
Configuring and Using Credentials with Secret Manager


Lab, 45 minutes, 5 credits, introductory level

Overview

In this lab, you use Secret Manager from Cloud Console and the Command Line Interface (CLI) to create and use a secret, replace a secret, and finally, reinstate an older version of a secret.

Secret Manager is available in Cloud Console. It is also available from the command line using the CLI, or from a program using the REST API or one of the supported Software Development Kits (SDKs). Supported SDKs include C#, Go, Node.js, Java, and others. The Secret Manager documentation provides a complete list of available SDKs and information regarding the REST API.

Objectives

In this lab, you learn to:

  • Enable the Secret Manager API.
  • Create and use a new secret.
  • Create a new version of a secret, and disable the old version(s).
  • Reinstate and verify an older version of a secret.

Setup and requirements

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Sign in to Qwiklabs using an incognito window.

  2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
    There is no pause feature. You can restart if needed, but you have to start at the beginning.

  3. When ready, click Start lab.

  4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

  5. Click Open Google Console.

  6. Click Use another account and copy/paste credentials for this lab into the prompts.
    If you use other credentials, you'll receive errors or incur charges.

  7. Accept the terms and skip the recovery resource page.

Task 1. Enable the Secret Manager API

In this task, you enable the Secret Manager API.

Before you access Secret Manager, you must first enable its API. If you fail to do so, when you attempt to access its features, you will receive an error.

  1. In the Navigation menu, select APIs & Services.
  2. At the top of the page, click + Enable API and Services.
  3. In the search box, enter Secret Manager. You should see one result: the Secret Manager API.
  4. Click Secret Manager API. On the resulting page, click Enable. If no error occurs and you see a page with information about this API, you were successful.

Click Check my progress to verify the objective. Enable the Secret Manager API

Task 2. Create a secret

In this task, you create a secret named password and set its secret value.

  1. In the Navigation menu, select Security > Secret Manager.
  2. On the Secret Manager main page, click + Create Secret.
  3. For the Name, enter password.
  4. For the Secret value, enter xyzpdq.
  5. Click + Add Label.
  6. For the Key, enter team.
  7. For the Value, enter acme.
  8. Leave all other values at their default setting, and click Create Secret.

Click Check my progress to verify the objective. Create a secret

Task 3. Use a secret

In this task, you use the secrets command to verify the value of the password secret.

  1. On the Google Cloud Console title bar, click Activate Cloud Shell (Activate cloud shell icon) to open Cloud Shell.
  2. At the bottom of the page, click Continue. Wait for the Google Cloud Shell machine to provision.
  3. At the Cloud Shell Terminal command line, enter:

    gcloud secrets versions access 1 --secret="password"

If successful, you should see that the value of the password secret (xyzpdq) is returned at the beginning of the next line, immediately before the command line prompt, similar to what is shown below:

    student_00_7413964b6ab0@cloudshell:~ (qwiklabs-gcp-00-f575f732b85b)$ gcloud secrets versions access 1 --secret="password"
    xyzpdqstudent_00_7413964b6ab0@cloudshell:~ (qwiklabs-gcp-00-f575f732b85b)$

Task 4. Create and use a new secret version

In this task, you create version 2 of the password secret and use the secrets command to verify its value.

  1. In the Navigation menu of Google Cloud Console, select Security > Secret Manager. The Secret Manager page shows information about the password secret that you created earlier.
  2. Under Actions, click the More actions menu (i.e., the “three dots” menu) and then click Add New Version.
  3. For the Secret value, enter abc123.
  4. Leave all other values at their default setting, and click Add New Version.

Now, let's use the new secret.

  1. At the Cloud Shell Terminal command line, enter:

    gcloud secrets versions access 2 --secret="password"

  2. If successful, you should see that the value of the password secret (abc123) is returned at the beginning of the next line, immediately before the command line prompt, similar to what is shown below:

    student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$ gcloud secrets versions access 2 --secret="password"
    abc123student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$

  3. At the command line, try the command again, except this time, for the version, use the latest alias, as shown below:

    gcloud secrets versions access latest --secret="password"

If successful, you should see that the version 2 value of the password secret (abc123) is returned at the beginning of the next line, immediately before the command line prompt, similar to what is shown below:

    student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$ gcloud secrets versions access latest --secret="password"
    abc123student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$

Click Check my progress to verify the objective. Create and use a new secret version

Task 5. Create a new secret version (and invalidate previous versions)

In this task, you create a new secret version and disable all the past versions. You also verify that only the latest version is accessible.

  1. In the Navigation menu of Google Cloud Console, select Security > Secret Manager. The Secret Manager page shows information about the password secret that you created earlier.
  2. Under Actions, click the More actions menu, and then click Add New Version.
  3. For the Secret value, enter def123.
  4. Select the Disable all past versions checkbox.
  5. Leave all other values at their default setting, and click Add New Version.
  6. Verify that only the latest version is accessible. To do so, at the Cloud Shell Terminal command line, enter:

    gcloud secrets versions access latest --secret="password"

  7. If successful, you should see that the value of the password secret (def123) is returned at the beginning of the next line, immediately before the command line prompt, similar to what is shown below:

    student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$ gcloud secrets versions access latest --secret="password"
    def123student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$

  8. At the command line, try the command again, except this time, for the version, use 2 instead of the latest alias, as shown below:

    gcloud secrets versions access 2 --secret="password"

This should produce a FAILED_PRECONDITION error, informing you that version 2 is in the DISABLED state. (If you tried to access version 1, the same error would be produced.)

Click Check my progress to verify the objective. Create a new secret version (and invalidate previous versions)

Task 6. Reinstate and verify a previous secret version

In this task, you re-enable the version 2 password secret and verify that the version 2 password secret is accessible.

  1. In the Navigation menu of Google Cloud Console, select Security > Secret Manager. The Secret Manager page shows information about the password secret that you created earlier.
  2. Click the password secret. The Details page for the password secret appears.
  3. On the Details page, note that all three versions are shown. In the Status column, you see that version 3 is enabled and versions 1 and 2 are disabled.
  4. For version 2, under Actions, click the More actions menu, and then select Enable.
  5. Click Enable Selected Versions. In the Status column, version 2 should now appear as enabled.
  6. At the Cloud Shell Terminal command line, enter:

    gcloud secrets versions access 2 --secret="password"

If successful, you should see that the version 2 value of the password secret (abc123) is returned at the beginning of the next line, immediately before the command line prompt, similar to what is shown below:

    student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$ gcloud secrets versions access 2 --secret="password"
    abc123student_04_ceff8bd49e59@cloudshell:~ (qwiklabs-gcp-04-60caced57c66)$

  7. In the upper right corner of the Google Cloud Console, find and click on the user icon.
  8. Click Sign out.
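
The console steps in Tasks 5 and 6 can also be scripted from Cloud Shell. The following is an added example, not part of the original lab: it wraps the gcloud secrets versions subcommands in helper functions whose names (version_state, rotate_secret, read_pinned, reinstate_version) are hypothetical, and it assumes an authenticated gcloud and the lab's secret name, password.

```shell
# Added example (not part of the lab): CLI equivalents of Tasks 5 and 6.
# Assumes an authenticated gcloud and the lab's secret name "password";
# the function names below are hypothetical helpers.

# Print one version's state: ENABLED, DISABLED or DESTROYED.
version_state() {  # usage: version_state SECRET VERSION
  gcloud secrets versions describe "$2" --secret="$1" --format='value(state)'
}

# Add a version from stdin, then disable every other ENABLED version,
# as the "Disable all past versions" checkbox does. Prints the new number.
rotate_secret() {  # usage: printf '%s' VALUE | rotate_secret SECRET
  local secret new old
  secret=$1
  new=$(gcloud secrets versions add "$secret" --data-file=- \
        --format='value(name)') || return 1
  new=${new##*/}   # resource path -> version number
  for old in $(gcloud secrets versions list "$secret" \
               --filter='state=ENABLED' --format='value(name)'); do
    old=${old##*/}
    [ "$old" = "$new" ] && continue
    gcloud secrets versions disable "$old" --secret="$secret" >/dev/null || return 1
  done
  printf '%s\n' "$new"
}

# Read a pinned version, but check its state first so that a disabled
# version yields a clear message and exit status 2.
read_pinned() {  # usage: read_pinned SECRET VERSION
  local state
  state=$(version_state "$1" "$2") || return 1
  if [ "$state" != "ENABLED" ]; then
    echo "version $2 of $1 is $state; not reading" >&2
    return 2
  fi
  gcloud secrets versions access "$2" --secret="$1"
}

# Re-enable an older version (Task 6) and confirm the state change.
reinstate_version() {  # usage: reinstate_version SECRET VERSION
  gcloud secrets versions enable "$2" --secret="$1" >/dev/null || return 1
  [ "$(version_state "$1" "$2")" = "ENABLED" ]
}

# Typical sequence: printf '%s' 'def123' | rotate_secret password
#                   reinstate_version password 2 && read_pinned password 2
```

Because read_pinned checks the version state before reading, a caller pinned to a disabled version gets an explicit message and exit status 2 rather than the raw FAILED_PRECONDITION error.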

Review

In this lab you did the following:

  1. Enabled the Secret Manager API.

  2. Created and used a new secret.

  3. Created a new version of a secret.

  4. Disabled the older version(s).

  5. Reinstated and verified the older version of a secret.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
