
Google Secret Manager Review 2026: GCP’s Native Secrets Management Explained


Introduction

Google Cloud’s answer to secrets management is deceptively simple: Google Secret Manager. Launched in 2020 and now GA, it is Google’s managed service for storing API keys, passwords, certificates, and other sensitive data within the GCP ecosystem.

For teams already deep in Google Cloud — using GKE, Cloud Run, Cloud Functions, or BigQuery — Secret Manager offers a frictionless, IAM-integrated solution. But how does it compare when the conversation turns to enterprise-grade requirements?

In this CyberSecurityO review, we evaluate Google Secret Manager from the ground up: features, architecture, pricing, limitations, and who it’s built for.


Company Overview

Google Cloud launched Secret Manager in February 2020, making it one of the newer secrets management services among the major cloud providers. While AWS and Azure had their offerings earlier (2018 and 2015 respectively), Google built Secret Manager with simplicity and developer experience as core priorities.

Google Cloud holds approximately 11% of the cloud market (as of 2024), making it the third-largest cloud provider behind AWS and Azure. Its developer-friendly APIs, global network, and AI integrations make it a growing platform for modern application development.


What Is Google Secret Manager?

Google Secret Manager is a fully managed service on Google Cloud Platform (GCP) for storing, managing, and accessing secrets — such as API keys, passwords, certificates, and other sensitive configuration data.

Key design principles:

  • Simple API — create, access, and delete secrets with minimal API surface
  • IAM-native access control — Google Cloud IAM governs all secret access
  • Versioned secrets — maintain multiple versions with enable/disable/destroy lifecycle
  • Regional or global replication for secrets data

It’s intentionally focused — Secret Manager does one thing (store and retrieve secrets) and does it with Google’s reliability and security.


Key Features

1. Secret Versioning

Every secret has multiple versions. You can:

  • Add new versions (new secret values)
  • Enable/disable specific versions
  • Destroy versions to permanently delete data
  • Access the latest version or pin to a specific version number
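As an added example (not code from the article or from Google), the Python client call that pins a version and verifies the CRC32C checksum the API returns beside the payload; `FakeClient` is a constructed stand-in for `google.cloud.secretmanager.SecretManagerServiceClient` so the snippet runs offline, and the project and secret names are made up.

```python
from types import SimpleNamespace


def secret_version_name(project: str, secret: str, version: str = "latest") -> str:
    """Resource name of one version; "latest" follows the newest version, a number pins one."""
    return f"projects/{project}/secrets/{secret}/versions/{version}"


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), the checksum the API returns as payload.data_crc32c."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def verify_payload(data: bytes, expected_crc32c: int) -> bool:
    """True when the payload matches the checksum that was sent with it."""
    return crc32c(data) == expected_crc32c


def access_secret(client, project: str, secret: str, version: str = "latest") -> bytes:
    """Read one version and fail closed if the payload checksum does not match."""
    name = secret_version_name(project, secret, version)
    response = client.access_secret_version(request={"name": name})
    if not verify_payload(response.payload.data, response.payload.data_crc32c):
        raise ValueError(f"CRC32C mismatch for {name}; refusing to use the value")
    return response.payload.data


class FakeClient:
    """Constructed offline stand-in for SecretManagerServiceClient; not the real client."""

    def __init__(self, versions: dict[str, bytes]):
        self.versions = versions  # version resource name -> stored bytes

    def access_secret_version(self, request):
        data = self.versions[request["name"]]
        payload = SimpleNamespace(data=data, data_crc32c=crc32c(data))
        return SimpleNamespace(payload=payload)


if __name__ == "__main__":
    # Made-up project and secret; in production use secretmanager.SecretManagerServiceClient().
    client = FakeClient({secret_version_name("example-prod", "db-password", "3"): b"s3cr3t-v3"})
    print(access_secret(client, "example-prod", "db-password", "3"))
```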

2. Replication Policies

  • Automatic (Multi-region): Google automatically replicates the secret across multiple regions — best for most use cases
  • User-managed: Choose specific regions for compliance/data residency requirements

3. IAM-Based Access Control

Access is controlled via Google Cloud IAM roles:

  • roles/secretmanager.admin — Full control
  • roles/secretmanager.secretAccessor — Read secret values
  • roles/secretmanager.viewer — View metadata (not values)
  • roles/secretmanager.secretVersionManager — Manage versions

4. Workload Identity Integration

GKE pods, Cloud Run services, and Cloud Functions can use Workload Identity to authenticate to Secret Manager without storing service account keys — the gold standard for GCP secrets access.

5. CMEK (Customer-Managed Encryption Keys)

Secrets can be encrypted with Customer-Managed Encryption Keys via Cloud KMS — enabling key rotation and custody for regulated environments.

6. Secret Rotation Notifications

Secret Manager can publish Pub/Sub notifications when secrets are about to expire or have been rotated — enabling automated rotation workflows via Cloud Functions.

7. Audit Logging via Cloud Audit Logs

All access events (access, create, delete, update) are logged in Cloud Audit Logs — queryable in Cloud Logging and exportable to BigQuery or third-party SIEMs. Administrative operations are logged by default; secret value reads appear only once Data Access audit logs are enabled for the Secret Manager API.

8. VPC Service Controls

Secret Manager supports VPC Service Controls — restricting secret access to requests originating from within a defined perimeter (private network), preventing data exfiltration.


Architecture


In-progress

Use Cases

Cloud Run / Cloud Functions

Serverless workloads retrieve secrets at startup using the Secret Manager client library. With Workload Identity, there are zero credentials to manage — the service identity is automatically federated.

GKE Kubernetes Workloads

The Secret Manager add-on for GKE (via Secrets Store CSI Driver) mounts secrets directly into pods. Alternatively, the External Secrets Operator supports Secret Manager as a backend for Kubernetes-native secret objects.

CI/CD with Cloud Build

Cloud Build steps authenticate to Secret Manager via the build service account, retrieving secrets at pipeline runtime. GitHub Actions can also use OIDC federation with GCP to access Secret Manager without stored credentials.

Data Pipeline Security (Dataflow / BigQuery)

Data engineering pipelines retrieve database credentials, API tokens, and service credentials at job startup — eliminating hardcoded values in pipeline code or Dataflow templates.

Terraform on GCP

Terraform’s google_secret_manager_secret_version data source retrieves secrets at plan/apply time — enabling secret-free Terraform configurations in GCP-native infrastructure.


Pricing

| Component | Price |
|---|---|
| **Active secret versions** | $0.06 per version per month |
| **Access operations** | $0.03 per 10,000 operations |
| **Rotation notifications** (Pub/Sub) | Standard Pub/Sub pricing |

Example: 50 active secret versions + 500,000 access operations/month = $4.50/month — extremely affordable.

Free tier: 6 active secret versions free, 10,000 access operations free per month.

> Note: Destroyed secret versions are not billed. Disabling a version still incurs storage cost.


Pros & Cons

✅ Pros

  • Extremely simple — minimal learning curve, clean API
  • Generous free tier — 6 versions + 10,000 operations free monthly
  • Workload Identity integration is excellent — zero credential management for GCP services
  • VPC Service Controls for network-isolated secret access
  • CMEK support for regulated workloads
  • Pub/Sub rotation notifications enable automated rotation workflows
  • Global availability with automatic multi-region replication

❌ Cons

  • GCP-only — no meaningful multi-cloud or on-premises support
  • No dynamic secrets — stored values only, no just-in-time credential generation
  • No built-in rotation — you must build rotation with Cloud Functions + Pub/Sub
  • No certificate lifecycle management — unlike Azure Key Vault or HashiCorp Vault PKI
  • No built-in HSM — encryption relies on Cloud KMS keys, which are software-protected unless you use HSM-protected keys from Cloud HSM, a separate service
  • Limited secret size — 64KB maximum per version
  • Fewer enterprise features than HashiCorp Vault or CyberArk

Competitors Comparison

| Feature | Google Secret Manager | AWS Secrets Manager | Azure Key Vault | HashiCorp Vault |
|---|---|---|---|---|
| Cloud-Native | ✅ (GCP) | ✅ (AWS) | ✅ (Azure) | ✅ (Any) |
| Free Tier | ✅ | | | ✅ (OSS) |
| Dynamic Secrets | ❌ | | | ✅ |
| Certificate Mgmt | ❌ | ⚠️ | ✅ | ✅ |
| Auto-Rotation Built-in | ❌ (Pub/Sub trigger) | ✅ (RDS) | ✅ (Certs) | |
| Workload Identity | ✅ | ✅ (IRSA) | ✅ (Managed ID) | ⚠️ |
| Multi-Cloud | ❌ | | | ✅ |

Best Practices

  1. Always use Workload Identity — never store service account key files in containers, pipelines, or source code.
  2. Set expiration on secret versions and subscribe to rotation notification topics via Pub/Sub.
  3. Use user-managed replication for data residency compliance (e.g., secrets must remain in EU regions).
  4. Implement CMEK for secrets in regulated industries — use Cloud HSM-backed keys for highest assurance.
  5. Enable Data Access audit logs for Secret Manager in Cloud Audit Logs — secretmanager.googleapis.com data access is not enabled by default.
  6. Apply VPC Service Controls perimeters around Secret Manager for sensitive production environments.
  7. Destroy old secret versions when no longer needed — avoid version sprawl and reduce cost.
  8. Use labels on secrets for ownership tracking, environment tagging, and cost allocation.

FAQs

Q1: Does Google Secret Manager have a free tier?

Yes — 6 active secret versions and 10,000 access operations per month are free. This is useful for development environments and small projects.

Q2: Can Google Secret Manager rotate secrets automatically?

Not natively. Google provides rotation notification infrastructure via Pub/Sub — your application or Cloud Function must implement the actual rotation logic. This is less turnkey than AWS Secrets Manager’s RDS rotation.
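A minimal rotation step of the kind the article says you must build yourself, added here as an example (not Google's or the article's code): a Cloud Function handler that acts on the `SECRET_ROTATE` notification, stores the new value as a new version and disables the previous ones. The `eventType` and `secretId` attribute names are those documented for Secret Manager event notifications, `FakeClient` is a constructed stand-in for `google.cloud.secretmanager.SecretManagerServiceClient`, and how the Pub/Sub message reaches the handler differs between Cloud Functions generations.

```python
import secrets
from types import SimpleNamespace

ROTATE_EVENT = "SECRET_ROTATE"  # eventType attribute Secret Manager sets on rotation notifications


def handle_rotation(message: dict, client, new_value_factory=lambda: secrets.token_urlsafe(32)):
    """Rotation step run by a Pub/Sub-triggered Cloud Function.

    `message` carries the notification's attributes (eventType, secretId). Returns the new
    version name, or None when the event is not a rotation trigger. new_value_factory must
    also provision the new credential at the target system (here it only mints a token).
    """
    attrs = message.get("attributes", {})
    if attrs.get("eventType") != ROTATE_EVENT:
        return None  # create/update/destroy notifications need no rotation work
    secret_name = attrs["secretId"]
    new_version = client.add_secret_version(
        request={"parent": secret_name, "payload": {"data": new_value_factory().encode()}}
    )
    # Disable, do not destroy, the previous versions: "latest" now resolves to the new value,
    # and a disabled version can be re-enabled if the rotation turns out to be bad.
    for version in client.list_secret_versions(request={"parent": secret_name}):
        if version.name != new_version.name and version.state == "ENABLED":
            client.disable_secret_version(request={"name": version.name})
    return new_version.name


class FakeClient:
    """Constructed in-memory stand-in for SecretManagerServiceClient so this runs offline.
    The real client reports state as the SecretVersion.State enum rather than a string."""

    def __init__(self):
        self.versions = {}  # version resource name -> SimpleNamespace(name, state, data)

    def add_secret_version(self, request):
        parent = request["parent"]
        number = sum(1 for name in self.versions if name.startswith(parent + "/")) + 1
        version = SimpleNamespace(name=f"{parent}/versions/{number}", state="ENABLED",
                                  data=request["payload"]["data"])
        self.versions[version.name] = version
        return version

    def list_secret_versions(self, request):
        return [v for name, v in self.versions.items() if name.startswith(request["parent"] + "/")]

    def disable_secret_version(self, request):
        self.versions[request["name"]].state = "DISABLED"
```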

Q3: Is Google Secret Manager suitable for multi-cloud environments?

It’s designed for GCP. While secrets can be accessed via API from anywhere, it’s not recommended as a multi-cloud secrets store. For multi-cloud, use HashiCorp Vault or Akeyless.

Q4: How does Google Secret Manager handle encryption?

Secrets are encrypted at rest using Google-managed encryption keys by default (AES-256). CMEK allows you to supply your own Cloud KMS keys, including HSM-backed keys via Cloud HSM.

Q5: What is the maximum secret size in Google Secret Manager?

64 KB per secret version — the same as AWS Secrets Manager. Sufficient for credentials, certificates, and JSON configuration blobs.

Q6: How do I monitor unusual access to secrets?

Enable Data Access audit logs for the Secret Manager API. Export to Cloud Logging, set up log-based alerts in Cloud Monitoring, or stream to Chronicle SIEM for behavioral analysis.
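A detection pass over Data Access audit log entries of the kind best practice 5 and this answer call for, added as an example rather than taken from the article; the field names and the Cloud Logging filter follow Cloud Audit Logs, while the log entries, principals, secret names and the `EXPECTED_READERS` allowlist are constructed.

```python
from collections import defaultdict

ACCESS_METHOD = "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"

# Cloud Logging filter for the same events; they only exist once Data Access logs are enabled.
LOG_FILTER = (
    'protoPayload.serviceName="secretmanager.googleapis.com" AND '
    f'protoPayload.methodName="{ACCESS_METHOD}"'
)

def _entry(principal: str, resource: str, method: str = ACCESS_METHOD) -> dict:
    """Constructed audit log entry using the real Cloud Audit Logs field layout."""
    return {"protoPayload": {"serviceName": "secretmanager.googleapis.com", "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource}}

# Constructed sample data: one legitimate service-account read, a human identity reading
# three different production secrets, and one metadata-only call that must be ignored.
SAMPLE_ENTRIES = [
    _entry("api@example-prod.iam.gserviceaccount.com", "projects/example-prod/secrets/db-password/versions/3"),
    _entry("alice@example.com", "projects/example-prod/secrets/db-password/versions/3"),
    _entry("alice@example.com", "projects/example-prod/secrets/payments-api-key/versions/1"),
    _entry("alice@example.com", "projects/example-prod/secrets/signing-key/versions/latest"),
    _entry("alice@example.com", "projects/example-prod/secrets/signing-key/versions/2",
           method="google.cloud.secretmanager.v1.SecretManagerService.GetSecretVersion"),
]

# Who is supposed to read each secret; a secret missing from this map has no expected readers,
# so any read of it alerts (fail closed for new or unknown secrets).
EXPECTED_READERS = {
    "projects/example-prod/secrets/db-password": {"api@example-prod.iam.gserviceaccount.com"},
}

def detect_unusual_access(entries, expected_readers, fan_out_threshold: int = 3):
    """Alert on reads by unexpected principals and on one principal reading many distinct secrets."""
    alerts = []
    secrets_read = defaultdict(set)
    for entry in entries:
        payload = entry["protoPayload"]
        if payload.get("methodName") != ACCESS_METHOD:
            continue  # Get/List calls return metadata only, never the value
        principal = payload["authenticationInfo"]["principalEmail"]
        secret = payload["resourceName"].split("/versions/")[0]
        secrets_read[principal].add(secret)
        if principal not in expected_readers.get(secret, set()):
            alerts.append(("unexpected_reader", principal, secret))
    for principal, secrets in secrets_read.items():
        if len(secrets) >= fan_out_threshold:
            alerts.append(("wide_read", principal, len(secrets)))
    return alerts
```

The same `LOG_FILTER` string is what you would put behind a log-based alert in Cloud Monitoring or a log sink feeding a SIEM.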

Q7: Is Google Secret Manager PCI DSS or HIPAA compliant?

Google Cloud Secret Manager is covered under GCP’s compliance certifications including PCI DSS, HIPAA BAA, SOC 1/2/3, ISO 27001, and FedRAMP. Use CMEK with Cloud HSM for highest compliance posture.


Conclusion

Google Secret Manager excels at what it’s designed for: simple, reliable, developer-friendly secrets management for GCP workloads. Its Workload Identity integration, VPC Service Controls, CMEK support, and generous free tier make it a no-brainer for GCP-native teams.

Its limitations are by design — it’s not trying to replace HashiCorp Vault’s dynamic secrets engine or CyberArk’s enterprise governance platform. It’s a clean, focused service that eliminates hardcoded credentials in GCP environments without operational overhead.

If your workloads are GCP-native: start with Secret Manager. If you need dynamic secrets, certificate management, or multi-cloud coverage: layer HashiCorp Vault or Akeyless on top.

CyberSecurityO Rating: 7.8 / 10 ⭐⭐⭐⭐

