author | Google APIs <noreply@google.com> | 2024-04-21 10:22:28 -0700 |
committer | Copybara-Service <copybara-worker@google.com> | 2024-04-21 10:23:24 -0700 |
commit | 034570432b14b429c5f597701132b6d9ceb553a2 (patch) | |
tree | 714c6d4100862287ed65d15a3799d9599ee3706a | |
parent | c1624aee4d7998f516b5b42b6740538b7b8b1cf3 (diff) | |
feat: Add Secret Version Delayed Destroy changes for client libraries
docs: Users can now enable secret version delayed destruction
PiperOrigin-RevId: 626820938
-rw-r--r-- | google/cloud/secretmanager/v1/BUILD.bazel | 4 | ||||
-rw-r--r-- | google/cloud/secretmanager/v1/resources.proto | 54 | ||||
-rw-r--r-- | google/cloud/secretmanager/v1/secretmanager_v1.yaml | 54 | ||||
-rw-r--r-- | google/cloud/secretmanager/v1/service.proto | 106 |
4 files changed, 184 insertions, 34 deletions
diff --git a/google/cloud/secretmanager/v1/BUILD.bazel b/google/cloud/secretmanager/v1/BUILD.bazel
index 96e89cf11..ef9e07f48 100644
--- a/google/cloud/secretmanager/v1/BUILD.bazel
+++ b/google/cloud/secretmanager/v1/BUILD.bazel
@@ -76,12 +76,15 @@ java_gapic_library( rest_numeric_enums = True, service_yaml = "secretmanager_v1.yaml", test_deps = [ + "//google/cloud/location:location_java_grpc", ":secretmanager_java_grpc", "//google/iam/v1:iam_java_grpc", ], transport = "grpc+rest", deps = [ ":secretmanager_java_proto", + "//google/api:api_java_proto", + "//google/cloud/location:location_java_proto", "//google/iam/v1:iam_java_proto", ], )
@@ -141,6 +144,7 @@ go_gapic_library( transport = "grpc+rest", deps = [ ":secretmanager_go_proto", + "//google/cloud/location:location_go_proto", "//google/iam/v1:iam_go_proto", "@io_bazel_rules_go//proto/wkt:duration_go_proto", ],
diff --git a/google/cloud/secretmanager/v1/resources.proto b/google/cloud/secretmanager/v1/resources.proto
index 7268accfe..7adce715a 100644
--- a/google/cloud/secretmanager/v1/resources.proto
+++ b/google/cloud/secretmanager/v1/resources.proto
@@ -41,6 +41,9 @@ message Secret { option (google.api.resource) = { type: "secretmanager.googleapis.com/Secret" pattern: "projects/{project}/secrets/{secret}" + pattern: "projects/{project}/locations/{location}/secrets/{secret}" + plural: "secrets" + singular: "secret" }; // Output only. The resource name of the 
@@ -48,13 +51,13 @@ message Secret { // `projects/*/secrets/*`. string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY]; - // Required. Immutable. The replication policy of the secret data attached to + // Optional. Immutable. The replication policy of the secret data attached to // the [Secret][google.cloud.secretmanager.v1.Secret]. // // The replication policy cannot be changed after the Secret has been created. Replication replication = 2 [ (google.api.field_behavior) = IMMUTABLE, - (google.api.field_behavior) = REQUIRED + (google.api.field_behavior) = OPTIONAL ]; // Output only. The time at which the
@@ -120,7 +123,7 @@ message Secret { // No more than 50 aliases can be assigned to a given secret. // // Version-Alias pairs will be viewable via GetSecret and modifiable via - // UpdateSecret. At launch access by alias will only be supported on + // UpdateSecret. Access by alias is only be supported on // GetSecretVersion and AccessSecretVersion. map<string, int64> version_aliases = 11 [(google.api.field_behavior) = OPTIONAL]; 
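Review bot: The rewritten comment on `replication` now opens with `// Optional. Immutable.` but never states when the field may actually be omitted or what the service does in that case, which matters because the annotation on a GA v1 field drops from REQUIRED to OPTIONAL and generated-client validation and reference docs follow that annotation. Presumably the policy stays mandatory for `projects/*/secrets/*` and is only omissible for `projects/*/locations/*/secrets/*`, where the resource name already fixes the location; if that is the rule, add a line such as `// Must be set for secrets under \`projects/*/secrets/*\`; may be omitted for regional secrets.` (confirm the exact rule). Callers that relied on the server rejecting a missing policy would also benefit from the relaxation being called out in the commit description. The enclosing `Secret` message starts and ends outside this hunk.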
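Review bot: The new line in the `version_aliases` comment reads `// UpdateSecret. Access by alias is only be supported on`, which is ungrammatical; `// UpdateSecret. Access by alias is only supported on` is the intended sentence. The enclosing `Secret` message starts and ends outside this hunk.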
@@ -138,6 +141,27 @@ message Secret { // // The total size of annotation keys and values must be less than 16KiB. map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL]; + + // Optional. Secret Version TTL after destruction request + // + // This is a part of the Delayed secret version destroy feature. + // For secret with TTL>0, version destruction doesn't happen immediately + // on calling destroy instead the version goes to a disabled state and + // destruction happens after the TTL expires. + google.protobuf.Duration version_destroy_ttl = 14 + [(google.api.field_behavior) = OPTIONAL]; + + // Optional. The customer-managed encryption configuration of the Regionalised + // Secrets. If no configuration is provided, Google-managed default encryption + // is used. + // + // Updates to the [Secret][google.cloud.secretmanager.v1.Secret] encryption + // configuration only apply to + // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] added + // afterwards. They do not apply retroactively to existing + // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion]. + CustomerManagedEncryption customer_managed_encryption = 15 + [(google.api.field_behavior) = OPTIONAL]; } // A secret version resource in the Secret Manager API.
@@ -145,6 +169,9 @@ message SecretVersion { option (google.api.resource) = { type: "secretmanager.googleapis.com/SecretVersion" pattern: "projects/{project}/secrets/{secret}/versions/{secret_version}" + pattern: "projects/{project}/locations/{location}/secrets/{secret}/versions/{secret_version}" + plural: "secretVersions" + singular: "secretVersion" }; // The state of a 
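Review bot: The comment on `version_destroy_ttl` leaves out the part a caller of DestroySecretVersion needs: by its own description the version only moves to a disabled state and the payload is not destroyed until the TTL elapses, so a destroy call is no longer an immediate, irreversible wipe while this field is set, and the comment should say whether the pending destruction can be cancelled (for instance by re-enabling the version) and what an unset or zero duration means, neither of which the hunk states. I would restate the comment as a sentence giving the field's purpose (delay between a destroy request and actual destruction), the observable state during the window (disabled, payload retained until `scheduled_destroy_time`), the cancellation rule, and the unset/zero behavior, each marked to be confirmed where the service behavior is not visible here; the first line also needs a terminal period and the phrases `For secret with TTL>0` and `on calling destroy instead the version` need rewording. Separately, `customer_managed_encryption` on `Secret` now sits beside the CMEK settings carried by `Replication`, and the comment should say which one applies, or that the new field is only honoured for regional secrets, since the text says only `of the Regionalised Secrets`. The `Secret` message starts outside this hunk.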
@@ -213,6 +240,22 @@ message SecretVersion { // [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion]. bool client_specified_payload_checksum = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Optional. Output only. Scheduled destroy time for secret version. + // This is a part of the Delayed secret version destroy feature. For a + // Secret with a valid version destroy TTL, when a secert version is + // destroyed, the version is moved to disabled state and it is scheduled for + // destruction. The version is destroyed only after the + // `scheduled_destroy_time`. + google.protobuf.Timestamp scheduled_destroy_time = 8 + [(google.api.field_behavior) = OUTPUT_ONLY]; + + // Output only. The customer-managed encryption status of the + // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. Only + // populated if customer-managed encryption is used and + // [Secret][google.cloud.secretmanager.v1.Secret] is a Regionalised Secret. + CustomerManagedEncryptionStatus customer_managed_encryption = 9 + [(google.api.field_behavior) = OUTPUT_ONLY]; } // A policy that defines the replication and encryption configuration of data.
@@ -381,8 +424,9 @@ message Topic { // Required. The resource name of the Pub/Sub topic that will be published to, // in the following format: `projects/*/topics/*`. For publication to succeed, - // the Secret Manager P4SA must have `pubsub.publisher` permissions on the - // topic. + // the Secret Manager service agent must have the `pubsub.topic.publish` + // permission on the topic. The Pub/Sub Publisher role + // (`roles/pubsub.publisher`) includes this permission. string name = 1 [(google.api.field_behavior) = REQUIRED]; }
diff --git a/google/cloud/secretmanager/v1/secretmanager_v1.yaml b/google/cloud/secretmanager/v1/secretmanager_v1.yaml
index b269b2981..cf3328feb 100644
--- a/google/cloud/secretmanager/v1/secretmanager_v1.yaml 
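Review bot: The comment on `scheduled_destroy_time` opens with `// Optional. Output only.` while the field carries only `OUTPUT_ONLY`; the behavior prefix is read by API linters and generated reference docs, so it should match the annotation: `// Output only. Scheduled destroy time for secret version.`. The same comment misspells `secert`. It would also help callers to state explicitly that the field is unset when no destruction is pending, which the text implies but does not say (confirm against the service). The `SecretVersion` message starts outside this hunk.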
+++ b/google/cloud/secretmanager/v1/secretmanager_v1.yaml
@@ -4,6 +4,7 @@ name: secretmanager.googleapis.com title: Secret Manager API apis: +- name: google.cloud.location.Locations - name: google.cloud.secretmanager.v1.SecretManagerService documentation:
@@ -18,15 +19,6 @@ documentation: - selector: google.cloud.location.Locations.ListLocations description: Lists information about the supported locations for this service. -backend: - rules: - - selector: google.cloud.location.Locations.GetLocation - deadline: 60.0 - - selector: google.cloud.location.Locations.ListLocations - deadline: 60.0 - - selector: 'google.cloud.secretmanager.v1.SecretManagerService.*' - deadline: 60.0 - http: rules: - selector: google.cloud.location.Locations.GetLocation
@@ -48,3 +40,47 @@ authentication: oauth: canonical_scopes: |- https://www.googleapis.com/auth/cloud-platform + +publishing: + new_issue_uri: https://issuetracker.google.com/issues/new?component=784854&template=1380926 + documentation_uri: https://cloud.google.com/secret-manager/docs/overview + api_short_name: secretmanager + github_label: 'api: secretmanager' + doc_tag_prefix: secretmanager + organization: CLOUD + library_settings: + - version: google.cloud.secretmanager.v1 + launch_stage: GA + java_settings: + common: + destinations: + - PACKAGE_MANAGER + cpp_settings: + common: + destinations: + - PACKAGE_MANAGER + php_settings: + common: + destinations: + - PACKAGE_MANAGER + python_settings: + common: + destinations: + - PACKAGE_MANAGER + node_settings: + common: + destinations: + - PACKAGE_MANAGER + dotnet_settings: + common: + destinations: + - PACKAGE_MANAGER + ruby_settings: + common: + destinations: + - PACKAGE_MANAGER + go_settings: + common: + destinations: + - PACKAGE_MANAGER + proto_reference_documentation_uri: https://cloud.google.com/secret-manager/docs/reference/rpc
diff --git a/google/cloud/secretmanager/v1/service.proto b/google/cloud/secretmanager/v1/service.proto
index a079e9e36..ad23183b0 100644 
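Review bot: The second hunk of this file deletes the whole `backend` section, including the `deadline: 60.0` rules for `google.cloud.location.Locations.*` and `google.cloud.secretmanager.v1.SecretManagerService.*`, yet neither the commit title nor the description mentions a deadline change. What deadline applies once the rules are gone is not visible from this diff, so confirm the removal is intentional rather than a merge artefact, and if it is, add one line to the description saying so. The `documentation` and `http` sections that surround the deleted block continue outside the hunk.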
--- a/google/cloud/secretmanager/v1/service.proto
+++ b/google/cloud/secretmanager/v1/service.proto
@@ -52,6 +52,7 @@ service SecretManagerService { rpc ListSecrets(ListSecretsRequest) returns (ListSecretsResponse) { option (google.api.http) = { get: "/v1/{parent=projects/*}/secrets" + additional_bindings { get: "/v1/{parent=projects/*/locations/*}/secrets" } }; option (google.api.method_signature) = "parent"; }
@@ -62,6 +63,10 @@ service SecretManagerService { option (google.api.http) = { post: "/v1/{parent=projects/*}/secrets" body: "secret" + additional_bindings { + post: "/v1/{parent=projects/*/locations/*}/secrets" + body: "secret" + } }; option (google.api.method_signature) = "parent,secret_id,secret"; }
@@ -73,6 +78,10 @@ service SecretManagerService { option (google.api.http) = { post: "/v1/{parent=projects/*/secrets/*}:addVersion" body: "*" + additional_bindings { + post: "/v1/{parent=projects/*/locations/*/secrets/*}:addVersion" + body: "*" + } }; option (google.api.method_signature) = "parent,payload"; }
@@ -81,6 +90,7 @@ service SecretManagerService { rpc GetSecret(GetSecretRequest) returns (Secret) { option (google.api.http) = { get: "/v1/{name=projects/*/secrets/*}" + additional_bindings { get: "/v1/{name=projects/*/locations/*/secrets/*}" } }; option (google.api.method_signature) = "name"; }
@@ -91,6 +101,10 @@ service SecretManagerService { option (google.api.http) = { patch: "/v1/{secret.name=projects/*/secrets/*}" body: "secret" + additional_bindings { + patch: "/v1/{secret.name=projects/*/locations/*/secrets/*}" + body: "secret" + } }; option (google.api.method_signature) = "secret,update_mask"; }
@@ -99,6 +113,9 @@ service SecretManagerService { rpc DeleteSecret(DeleteSecretRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v1/{name=projects/*/secrets/*}" + additional_bindings { + delete: "/v1/{name=projects/*/locations/*/secrets/*}" + } }; option (google.api.method_signature) = "name"; } 
@@ -109,6 +126,9 @@ service SecretManagerService { returns (ListSecretVersionsResponse) { option (google.api.http) = { get: "/v1/{parent=projects/*/secrets/*}/versions" + additional_bindings { + get: "/v1/{parent=projects/*/locations/*/secrets/*}/versions" + } }; option (google.api.method_signature) = "parent"; }
@@ -121,6 +141,9 @@ service SecretManagerService { rpc GetSecretVersion(GetSecretVersionRequest) returns (SecretVersion) { option (google.api.http) = { get: "/v1/{name=projects/*/secrets/*/versions/*}" + additional_bindings { + get: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}" + } }; option (google.api.method_signature) = "name"; }
@@ -134,6 +157,9 @@ service SecretManagerService { returns (AccessSecretVersionResponse) { option (google.api.http) = { get: "/v1/{name=projects/*/secrets/*/versions/*}:access" + additional_bindings { + get: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:access" + } }; option (google.api.method_signature) = "name"; }
@@ -148,6 +174,10 @@ service SecretManagerService { option (google.api.http) = { post: "/v1/{name=projects/*/secrets/*/versions/*}:disable" body: "*" + additional_bindings { + post: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:disable" + body: "*" + } }; option (google.api.method_signature) = "name"; }
@@ -161,6 +191,10 @@ service SecretManagerService { option (google.api.http) = { post: "/v1/{name=projects/*/secrets/*/versions/*}:enable" body: "*" + additional_bindings { + post: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:enable" + body: "*" + } }; option (google.api.method_signature) = "name"; }
@@ -176,6 +210,10 @@ service SecretManagerService { option (google.api.http) = { post: "/v1/{name=projects/*/secrets/*/versions/*}:destroy" body: "*" + additional_bindings { + post: "/v1/{name=projects/*/locations/*/secrets/*/versions/*}:destroy" + body: "*" + } }; option (google.api.method_signature) = "name"; } 
@@ -192,6 +230,10 @@ service SecretManagerService { option (google.api.http) = { post: "/v1/{resource=projects/*/secrets/*}:setIamPolicy" body: "*" + additional_bindings { + post: "/v1/{resource=projects/*/locations/*/secrets/*}:setIamPolicy" + body: "*" + } }; }
@@ -201,6 +243,9 @@ service SecretManagerService { returns (google.iam.v1.Policy) { option (google.api.http) = { get: "/v1/{resource=projects/*/secrets/*}:getIamPolicy" + additional_bindings { + get: "/v1/{resource=projects/*/locations/*/secrets/*}:getIamPolicy" + } }; }
@@ -216,6 +261,10 @@ service SecretManagerService { option (google.api.http) = { post: "/v1/{resource=projects/*/secrets/*}:testIamPermissions" body: "*" + additional_bindings { + post: "/v1/{resource=projects/*/locations/*/secrets/*}:testIamPermissions" + body: "*" + } }; } }
@@ -224,12 +273,12 @@ service SecretManagerService { // [SecretManagerService.ListSecrets][google.cloud.secretmanager.v1.SecretManagerService.ListSecrets]. message ListSecretsRequest { // Required. The resource name of the project associated with the - // [Secrets][google.cloud.secretmanager.v1.Secret], in the format - // `projects/*`. + // [Secrets][google.cloud.secretmanager.v1.Secret], in the format `projects/*` + // or `projects/*/locations/*` string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { - type: "cloudresourcemanager.googleapis.com/Project" + child_type: "secretmanager.googleapis.com/Secret" } ];
@@ -262,7 +311,10 @@ message ListSecretsResponse { // to retrieve the next page. string next_page_token = 2; - // The total number of [Secrets][google.cloud.secretmanager.v1.Secret]. + // The total number of [Secrets][google.cloud.secretmanager.v1.Secret] but 0 + // when the + // [ListSecretsRequest.filter][google.cloud.secretmanager.v1.ListSecretsRequest.filter] + // field is set. int32 total_size = 3; } 
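Review bot: In the `ListSecretsRequest` hunk the rewritten `parent` comment ends without a period, `// or \`projects/*/locations/*\``, while the parallel sentence added to `CreateSecretRequest` in the next hunk ends with one; `// or \`projects/*/locations/*\`.` keeps the two consistent. The comment still calls `parent` "the resource name of the project", which is no longer accurate for the `projects/*/locations/*` form the same hunk adds; "the parent of the Secrets" or similar would match the switch to `child_type`. The `ListSecretsRequest` message continues outside the hunk.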
@@ -270,11 +322,12 @@ message ListSecretsResponse { // [SecretManagerService.CreateSecret][google.cloud.secretmanager.v1.SecretManagerService.CreateSecret]. message CreateSecretRequest { // Required. The resource name of the project to associate with the - // [Secret][google.cloud.secretmanager.v1.Secret], in the format `projects/*`. + // [Secret][google.cloud.secretmanager.v1.Secret], in the format `projects/*` + // or `projects/*/locations/*`. string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { - type: "cloudresourcemanager.googleapis.com/Project" + child_type: "secretmanager.googleapis.com/Secret" } ];
@@ -296,7 +349,7 @@ message AddSecretVersionRequest { // Required. The resource name of the // [Secret][google.cloud.secretmanager.v1.Secret] to associate with the // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format - // `projects/*/secrets/*`. + // `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = {
@@ -314,7 +367,7 @@ message AddSecretVersionRequest { message GetSecretRequest { // Required. The resource name of the // [Secret][google.cloud.secretmanager.v1.Secret], in the format - // `projects/*/secrets/*`. + // `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = {
@@ -329,7 +382,7 @@ message ListSecretVersionsRequest { // Required. The resource name of the // [Secret][google.cloud.secretmanager.v1.Secret] associated with the // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] to list, in - // the format `projects/*/secrets/*`. + // the format `projects/*/secrets/*` or `projects/*/locations/*/secrets/*`. string parent = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { 
@@ -367,7 +420,10 @@ message ListSecretVersionsResponse { string next_page_token = 2; // The total number of - // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion]. + // [SecretVersions][google.cloud.secretmanager.v1.SecretVersion] but 0 when + // the + // [ListSecretsRequest.filter][google.cloud.secretmanager.v1.ListSecretsRequest.filter] + // field is set. int32 total_size = 3; }
@@ -376,10 +432,13 @@ message ListSecretVersionsResponse { message GetSecretVersionRequest { // Required. The resource name of the // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format - // `projects/*/secrets/*/versions/*`. + // `projects/*/secrets/*/versions/*` or + // `projects/*/locations/*/secrets/*/versions/*`. // - // `projects/*/secrets/*/versions/latest` is an alias to the most recently - // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. + // `projects/*/secrets/*/versions/latest` or + // `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most + // recently created + // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { 
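Review bot: The new `total_size` comment in `ListSecretVersionsResponse` cross-references `ListSecretsRequest.filter`, which is the filter of a different request; this response presumably reports 0 when `ListSecretVersionsRequest.filter` is set, so the link should read `// [ListSecretVersionsRequest.filter][google.cloud.secretmanager.v1.ListSecretVersionsRequest.filter]` (assuming that request has a `filter` field, which this hunk does not show). The wording `... but 0 when the ... field is set`, shared with the `ListSecretsResponse` hunk, would also read more clearly as `The total number of ..., or 0 when ... is set.` The `ListSecretVersionsResponse` message starts outside the hunk.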
@@ -405,10 +464,13 @@ message UpdateSecretRequest { message AccessSecretVersionRequest { // Required. The resource name of the // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format - // `projects/*/secrets/*/versions/*`. + // `projects/*/secrets/*/versions/*` or + // `projects/*/locations/*/secrets/*/versions/*`. // - // `projects/*/secrets/*/versions/latest` is an alias to the most recently - // created [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. + // `projects/*/secrets/*/versions/latest` or + // `projects/*/locations/*/secrets/*/versions/latest` is an alias to the most + // recently created + // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion]. string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = {
@@ -422,7 +484,8 @@ message AccessSecretVersionRequest { message AccessSecretVersionResponse { // The resource name of the // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] in the format - // `projects/*/secrets/*/versions/*`. + // `projects/*/secrets/*/versions/*` or + // `projects/*/locations/*/secrets/*/versions/*`. string name = 1 [(google.api.resource_reference) = { type: "secretmanager.googleapis.com/SecretVersion" }];
@@ -455,7 +518,8 @@ message DeleteSecretRequest { message DisableSecretVersionRequest { // Required. The resource name of the // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] to disable in - // the format `projects/*/secrets/*/versions/*`. + // the format `projects/*/secrets/*/versions/*` or + // `projects/*/locations/*/secrets/*/versions/*`. string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { 
@@ -475,7 +539,8 @@ message DisableSecretVersionRequest { message EnableSecretVersionRequest { // Required. The resource name of the // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] to enable in - // the format `projects/*/secrets/*/versions/*`. + // the format `projects/*/secrets/*/versions/*` or + // `projects/*/locations/*/secrets/*/versions/*`. string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = {
@@ -495,7 +560,8 @@ message EnableSecretVersionRequest { message DestroySecretVersionRequest { // Required. The resource name of the // [SecretVersion][google.cloud.secretmanager.v1.SecretVersion] to destroy in - // the format `projects/*/secrets/*/versions/*`. + // the format `projects/*/secrets/*/versions/*` or + // `projects/*/locations/*/secrets/*/versions/*`. string name = 1 [ (google.api.field_behavior) = REQUIRED, (google.api.resource_reference) = { |