{"id":165706,"date":"2026-04-11T09:18:19","date_gmt":"2026-04-11T06:18:19","guid":{"rendered":"https:\/\/computingforgeeks.com\/google-cloud-secret-manager-tutorial\/"},"modified":"2026-04-11T09:18:19","modified_gmt":"2026-04-11T06:18:19","slug":"google-cloud-secret-manager-tutorial","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/google-cloud-secret-manager-tutorial\/","title":{"rendered":"Google Cloud Secret Manager: Complete Tutorial (2026)"},"content":{"rendered":"\n

The path from “we need to store this database password somewhere” to “we accidentally committed the database password to Git” is alarmingly short. Google Secret Manager is the managed store that closes that loop on GCP. Secrets live in an API-accessible vault, access is granted through IAM, versions are immutable, audit logs show exactly who read what and when, and the price per secret is low enough that nobody needs to cut corners. This guide walks through what Secret Manager actually is, how pricing really works (including the free tier most articles skip), the four IAM roles you need to know, how versioning and the latest<\/code> alias actually behave under rollback (with a gotcha that surprises most teams), rotation via Pub\/Sub, regional vs global secrets, CMEK with the automatic-replication trap, and a tested end-to-end External Secrets Operator integration on GKE that pulls secrets into Kubernetes without a single JSON key.<\/p>\n\n\n\n

Every command was run on a live GCP project in europe-west1<\/code> with the real output captured, including a behavior check on the latest<\/code> alias that contradicts what most blog posts claim. If you are coming from AWS, the final comparison section is a fast map from AWS Secrets Manager to GCP Secret Manager so you can skim the differences in thirty seconds.<\/p>\n\n\n\n

Tested April 2026 on Google Cloud Secret Manager with gcloud 521, GKE Autopilot 1.35.1-gke.1396002, and External Secrets Operator 0.18<\/em><\/p>\n\n\n\n

What Secret Manager Actually Is<\/h2>\n\n\n\n

Secret Manager is a managed key-value store scoped specifically to application secrets. Each secret is a resource with metadata (name, labels, replication policy, rotation config) and zero or more immutable versions<\/strong> holding the actual payload. The payload is binary, up to 64 KiB per version, and encrypted at rest with Google-managed keys by default or a CMEK key from Cloud KMS if you bring your own. Access is granted through IAM the same way you grant access to any other GCP resource, which means you can bind directly to a Kubernetes ServiceAccount via GKE Workload Identity<\/a>, to a GitHub Actions pipeline via Workload Identity Federation, or to a Google Service Account for a Compute Engine VM.<\/p>\n\n\n\n

Secrets are designed around four constraints that make them useful for production. First, versions are immutable. Once you create version 3 you cannot edit it, only disable or destroy it. Second, every access is logged via Cloud Audit Logs Data Access logs (opt-in but free for many workloads). Third, replication is configured at creation time and cannot be changed. Fourth, IAM is granular enough to grant different teams different roles on the same secret without duplicating the secret itself. If you think of it as “etcd for production credentials with IAM in front,” the mental model is accurate.<\/p>\n\n\n\n

Pricing: What It Actually Costs<\/h2>\n\n\n\n

Secret Manager pricing is one of the cheapest line items on a real GCP bill, but the structure has a few sharp edges worth knowing.<\/p>\n\n\n\n

\n\n
Item<\/th>Price<\/th>Free tier (always)<\/th><\/tr><\/thead>\n
Active secret versions<\/td>$0.06 per version per location per month<\/td>6 versions<\/td><\/tr>\n
Destroyed secret versions<\/td>Free<\/td>Unlimited<\/td><\/tr>\n
Access operations<\/td>$0.03 per 10,000 operations<\/td>10,000 operations<\/td><\/tr>\n
Management operations<\/td>Free<\/td>Unlimited<\/td><\/tr>\n
Rotation notifications<\/td>$0.05 per rotation<\/td>3 rotations<\/td><\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n

The “per location” qualifier is where people get caught out. A secret with automatic replication bills as one location regardless of how many regions Google actually replicates it to. A secret with user-managed replication explicitly listing three regions bills as three locations, so a single version costs $0.18<\/code> per month instead of $0.06<\/code>. If you need data residency in specific regions, user-managed replication is the right call. If you just want multi-region durability without thinking about it, automatic wins on cost.<\/p>\n\n\n\n

The free tier covers six active versions and ten thousand access operations per month across the entire billing account. A small project with a handful of secrets that gets queried a few times an hour sits inside the free tier permanently. A production workload with dozens of secrets and continuous reads will pay a few dollars per month. It is almost never a meaningful line item unless somebody builds a bad loop that queries the same secret on every HTTP request instead of caching it in memory.<\/p>\n\n\n\n

Prerequisites<\/h2>\n\n\n\n

Small set of prerequisites. Nothing exotic.<\/p>\n\n\n\n