Added new samples for CMEK and Annotations #10223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

dhavalbhensdadiya-crest wants to merge 5 commits into GoogleCloudPlatform:main from dhavalbhensdadiya-crest:feature/cmek-annotations

+366 −4

secretmanager/README.md

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -12,14 +12,16 @@ the Secret Manager API using the Google Java API Client Libraries.
  
    ### Enable the API

    You must [enable the Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) for your project in order to use these samples

    You must enable the [Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) and [Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com) for your project in order to use these samples

    ### Set Environment Variables

    You must set your project ID in order to run the tests

    You must set your project ID, KMS Keys (Global and Regional) in order to run the tests

    ```text

    $ export GOOGLE_CLOUD_PROJECT=<your-project-id-here>

    $ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)

    $ export GOOGLE_CLOUD_KMS_KEY=<full-name-of-global-kms-key>

    ```

    ### Grant Permissions

    @@ -28,5 +30,6 @@ You must ensure that the [user account or service account](https://cloud.google.
  
    * Secret Manager Admin (`roles/secretmanager.admin`)

    * Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)

    * Cloud KMS Encrypter / Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the regional and global KMS key used for testing

    More information can be found in the [Secret Manager Docs](https://cloud.google.com/secret-manager/docs/access-control)

secretmanager/src/main/java/secretmanager/CreateSecretWithCmek.java

-Original file line number
+Diff line change
@@ -0,0 +1,76 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager;
+    // [START secretmanager_create_secret_with_cmek]
+    import com.google.cloud.secretmanager.v1.CustomerManagedEncryption;
+    import com.google.cloud.secretmanager.v1.ProjectName;
+    import com.google.cloud.secretmanager.v1.Replication;
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import java.io.IOException;
+    public class CreateSecretWithCmek {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // This is the id of the secret to act on
+        String secretId = "your-secret-id";
+        // This is the Full kms key name to be used for Cmek.
+        String kmsKeyName = "your-kms-key-name";
+        createSecretWithCmek(projectId, secretId, kmsKeyName);
+      }
+      // Create a secret with a customer-managed encryption key (CMEK).
+      public static Secret createSecretWithCmek(String projectId, String secretId, String kmsKeyName)
+          throws IOException {
+        // Initialize client that will be used to send requests. This client only needs
+        // to be created
+        // once, and can be reused for multiple requests.
+        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+          // Build the secret name.
+          ProjectName projectName = ProjectName.of(projectId);
+          // Build the Cmek configuration.
+          CustomerManagedEncryption customerManagedEncryption =
+              CustomerManagedEncryption.newBuilder().setKmsKeyName(kmsKeyName).build();
+          // Build the replication using Cmek.
+          Replication secretReplication =
+              Replication.newBuilder()
+                  .setAutomatic(
+                      Replication.Automatic.newBuilder()
+                          .setCustomerManagedEncryption(customerManagedEncryption)
+                          .build())
+                  .build();
+          // Build the secret to create with the replication policy.
+          Secret secret = Secret.newBuilder().setReplication(secretReplication).build();
+          // Create the secret.
+          Secret createdSecret = client.createSecret(projectName, secretId, secret);
+          System.out.printf("Created secret %s\n", createdSecret.getName());
+          return createdSecret;
+        }
+      }
+    }
+    // [END secretmanager_create_secret_with_cmek]

secretmanager/src/main/java/secretmanager/DeleteSecretAnnotations.java

-Original file line number
+Diff line change
@@ -0,0 +1,69 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager;
+    // [START secretmanager_delete_secret_annotations]
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import com.google.cloud.secretmanager.v1.SecretName;
+    import com.google.protobuf.FieldMask;
+    import com.google.protobuf.util.FieldMaskUtil;
+    import java.io.IOException;
+    import java.util.HashMap;
+    public class DeleteSecretAnnotations {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // This is the id of the secret to act on
+        String secretId = "your-secret-id";
+        deleteSecretAnnotations(projectId, secretId);
+      }
+      // Delete annotations from an existing secret.
+      public static Secret deleteSecretAnnotations(String projectId, String secretId)
+          throws IOException {
+        // Initialize client that will be used to send requests. This client only needs
+        // to be created
+        // once, and can be reused for multiple requests.
+        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+          // Build the name of the secret.
+          SecretName secretName = SecretName.of(projectId, secretId);
+          // Build the updated secret with an empty annotations map.
+          Secret secret =
+              Secret.newBuilder()
+                  .setName(secretName.toString())
+                  .putAllAnnotations(new HashMap<>())
+                  .build();
+          // Create the field mask for updating only the annotations
+          FieldMask fieldMask = FieldMaskUtil.fromString("annotations");
+          // Update the secret.
+          Secret updatedSecret = client.updateSecret(secret, fieldMask);
+          System.out.printf("Deleted annotations from %s\n", updatedSecret.getName());
+          return updatedSecret;
+        }
+      }
+    }
+    // [END secretmanager_delete_secret_annotations]

secretmanager/src/main/java/secretmanager/regionalsamples/CreateRegionalSecretWithCmek.java

-Original file line number
+Diff line change
@@ -0,0 +1,75 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager.regionalsamples;
+    // [START secretmanager_create_regional_secret_with_cmek]
+    import com.google.cloud.secretmanager.v1.CustomerManagedEncryption;
+    import com.google.cloud.secretmanager.v1.LocationName;
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
+    import java.io.IOException;
+    public class CreateRegionalSecretWithCmek {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // Location of the secret.
+        String locationId = "your-location-id";
+        // This is the id of the secret to act on
+        String secretId = "your-secret-id";
+        // This is the Full kms key name to be used for Cmek.
+        String kmsKeyName = "your-kms-key-name";
+        createRegionalSecretWithCmek(projectId, locationId, secretId, kmsKeyName);
+      }
+      // Create a new regional secret with customer-managed encryption key.
+      public static Secret createRegionalSecretWithCmek(
+          String projectId, String locationId, String secretId, String kmsKeyName) throws IOException {
+        // Endpoint to call the regional secret manager server
+        String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
+        SecretManagerServiceSettings secretManagerServiceSettings =
+            SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();
+        // Initialize client that will be used to send requests. This client only needs
+        // to be created
+        // once, and can be reused for multiple requests.
+        try (SecretManagerServiceClient client =
+            SecretManagerServiceClient.create(secretManagerServiceSettings)) {
+          // Build the parent name from the project and location.
+          LocationName locationName = LocationName.of(projectId, locationId);
+          // Build the customer-managed encryption configuration.
+          CustomerManagedEncryption customerManagedEncryption =
+              CustomerManagedEncryption.newBuilder().setKmsKeyName(kmsKeyName).build();
+          // Build the secret with customer-managed encryption key.
+          Secret secret =
+              Secret.newBuilder().setCustomerManagedEncryption(customerManagedEncryption).build();
+          // Create the secret.
+          Secret createdSecret = client.createSecret(locationName.toString(), secretId, secret);
+          System.out.printf("Created secret %s\n", createdSecret.getName());
+          return createdSecret;
+        }
+      }
+    }
+    // [END secretmanager_create_regional_secret_with_cmek]

...tmanager/src/main/java/secretmanager/regionalsamples/DeleteRegionalSecretAnnotations.java

-Original file line number
+Diff line change
@@ -0,0 +1,79 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager.regionalsamples;
+    // [START secretmanager_delete_regional_secret_annotations]
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceSettings;
+    import com.google.cloud.secretmanager.v1.SecretName;
+    import com.google.protobuf.FieldMask;
+    import com.google.protobuf.util.FieldMaskUtil;
+    import java.io.IOException;
+    import java.util.HashMap;
+    public class DeleteRegionalSecretAnnotations {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // Location of the secret.
+        String locationId = "your-location-id";
+        // This is the id of the secret to act on
+        String secretId = "your-secret-id";
+        deleteRegionalSecretAnnotations(projectId, locationId, secretId);
+      }
+      // Delete annotations from an existing regional secret.
+      public static Secret deleteRegionalSecretAnnotations(
+          String projectId, String locationId, String secretId) throws IOException {
+        // Endpoint to call the regional secret manager server
+        String apiEndpoint = String.format("secretmanager.%s.rep.googleapis.com:443", locationId);
+        SecretManagerServiceSettings secretManagerServiceSettings =
+            SecretManagerServiceSettings.newBuilder().setEndpoint(apiEndpoint).build();
+        // Initialize client that will be used to send requests. This client only needs
+        // to be created
+        // once, and can be reused for multiple requests.
+        try (SecretManagerServiceClient client =
+            SecretManagerServiceClient.create(secretManagerServiceSettings)) {
+          // Build the name of the secret.
+          SecretName secretName =
+              SecretName.ofProjectLocationSecretName(projectId, locationId, secretId);
+          // Build the updated secret with an empty annotations map.
+          Secret secret =
+              Secret.newBuilder()
+                  .setName(secretName.toString())
+                  .putAllAnnotations(new HashMap<>())
+                  .build();
+          // Create the field mask for updating only the annotations
+          FieldMask fieldMask = FieldMaskUtil.fromString("annotations");
+          // Update the secret.
+          Secret updatedSecret = client.updateSecret(secret, fieldMask);
+          System.out.printf("Deleted annotations from %s\n", updatedSecret.getName());
+          return updatedSecret;
+        }
+      }
+    }
+    // [END secretmanager_delete_regional_secret_annotations]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added new samples for CMEK and Annotations #10223

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Added new samples for CMEK and Annotations #10223

Are you sure you want to change the base?

Added new samples for CMEK and Annotations #10223

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!