// Copyright 2024 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

package google.cloud.secretmanager.v1beta2;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.SecretManager.V1Beta2";
option go_package = "cloud.google.com/go/secretmanager/apiv1beta2/secretmanagerpb;secretmanagerpb";
option java_multiple_files = true;
option java_outer_classname = "ResourcesProto";
option java_package = "com.google.cloud.secretmanager.v1beta2";
option objc_class_prefix = "GSM";
option php_namespace = "Google\\Cloud\\SecretManager\\V1beta2";
option ruby_package = "Google::Cloud::SecretManager::V1beta2";

// A [Secret][google.cloud.secretmanager.v1beta2.Secret] is a logical secret
// whose value and versions can be accessed.
//
// A [Secret][google.cloud.secretmanager.v1beta2.Secret] is made up of zero or
// more [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] that
// represent the secret data.
message Secret {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/Secret"
    pattern: "projects/{project}/secrets/{secret}"
    pattern: "projects/{project}/locations/{location}/secrets/{secret}"
    plural: "secrets"
    singular: "secret"
  };

  // Output only. The resource name of the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] in the format
  // `projects/*/secrets/*`.
  //
  // NOTE(review): the resource option above also declares the regional
  // pattern `projects/*/locations/*/secrets/*`; this comment lists only the
  // global form.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Immutable. The replication policy of the secret data attached to
  // the [Secret][google.cloud.secretmanager.v1beta2.Secret].
  //
  // The replication policy cannot be changed after the Secret has been created.
  Replication replication = 2 [
    (google.api.field_behavior) = IMMUTABLE,
    (google.api.field_behavior) = OPTIONAL
  ];

  // Output only. The time at which the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] was created.
  google.protobuf.Timestamp create_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // The labels assigned to this Secret.
  //
  // Label keys must be between 1 and 63 characters long, have a UTF-8 encoding
  // of maximum 128 bytes, and must conform to the following PCRE regular
  // expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}`
  //
  // Label values must be between 0 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, and must conform to the following PCRE
  // regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
  //
  // No more than 64 labels can be assigned to a given resource.
  //
  // NOTE(review): labels are resource metadata, not secret payload. They are
  // presumably visible to anyone who can read the Secret resource, so keep
  // sensitive values out of them; confirm against the service's IAM model.
  map<string, string> labels = 4;

  // Optional. A list of up to 10 Pub/Sub topics to which messages are published
  // when control plane operations are called on the secret or its versions.
  repeated Topic topics = 5 [(google.api.field_behavior) = OPTIONAL];

  // Expiration policy attached to the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret]. If specified the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] and all
  // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] will be
  // automatically deleted at expiration. Expired secrets are irreversibly
  // deleted.
  //
  // Expiration is *not* the recommended way to set time-based permissions. [IAM
  // Conditions](https://cloud.google.com/secret-manager/docs/access-control#conditions)
  // is recommended for granting time-based permissions because the operation
  // can be reversed.
  //
  // `expire_time` and `ttl` are members of the same oneof, so at most one of
  // them can be set on a message.
  oneof expiration {
    // Optional. Timestamp in UTC when the
    // [Secret][google.cloud.secretmanager.v1beta2.Secret] is scheduled to
    // expire. This is always provided on output, regardless of what was sent on
    // input.
    google.protobuf.Timestamp expire_time = 6
        [(google.api.field_behavior) = OPTIONAL];

    // Input only. The TTL for the
    // [Secret][google.cloud.secretmanager.v1beta2.Secret].
    google.protobuf.Duration ttl = 7 [(google.api.field_behavior) = INPUT_ONLY];
  }

  // Optional. Etag of the currently stored
  // [Secret][google.cloud.secretmanager.v1beta2.Secret].
  //
  // NOTE(review): presumably used for optimistic concurrency control on
  // update and delete requests; confirm against the service definition.
  string etag = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Rotation policy attached to the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret]. May be excluded if
  // there is no rotation policy.
  Rotation rotation = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Mapping from version alias to version name.
  //
  // A version alias is a string with a maximum length of 63 characters and can
  // contain uppercase and lowercase letters, numerals, and the hyphen (`-`)
  // and underscore ('_') characters. An alias string must start with a
  // letter and cannot be the string 'latest' or 'NEW'.
  // No more than 50 aliases can be assigned to a given secret.
  //
  // Version-Alias pairs will be viewable via GetSecret and modifiable via
  // UpdateSecret. Access by alias is only supported for
  // GetSecretVersion and AccessSecretVersion.
  //
  // NOTE(review): map values are int64, so the "version name" here is
  // presumably the numeric version ID rather than the full resource name;
  // confirm. Because aliases are modifiable via UpdateSecret, an alias does
  // not pin a fixed version; callers that need a fixed payload should
  // reference the version ID.
  map<string, int64> version_aliases = 11
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Custom metadata about the secret.
  //
  // Annotations are distinct from various forms of labels.
  // Annotations exist to allow client tools to store their own state
  // information without requiring a database.
  //
  // Annotation keys must be between 1 and 63 characters long, have a UTF-8
  // encoding of maximum 128 bytes, begin and end with an alphanumeric character
  // ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and
  // alphanumerics in between these symbols.
  //
  // The total size of annotation keys and values must be less than 16KiB.
  //
  // NOTE(review): annotations are metadata on the Secret resource, not secret
  // payload; client tools should not store sensitive state in them.
  map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Secret Version TTL after destruction request.
  //
  // This is a part of the Delayed secret version destroy feature.
  // For a secret with TTL>0, version destruction doesn't happen immediately
  // on calling destroy; instead, the version goes to a disabled state and
  // destruction happens after the TTL expires.
  //
  // During that window the version is only disabled, so the secret data is
  // still stored (see
  // [DISABLED][google.cloud.secretmanager.v1beta2.SecretVersion.State.DISABLED]).
  google.protobuf.Duration version_destroy_ttl = 14
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The customer-managed encryption configuration of the Regionalised
  // Secrets. If no configuration is provided, Google-managed default encryption
  // is used.
  //
  // Updates to the [Secret][google.cloud.secretmanager.v1beta2.Secret]
  // encryption configuration only apply to
  // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] added
  // afterwards. They do not apply retroactively to existing
  // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion].
  //
  // Existing versions therefore keep the encryption configuration they were
  // created with; the key version actually used for a given version is
  // reported in
  // [CustomerManagedEncryptionStatus][google.cloud.secretmanager.v1beta2.CustomerManagedEncryptionStatus].
  CustomerManagedEncryption customer_managed_encryption = 15
      [(google.api.field_behavior) = OPTIONAL];
}

// A secret version resource in the Secret Manager API.
message SecretVersion {
  option (google.api.resource) = {
    type: "secretmanager.googleapis.com/SecretVersion"
    pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}"
    pattern: "projects/{project}/locations/{location}/secrets/{secret}/versions/{secret_version}"
    plural: "secretVersions"
    singular: "secretVersion"
  };

  // The state of a
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion],
  // indicating if it can be accessed.
  enum State {
    // Not specified. This value is unused and invalid.
    STATE_UNSPECIFIED = 0;

    // The [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] may
    // be accessed.
    ENABLED = 1;

    // The [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] may
    // not be accessed, but the secret data is still available and can be placed
    // back into the
    // [ENABLED][google.cloud.secretmanager.v1beta2.SecretVersion.State.ENABLED]
    // state.
    DISABLED = 2;

    // The [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] is
    // destroyed and the secret data is no longer stored. A version may not
    // leave this state once entered.
    DESTROYED = 3;
  }

  // Output only. The resource name of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] in the
  // format `projects/*/secrets/*/versions/*`.
  //
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] IDs in a
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] start at 1 and are
  // incremented for each subsequent version of the secret.
  //
  // NOTE(review): the resource option above also declares the regional
  // pattern `projects/*/locations/*/secrets/*/versions/*`; this comment lists
  // only the global form.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] was
  // created.
  google.protobuf.Timestamp create_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] was
  // destroyed. Only present if
  // [state][google.cloud.secretmanager.v1beta2.SecretVersion.state] is
  // [DESTROYED][google.cloud.secretmanager.v1beta2.SecretVersion.State.DESTROYED].
  google.protobuf.Timestamp destroy_time = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  State state = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  //
  // NOTE(review): unlike the neighbouring status fields, this one carries no
  // field_behavior annotation; the nested status fields are all OUTPUT_ONLY.
  ReplicationStatus replication_status = 5;

  // Output only. Etag of the currently stored
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  string etag = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. True if payload checksum specified in
  // [SecretPayload][google.cloud.secretmanager.v1beta2.SecretPayload] object
  // has been received by
  // [SecretManagerService][google.cloud.secretmanager.v1beta2.SecretManagerService]
  // on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AddSecretVersion].
  bool client_specified_payload_checksum = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Output only. Scheduled destroy time for secret version.
  // This is a part of the Delayed secret version destroy feature. For a
  // Secret with a valid version destroy TTL, when a secret version is
  // destroyed, the version is moved to the disabled state and scheduled for
  // destruction. The version is destroyed only after the
  // scheduled_destroy_time.
  //
  // NOTE(review): the comment says "Optional", but the field is annotated
  // OUTPUT_ONLY only.
  google.protobuf.Timestamp scheduled_destroy_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The customer-managed encryption status of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion]. Only
  // populated if customer-managed encryption is used and
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] is a Regionalised
  // Secret.
  CustomerManagedEncryptionStatus customer_managed_encryption = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A policy that defines the replication and encryption configuration of data.
message Replication {
  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] payload without any
  // restrictions.
  message Automatic {
    // Optional. The customer-managed encryption configuration of the
    // [Secret][google.cloud.secretmanager.v1beta2.Secret]. If no configuration
    // is provided, Google-managed default encryption is used.
    //
    // Updates to the [Secret][google.cloud.secretmanager.v1beta2.Secret]
    // encryption configuration only apply to
    // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion] added
    // afterwards. They do not apply retroactively to existing
    // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion].
    CustomerManagedEncryption customer_managed_encryption = 1
        [(google.api.field_behavior) = OPTIONAL];
  }

  // A replication policy that replicates the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] payload into the
  // locations specified in [Secret.replication.user_managed.replicas][].
  message UserManaged {
    // Represents a Replica for this
    // [Secret][google.cloud.secretmanager.v1beta2.Secret].
    message Replica {
      // The canonical IDs of the location to replicate data.
      // For example: `"us-east1"`.
      string location = 1;

      // Optional. The customer-managed encryption configuration of the
      // [User-Managed Replica][Replication.UserManaged.Replica]. If no
      // configuration is provided, Google-managed default encryption is used.
      //
      // Updates to the [Secret][google.cloud.secretmanager.v1beta2.Secret]
      // encryption configuration only apply to
      // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion]
      // added afterwards. They do not apply retroactively to existing
      // [SecretVersions][google.cloud.secretmanager.v1beta2.SecretVersion].
      CustomerManagedEncryption customer_managed_encryption = 2
          [(google.api.field_behavior) = OPTIONAL];
    }

    // Required. The list of Replicas for this
    // [Secret][google.cloud.secretmanager.v1beta2.Secret].
    //
    // Cannot be empty.
    repeated Replica replicas = 1 [(google.api.field_behavior) = REQUIRED];
  }

  // The replication policy for this secret.
  oneof replication {
    // The [Secret][google.cloud.secretmanager.v1beta2.Secret] will
    // automatically be replicated without any restrictions.
    Automatic automatic = 1;

    // The [Secret][google.cloud.secretmanager.v1beta2.Secret] will only be
    // replicated into the locations specified.
    UserManaged user_managed = 2;
  }
}

// Configuration for encrypting secret payloads using customer-managed
// encryption keys (CMEK).
message CustomerManagedEncryption {
  // Required. The resource name of the Cloud KMS CryptoKey used to encrypt
  // secret payloads.
  //
  // For secrets using the
  // [UserManaged][google.cloud.secretmanager.v1beta2.Replication.UserManaged]
  // replication policy type, Cloud KMS CryptoKeys must reside in the same
  // location as the
  // [replica location][google.cloud.secretmanager.v1beta2.Replication.UserManaged.Replica.location].
  //
  // For secrets using the
  // [Automatic][google.cloud.secretmanager.v1beta2.Replication.Automatic]
  // replication policy type, Cloud KMS CryptoKeys must reside in `global`.
  //
  // The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string kms_key_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The replication status of a
// [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
message ReplicationStatus {
  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] using
  // automatic replication.
  //
  // Only populated if the parent
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] has an automatic
  // replication policy.
  message AutomaticStatus {
    // Output only. The customer-managed encryption status of the
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion]. Only
    // populated if customer-managed encryption is used.
    CustomerManagedEncryptionStatus customer_managed_encryption = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of a
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] using
  // user-managed replication.
  //
  // Only populated if the parent
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] has a user-managed
  // replication policy.
  message UserManagedStatus {
    // Describes the status of a user-managed replica for the
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
    message ReplicaStatus {
      // Output only. The canonical ID of the replica location.
      // For example: `"us-east1"`.
      string location = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

      // Output only. The customer-managed encryption status of the
      // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion]. Only
      // populated if customer-managed encryption is used.
      CustomerManagedEncryptionStatus customer_managed_encryption = 2
          [(google.api.field_behavior) = OUTPUT_ONLY];
    }

    // Output only. The list of replica statuses for the
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
    repeated ReplicaStatus replicas = 1
        [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // The replication status of the
  // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
  oneof replication_status {
    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] with
    // automatic replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1beta2.Secret] has an automatic
    // replication policy.
    AutomaticStatus automatic = 1;

    // Describes the replication status of a
    // [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion] with
    // user-managed replication.
    //
    // Only populated if the parent
    // [Secret][google.cloud.secretmanager.v1beta2.Secret] has a user-managed
    // replication policy.
    UserManagedStatus user_managed = 2;
  }
}

// Describes the status of customer-managed encryption.
message CustomerManagedEncryptionStatus {
  // Required. The resource name of the Cloud KMS CryptoKeyVersion used to
  // encrypt the secret payload, in the following format:
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/versions/*`.
  //
  // NOTE(review): annotated REQUIRED, although every field of this type
  // visible in this file is OUTPUT_ONLY.
  string kms_key_version_name = 1 [(google.api.field_behavior) = REQUIRED];
}

// A Pub/Sub topic which Secret Manager will publish to when control plane
// events occur on this secret.
message Topic {
  option (google.api.resource) = {
    type: "pubsub.googleapis.com/Topic"
    pattern: "projects/{project}/topics/{topic}"
  };

  // Required. The resource name of the Pub/Sub topic that will be published to,
  // in the following format: `projects/*/topics/*`. For publication to succeed,
  // the Secret Manager service agent must have the `pubsub.topics.publish`
  // permission on the topic. The Pub/Sub Publisher role
  // (`roles/pubsub.publisher`) includes this permission.
  //
  // The permission is needed on the topic only, so the role can be bound on
  // the topic resource instead of the whole project.
  string name = 1 [(google.api.field_behavior) = REQUIRED];
}

// The rotation time and period for a
// [Secret][google.cloud.secretmanager.v1beta2.Secret]. At next_rotation_time,
// Secret Manager will send a Pub/Sub notification to the topics configured on
// the Secret. [Secret.topics][google.cloud.secretmanager.v1beta2.Secret.topics]
// must be set to configure rotation.
//
// NOTE(review): as described here, the schedule only triggers notifications;
// nothing in this message creates a new
// [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion], so a
// subscriber to the topic presumably has to perform the actual rotation.
message Rotation {
  // Optional. Timestamp in UTC at which the
  // [Secret][google.cloud.secretmanager.v1beta2.Secret] is scheduled to rotate.
  // Cannot be set to less than 300s (5 min) in the future and at most
  // 3153600000s (100 years).
  //
  // [next_rotation_time][google.cloud.secretmanager.v1beta2.Rotation.next_rotation_time]
  // MUST be set if
  // [rotation_period][google.cloud.secretmanager.v1beta2.Rotation.rotation_period]
  // is set.
  google.protobuf.Timestamp next_rotation_time = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Input only. The Duration between rotation notifications. Must be in seconds
  // and at least 3600s (1h) and at most 3153600000s (100 years).
  //
  // If
  // [rotation_period][google.cloud.secretmanager.v1beta2.Rotation.rotation_period]
  // is set,
  // [next_rotation_time][google.cloud.secretmanager.v1beta2.Rotation.next_rotation_time]
  // must be set.
  // [next_rotation_time][google.cloud.secretmanager.v1beta2.Rotation.next_rotation_time]
  // will be advanced by this period when the service automatically sends
  // rotation notifications.
  google.protobuf.Duration rotation_period = 2
      [(google.api.field_behavior) = INPUT_ONLY];
}

// A secret payload resource in the Secret Manager API. This contains the
// sensitive secret payload that is associated with a
// [SecretVersion][google.cloud.secretmanager.v1beta2.SecretVersion].
//
// Because `data` carries the secret itself, keep instances of this message out
// of logs, traces and debug dumps.
message SecretPayload {
  // The secret data. Must be no larger than 64KiB.
  bytes data = 1;

  // Optional. If specified,
  // [SecretManagerService][google.cloud.secretmanager.v1beta2.SecretManagerService]
  // will verify the integrity of the received
  // [data][google.cloud.secretmanager.v1beta2.SecretPayload.data] on
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AddSecretVersion]
  // calls using the crc32c checksum and store it to include in future
  // [SecretManagerService.AccessSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AccessSecretVersion]
  // responses. If a checksum is not provided in the
  // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1beta2.SecretManagerService.AddSecretVersion]
  // request, the
  // [SecretManagerService][google.cloud.secretmanager.v1beta2.SecretManagerService]
  // will generate and store one for you.
  //
  // CRC32C is an unkeyed checksum: it detects accidental corruption in transit
  // or at rest, but it is not a MAC or signature and does not authenticate the
  // data against deliberate modification. Callers that want the corruption
  // check should recompute it over `data` on read and compare.
  //
  // The CRC32C value is encoded as an int64 for compatibility, and can be
  // safely downconverted to uint32 in languages that support this type.
  // https://cloud.google.com/apis/design/design_patterns#integer_types
  optional int64 data_crc32c = 2 [(google.api.field_behavior) = OPTIONAL];
}