GoogleCloudPlatform · dhavalbhensdadiya-crest · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 22, 2026
@@ -12,14 +12,16 @@ the Secret Manager API using the Google Java API Client Libraries.
 
 ### Enable the API
 
-You must [enable the Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) for your project in order to use these samples
+You must enable the [Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) and [Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com) for your project in order to use these samples
 
 ### Set Environment Variables
 
-You must set your project ID in order to run the tests
+You must set your project ID, KMS Keys (Global and Regional) in order to run the tests
 
 ```text
 $ export GOOGLE_CLOUD_PROJECT=<your-project-id-here>
+$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)
+$ export GOOGLE_CLOUD_KMS_KEY=<full-name-of-global-kms-key>
 ```
 
 ### Grant Permissions
@@ -28,5 +30,6 @@ You must ensure that the [user account or service account](https://cloud.google.
 
 * Secret Manager Admin (`roles/secretmanager.admin`)
 * Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)
+* Cloud KMS Encrypter / Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the regional and global KMS key used for testing
 
 More information can be found in the [Secret Manager Docs](https://cloud.google.com/secret-manager/docs/access-control)
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_bind_secret_tag]
+import com.google.cloud.resourcemanager.v3.CreateTagBindingRequest;
+import com.google.cloud.resourcemanager.v3.TagBinding;
+import com.google.cloud.resourcemanager.v3.TagBindingsClient;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+
+public class BindSecretTag {
+
+  public static void main(String[] args) throws Exception {
+    // TODO(developer): replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    // Tag value to bind, e.g. "tagValues/123"
+    String tagValueName = "your-tag-value";
+
+    bindSecretTag(projectId, secretId, tagValueName);
+  }
+
+  // Bind a TagValue to a Secret by creating a TagBinding.
+  public static TagBinding bindSecretTag(String projectId, String secretId, String tagValueName)
+      throws IOException, InterruptedException, ExecutionException {
+
+    String parent = String.format("//secretmanager.googleapis.com/projects/%s/secrets/%s",
+        projectId, secretId);
+
+    try (TagBindingsClient tagBindingsClient = TagBindingsClient.create()) {
+      TagBinding tagBinding = TagBinding.newBuilder()
+          .setTagValue(tagValueName)
+          .setParent(parent)
+          .build();
+
+      CreateTagBindingRequest request = CreateTagBindingRequest.newBuilder()
+          .setTagBinding(tagBinding)
+          .build();
+
+      TagBinding created = tagBindingsClient.createTagBindingAsync(request).get();
+      System.out.printf("Created TagBinding: %s\n", created.getName());
+      return created;
+    }
+  }
+}
+// [END secretmanager_bind_secret_tag]
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_create_secret_with_cmek]
+import com.google.cloud.secretmanager.v1.CustomerManagedEncryption;
+import com.google.cloud.secretmanager.v1.ProjectName;
+import com.google.cloud.secretmanager.v1.Replication;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import java.io.IOException;
+
+public class CreateSecretWithCmek {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    // This is the Full kms key name to be used for Cmek.
+    String kmsKeyName = "your-kms-key-name";
+    createSecretWithCmek(projectId, secretId, kmsKeyName);
+  }
+
+  // Create a secret with a customer-managed encryption key (CMEK).
+  public static Secret createSecretWithCmek(String projectId, String secretId, String kmsKeyName)
+      throws IOException {
+
+    // Initialize client that will be used to send requests. This client only needs
+    // to be created
+    // once, and can be reused for multiple requests.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+
+      // Build the secret name.
+      ProjectName projectName = ProjectName.of(projectId);
+
+      // Build the Cmek configuration.
+      CustomerManagedEncryption customerManagedEncryption =
+          CustomerManagedEncryption.newBuilder().setKmsKeyName(kmsKeyName).build();
+
+      // Build the replication using Cmek.
+      Replication secretReplication =
+          Replication.newBuilder()
+              .setAutomatic(
+                  Replication.Automatic.newBuilder()
+                      .setCustomerManagedEncryption(customerManagedEncryption)
+                      .build())
+              .build();
+
+      // Build the secret to create with the replication policy.
+      Secret secret = Secret.newBuilder().setReplication(secretReplication).build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(projectName, secretId, secret);
+      System.out.printf("Created secret %s\n", createdSecret.getName());
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_secret_with_cmek]
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_delete_secret_annotations]
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.SecretName;
+import com.google.protobuf.FieldMask;
+import com.google.protobuf.util.FieldMaskUtil;
+import java.io.IOException;
+import java.util.HashMap;
+
+public class DeleteSecretAnnotations {
+
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    deleteSecretAnnotations(projectId, secretId);
+  }
+
+  // Delete annotations from an existing secret.
+  public static Secret deleteSecretAnnotations(String projectId, String secretId)
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only needs
+    // to be created
+    // once, and can be reused for multiple requests.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the name of the secret.
+      SecretName secretName = SecretName.of(projectId, secretId);
+
+      // Build the updated secret with an empty annotations map.
+      Secret secret =
+          Secret.newBuilder()
+              .setName(secretName.toString())
+              .putAllAnnotations(new HashMap<>())
+              .build();
+
+      // Create the field mask for updating only the annotations
+      FieldMask fieldMask = FieldMaskUtil.fromString("annotations");
+
+      // Update the secret.
+      Secret updatedSecret = client.updateSecret(secret, fieldMask);
+      System.out.printf("Deleted annotations from %s\n", updatedSecret.getName());
+
+      return updatedSecret;
+    }
+  }
+}
+// [END secretmanager_delete_secret_annotations]
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_delete_secret_tag]
+import com.google.cloud.resourcemanager.v3.ListTagBindingsRequest;
+import com.google.cloud.resourcemanager.v3.TagBinding;
+import com.google.cloud.resourcemanager.v3.TagBindingsClient;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+
+public class DeleteSecretTag {
+
+  public static void main(String[] args) throws Exception {
+    // TODO(developer): replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    // Tag value to delete, e.g. "tagValues/123"
+    String tagValueName = "your-tag-value";
+
+    deleteSecretTag(projectId, secretId, tagValueName);
+  }
+
+  // Remove a TagValue from a Secret by deleting the TagBinding.
+  public static void deleteSecretTag(String projectId, String secretId, String tagValueName)
+      throws IOException, InterruptedException, ExecutionException {
+
+    String parent = String.format("//secretmanager.googleapis.com/projects/%s/secrets/%s",
+        projectId, secretId);
+
+    try (TagBindingsClient tagBindingsClient = TagBindingsClient.create()) {
+      ListTagBindingsRequest request = 
+          ListTagBindingsRequest.newBuilder().setParent(parent).build();
+
+      // Iterate over tag bindings
+      for (TagBinding binding : tagBindingsClient.listTagBindings(request).iterateAll()) {
+        // Delete the TagBinding if it matches the specified TagValue
+        if (binding.getTagValue().equals(tagValueName)) {
+          tagBindingsClient.deleteTagBindingAsync(binding.getName()).get();
+          System.out.printf("Deleted TagBinding with Name %s and TagValue %s\n",
+              binding.getName(), binding.getTagValue());
+        }
+      }
+    }
+  }
+}
+// [END secretmanager_delete_secret_tag]
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_list_secret_tag_bindings]
+import com.google.cloud.resourcemanager.v3.ListTagBindingsRequest;
+import com.google.cloud.resourcemanager.v3.TagBinding;
+import com.google.cloud.resourcemanager.v3.TagBindingsClient;
+import java.io.IOException;
+
+public class ListSecretTagBindings {
+
+  public static void main(String[] args) throws Exception {
+    // TODO(developer): replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+
+    listSecretTagBindings(projectId, secretId);
+  }
+
+  // List tag bindings attached to the secret resource.
+  public static void listSecretTagBindings(String projectId, String secretId)
+      throws IOException {
+
+    // Resource Manager TagBindings are listed under a parent such as the project.
+    String parent = String.format("//secretmanager.googleapis.com/projects/%s/secrets/%s",
+        projectId, secretId);
+
+    try (TagBindingsClient tagBindingsClient = TagBindingsClient.create()) {
+      ListTagBindingsRequest request = 
+          ListTagBindingsRequest.newBuilder().setParent(parent).build();
+
+      // Iterate over tag bindings
+      for (TagBinding binding : tagBindingsClient.listTagBindings(request).iterateAll()) {
+        System.out.printf("Found TagBinding with Name %s and TagValue %s\n",
+            binding.getName(), binding.getTagValue());
+      }
+    }
+  }
+}
+// [END secretmanager_list_secret_tag_bindings]