Add samples for secret expiration - create, update, and delete #10225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

dhavalbhensdadiya-crest wants to merge 11 commits into GoogleCloudPlatform:main from dhavalbhensdadiya-crest:feature/expiration-create-update-delete

secretmanager/README.md

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -12,14 +12,16 @@ the Secret Manager API using the Google Java API Client Libraries.
  
    ### Enable the API

    You must [enable the Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) for your project in order to use these samples

    You must enable the [Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) and [Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com) for your project in order to use these samples

    ### Set Environment Variables

    You must set your project ID in order to run the tests

    You must set your project ID, KMS Keys (Global and Regional) in order to run the tests

    ```text

    $ export GOOGLE_CLOUD_PROJECT=<your-project-id-here>

    $ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)

    $ export GOOGLE_CLOUD_KMS_KEY=<full-name-of-global-kms-key>

    ```

    ### Grant Permissions

    @@ -28,5 +30,6 @@ You must ensure that the [user account or service account](https://cloud.google.
  
    * Secret Manager Admin (`roles/secretmanager.admin`)

    * Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)

    * Cloud KMS Encrypter / Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the regional and global KMS key used for testing

    More information can be found in the [Secret Manager Docs](https://cloud.google.com/secret-manager/docs/access-control)

secretmanager/src/main/java/secretmanager/BindSecretTag.java

-Original file line number
+Diff line change
@@ -0,0 +1,64 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager;
+    // [START secretmanager_bind_secret_tag]
+    import com.google.cloud.resourcemanager.v3.CreateTagBindingRequest;
+    import com.google.cloud.resourcemanager.v3.TagBinding;
+    import com.google.cloud.resourcemanager.v3.TagBindingsClient;
+    import java.io.IOException;
+    import java.util.concurrent.ExecutionException;
+    public class BindSecretTag {
+      public static void main(String[] args) throws Exception {
+        // TODO(developer): replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // This is the id of the secret to act on
+        String secretId = "your-secret-id";
+        // Tag value to bind, e.g. "tagValues/123"
+        String tagValueName = "your-tag-value";
+        bindSecretTag(projectId, secretId, tagValueName);
+      }
+      // Bind a TagValue to a Secret by creating a TagBinding.
+      public static TagBinding bindSecretTag(String projectId, String secretId, String tagValueName)
+          throws IOException, InterruptedException, ExecutionException {
+        String parent = String.format("//secretmanager.googleapis.com/projects/%s/secrets/%s",
+            projectId, secretId);
+        try (TagBindingsClient tagBindingsClient = TagBindingsClient.create()) {
+          TagBinding tagBinding = TagBinding.newBuilder()
+              .setTagValue(tagValueName)
+              .setParent(parent)
+              .build();
+          CreateTagBindingRequest request = CreateTagBindingRequest.newBuilder()
+              .setTagBinding(tagBinding)
+              .build();
+          TagBinding created = tagBindingsClient.createTagBindingAsync(request).get();
+          System.out.printf("Created TagBinding: %s\n", created.getName());
+          return created;
+        }
+      }
+    }
+    // [END secretmanager_bind_secret_tag]

secretmanager/src/main/java/secretmanager/CreateSecretWithCmek.java

-Original file line number
+Diff line change
@@ -0,0 +1,75 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager;
+    // [START secretmanager_create_secret_with_cmek]
+    import com.google.cloud.secretmanager.v1.CustomerManagedEncryption;
+    import com.google.cloud.secretmanager.v1.ProjectName;
+    import com.google.cloud.secretmanager.v1.Replication;
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import java.io.IOException;
+    public class CreateSecretWithCmek {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // This is the id of the secret to act on
+        String secretId = "your-secret-id";
+        // This is the Full kms key name to be used for Cmek.
+        String kmsKeyName = "your-kms-key-name";
+        createSecretWithCmek(projectId, secretId, kmsKeyName);
+      }
+      // Create a secret with a customer-managed encryption key (CMEK).
+      public static Secret createSecretWithCmek(String projectId, String secretId, String kmsKeyName)
+          throws IOException {
+        // Initialize client that will be used to send requests. This client only needs to be created
+        // once, and can be reused for multiple requests.
+        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+          // Build the secret name.
+          ProjectName projectName = ProjectName.of(projectId);
+          // Build the Cmek configuration.
+          CustomerManagedEncryption customerManagedEncryption =
+              CustomerManagedEncryption.newBuilder().setKmsKeyName(kmsKeyName).build();
+          // Build the replication using Cmek.
+          Replication secretReplication =
+              Replication.newBuilder()
+                  .setAutomatic(
+                      Replication.Automatic.newBuilder()
+                          .setCustomerManagedEncryption(customerManagedEncryption)
+                          .build())
+                  .build();
+          // Build the secret to create with the replication policy.
+          Secret secret = Secret.newBuilder().setReplication(secretReplication).build();
+          // Create the secret.
+          Secret createdSecret = client.createSecret(projectName, secretId, secret);
+          System.out.printf("Created secret %s\n", createdSecret.getName());
+          return createdSecret;
+        }
+      }
+    }
+    // [END secretmanager_create_secret_with_cmek]

secretmanager/src/main/java/secretmanager/CreateSecretWithExpiration.java

-Original file line number
+Diff line change
@@ -0,0 +1,77 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager;
+    // [START secretmanager_create_secret_with_expiration]
+    import com.google.cloud.secretmanager.v1.ProjectName;
+    import com.google.cloud.secretmanager.v1.Replication;
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import com.google.protobuf.Timestamp;
+    import java.io.IOException;
+    import java.time.Instant;
+    public class CreateSecretWithExpiration {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // This is the id of the secret to create
+        String secretId = "your-secret-id";
+        // This is the time in seconds from now when the secret will expire
+        long expireTimeSeconds = 86400; // 24 hours
+        createSecretWithExpiration(projectId, secretId, expireTimeSeconds);
+      }
+      // Create a new secret with an expiration time.
+      public static Secret createSecretWithExpiration(
+          String projectId, String secretId, long expireTimeSeconds) throws IOException {
+        // Initialize client that will be used to send requests. This client only needs to be created
+        // once, and can be reused for multiple requests. After completing all of your requests, call
+        // the "close" method on the client to safely clean up any remaining background resources.
+        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+          // Build the parent name from the project.
+          ProjectName projectName = ProjectName.of(projectId);
+          // Calculate the expiration time.
+          Instant expireTime = Instant.now().plusSeconds(expireTimeSeconds);
+          Timestamp expireTimestamp = Timestamp.newBuilder()
+              .setSeconds(expireTime.getEpochSecond())
+              .setNanos(expireTime.getNano())
+              .build();
+          // Build the secret to create with expiration time.
+          Secret secret =
+              Secret.newBuilder()
+                  .setReplication(
+                      Replication.newBuilder()
+                          .setAutomatic(Replication.Automatic.newBuilder().build())
+                          .build())
+                  .setExpireTime(expireTimestamp)
+                  .build();
+          // Create the secret.
+          Secret createdSecret = client.createSecret(projectName, secretId, secret);
+          System.out.printf("Created secret %s with expire time\n", createdSecret.getName());
+          return createdSecret;
+        }
+      }
+    }
+    // [END secretmanager_create_secret_with_expiration]

secretmanager/src/main/java/secretmanager/DeleteSecretAnnotations.java

-Original file line number
+Diff line change
@@ -0,0 +1,69 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager;
+    // [START secretmanager_delete_secret_annotations]
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import com.google.cloud.secretmanager.v1.SecretName;
+    import com.google.protobuf.FieldMask;
+    import com.google.protobuf.util.FieldMaskUtil;
+    import java.io.IOException;
+    import java.util.HashMap;
+    public class DeleteSecretAnnotations {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // This is the id of the secret to act on
+        String secretId = "your-secret-id";
+        deleteSecretAnnotations(projectId, secretId);
+      }
+      // Delete annotations from an existing secret.
+      public static Secret deleteSecretAnnotations(String projectId, String secretId)
+          throws IOException {
+        // Initialize client that will be used to send requests. This client only needs
+        // to be created
+        // once, and can be reused for multiple requests.
+        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+          // Build the name of the secret.
+          SecretName secretName = SecretName.of(projectId, secretId);
+          // Build the updated secret with an empty annotations map.
+          Secret secret =
+              Secret.newBuilder()
+                  .setName(secretName.toString())
+                  .putAllAnnotations(new HashMap<>())
+                  .build();
+          // Create the field mask for updating only the annotations
+          FieldMask fieldMask = FieldMaskUtil.fromString("annotations");
+          // Update the secret.
+          Secret updatedSecret = client.updateSecret(secret, fieldMask);
+          System.out.printf("Deleted annotations from %s\n", updatedSecret.getName());
+          return updatedSecret;
+        }
+      }
+    }
+    // [END secretmanager_delete_secret_annotations]

secretmanager/src/main/java/secretmanager/DeleteSecretExpiration.java

-Original file line number
+Diff line change
@@ -0,0 +1,66 @@
+    /*
+     * Copyright 2026 Google LLC
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     * http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    package secretmanager;
+    // [START secretmanager_delete_secret_expiration]
+    import com.google.cloud.secretmanager.v1.Secret;
+    import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+    import com.google.cloud.secretmanager.v1.SecretName;
+    import com.google.protobuf.FieldMask;
+    import com.google.protobuf.util.FieldMaskUtil;
+    import java.io.IOException;
+    public class DeleteSecretExpiration {
+      public static void main(String[] args) throws IOException {
+        // TODO(developer): Replace these variables before running the sample.
+        // This is the id of the GCP project
+        String projectId = "your-project-id";
+        // This is the id of the secret to update
+        String secretId = "your-secret-id";
+        deleteSecretExpiration(projectId, secretId);
+      }
+      // Delete the expiration time from an existing secret.
+      public static Secret deleteSecretExpiration(String projectId, String secretId)
+          throws IOException {
+        // Initialize client that will be used to send requests. This client only needs to be created
+        // once, and can be reused for multiple requests. After completing all of your requests, call
+        // the "close" method on the client to safely clean up any remaining background resources.
+        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+          // Build the secret name.
+          SecretName secretName = SecretName.of(projectId, secretId);
+          // Build the updated secret without expiration time.
+          Secret secret =
+              Secret.newBuilder()
+                  .setName(secretName.toString())
+                  .build();
+          // Build the field mask to clear the expiration time.
+          FieldMask fieldMask = FieldMaskUtil.fromString("expire_time");
+          // Update the secret to remove expiration.
+          Secret updatedSecret = client.updateSecret(secret, fieldMask);
+          System.out.printf("Deleted expiration from secret %s\n", updatedSecret.getName());
+          return updatedSecret;
+        }
+      }
+    }
+    // [END secretmanager_delete_secret_expiration]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add samples for secret expiration - create, update, and delete #10225

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Add samples for secret expiration - create, update, and delete #10225

Are you sure you want to change the base?

Uh oh!

Add samples for secret expiration - create, update, and delete #10225

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!