated ReplicaStatus replicas = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  oneof replication_status {
    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] with
    // automatic replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1beta2.Secret] has an automatic
    // replication policy.
    AutomaticStatus automatic = 1;

    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] with
    // user-managed replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1beta2.Secret] has a user-managed
    // replication policy.
    UserManagedStatus user_managed = 2;
  }
}

// Describes the status of customer-managed encryption.
//
// This message only appears in OUTPUT_ONLY fields above, so it is reported by
// the service rather than supplied by the client. The key *version* recorded
// here is what a reviewer should check when auditing which KMS key material
// actually protects a given SecretVersion.
message CustomerManagedEncryptionStatus {
  // Required. The resource name of the Cloud KMS CryptoKeyVersion used to
  // encrypt the secret payload, in the following format:
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/versions/*`.
  //
  // NOTE(review): REQUIRED here presumably expresses that the service always
  // populates it, not a client obligation -- confirm.
  string kms_key_version_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// A Pub/Sub topic which Secret Manager will publish to when control plane
// events occur on this secret.
message Topic {
  option (google.api.resource) = {
    type: "pubsub.googleapis.com/Topic"
    pattern: "projects/{project}/topics/{topic}"
  };

  // Required. The resource name of the Pub/Sub topic that will be published to,
  // in the following format: `projects/*/topics/*`. For publication to succeed,
  // the Secret Manager service agent must have the `pubsub.topic.publish`
  // permission on the topic. The Pub/Sub Publisher role
  // (`roles/pubsub.publisher`) includes this permission.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The rotation time and period for a
// [Secret][google.cloud.secretmanager.v1beta2.Secret]. At next_rotation_time,
// Secret Manager will send a Pub/Sub notification to the topics configured on
// the Secret. [Secret.topics][google.cloud.secretmanager.v1beta2.Secret.topics]
// must be set to configure rotation.
//
// Rotation as described here is a notification mechanism only: nothing in this
// file states that the service replaces the secret value itself. Presumably a
// subscriber on the topic performs the actual rotation -- confirm.
message Rotation {
  // Optional. Timestamp in UTC at which the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] is scheduled to rotate.
  // Cannot be set to less than 300s (5 min) in the future and at most
  // 3153600000s (100 years).
  //
  // [next_rotation_time][google.cloud.secretmanager.v1beta2.Rotation.next_rotation_time]
  // MUST be set if
  // [rotation_period][google.cloud.secretmanager.v1beta2.Rotation.rotation_period]
  // is set.
  google.protobuf.Timestamp next_rotation_time = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Input only. The Duration between rotation notifications. Must be in seconds
  // and at least 3600s (1h) and at most 3153600000s (100 years).
  //
  // If
  // [rotation_period][google.cloud.secretmanager.v1beta2.Rotation.rotation_period]
  // is set,
  // [next_rotation_time][google.cloud.secretmanager.v1beta2.Rotation.next_rotation_time]
  // must be set.
  // [next_rotation_time][google.cloud.secretmanager.v1beta2.Rotation.next_rotation_time]
  // will be advanced by this period when the service automatically sends
  // rotation notifications.
  google.protobuf.Duration rotation_period = 2
      [(google.api.field_behavior) = INPUT_ONLY];
}

// A secret payload resource in the Secret Manager API. This contains the
// sensitive secret payload that is associated with a
// [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
//
// This is the only message in this file that carries secret material; treat
// any log, trace or error path that serializes it accordingly.
message SecretPayload {
  // The secret data. Must be no larger than 64KiB.
  bytes data = 1;

  // Optional. If specified,
  // [SecretManagerService][google.cloud.secretmanager.v1beta2.SecretManagerService]
  // will verify the integrity of the received
  // [data][google.cloud.secretmanager.v1beta2.SecretPayload.data] on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AddSecretVersion]
  // calls using the crc32c checksum and store it to include in future
  // [SecretManagerService.AccessSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AccessSecretVersion]
  // responses. If a checksum is not provided in the
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AddSecretVersion]
  // request, the
  // [SecretManagerService][google.cloud.secretmanager.v1beta2.SecretManagerService]
  // will generate and store one for you.
  //
  // The CRC32C value is encoded as an Int64 for compatibility, and can be
  // safely downconverted to uint32 in languages that support this type.
  // https://cloud.google.com/apis/design/design_patterns#integer_types
  //
  // `optional` gives this field explicit presence, which is how the service
  // distinguishes "client supplied a checksum" (reported via
  // SecretVersion.client_specified_payload_checksum) from "no checksum sent".
  // CRC32C detects accidental corruption in transit; it is not a cryptographic
  // integrity or authenticity guarantee.
  optional int64 data_crc32c = 2 [(google.api.field_behavior) = OPTIONAL];
}