---
title: GoogleSecretManagerSecretStoreProvider
description: Resource path:
component: pingam
version: 8.1
page_id: pingam:entity-reference:sec-amster-entity-googlesecretmanagersecretstoreprovider
canonical_url: https://docs.pingidentity.com/pingam/8.1/entity-reference/sec-amster-entity-googlesecretmanagersecretstoreprovider.html
section_ids:
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops: Realm Operations
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-create: create
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-delete: delete
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-getalltypes: getAllTypes
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-getcreatabletypes: getCreatableTypes
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-nextdescendents: nextdescendents
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-query: query
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-read: read
sec-amster-entity-googlesecretmanagersecretstoreprovider-realm-ops-update: update
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops: Global Operations
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-create: create
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-delete: delete
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-getalltypes: getAllTypes
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-getcreatabletypes: getCreatableTypes
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-nextdescendents: nextdescendents
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-query: query
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-read: read
sec-amster-entity-googlesecretmanagersecretstoreprovider-global-ops-update: update
---
# GoogleSecretManagerSecretStoreProvider
## Realm Operations
Resource path:
```
/realm-config/secrets/stores/GoogleSecretManagerSecretStoreProvider
```
Resource version: `0.0`
### create
**Usage**
```
am> create GoogleSecretManagerSecretStoreProvider --realm Realm --id id --body body
```
**Parameters**
* *\--id*
The unique identifier for the resource.
* *\--body*
The resource in JSON format, described by the following JSON schema:
```json
{
"type" : "object",
"properties" : {
"serviceAccount" : {
"title" : "GCP Service Account ID",
"description" : "The ID of the GCP service account to use when connecting to Secret Manager.
GCP service accounts can be configured in the global Google Service Account service. The service account must be enabled for this realm otherwise the secret store will fail to load.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"expiryDurationSeconds" : {
"title" : "Expiry Time (seconds)",
"description" : "Maximum time that AM should cache secret values before refreshing them from Google Secret Manager. A longer duration may be more efficient but may take longer for new secret versions to be picked up. This typically only affects operations that use the \"active\" (latest) version of a secret. Operations that use previous versions of a secret will always query Secret Manager to ensure timely revocation.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer",
"exampleValue" : ""
},
"project" : {
"title" : "Project",
"description" : "The GCP project that contains the Secret Manager instance to use.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"secretFormat" : {
"title" : "Secret Format",
"description" : "Indicates what format is used to store the secrets in the files. The available options are: - Plain text: the secrets are stored as UTF-8 encoded text.
- Base64 encoded: the secrets are stored as Base64 encoded binary values.
- Encrypted text: the plain text secrets are encrypted using AM's encryption key.
- Encrypted Base64 encoded: the Base64 encoded binary values are encrypted using AM's encryption key.
- Encrypted with Google KMS: the secrets are encrypted using Google's Key Management Service.
- PEM encoded certificate or key: the secrets are certificates, keys, or passwords, in Privacy Enhanced Mail (PEM) format, such as those produced by OpenSSL and other common tools.
- Encrypted PEM: PEM-encoded objects that are encrypted with AM's server key.
- Google KMS-encrypted PEM: PEM-encoded objects that are encrypted with Google KMS.
The following formats are also supported but are discouraged (use the PEM variants instead):
- Encrypted HMAC key: the Base64 encoded binary representation of the HMAC key is encrypted using AM's encryption key. Use this format when working with non generic secrets.
- Base64 encoded HMAC key: the secrets are binary HMAC keys encoded with Base64.
- Google KMS-encrypted HMAC key: the secrets are binary HMAC keys that have been encrypted with Google's Key Management Service (KMS).
",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : ""
}
}
}
```
### delete
**Usage**
```
am> delete GoogleSecretManagerSecretStoreProvider --realm Realm --id id
```
**Parameters**
* *\--id*
The unique identifier for the resource.
### getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
**Usage**
```
am> action GoogleSecretManagerSecretStoreProvider --realm Realm --actionName getAllTypes
```
### getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
**Usage**
```
am> action GoogleSecretManagerSecretStoreProvider --realm Realm --actionName getCreatableTypes
```
### nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
**Usage**
```
am> action GoogleSecretManagerSecretStoreProvider --realm Realm --actionName nextdescendents
```
### query
Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.
**Usage**
```
am> query GoogleSecretManagerSecretStoreProvider --realm Realm --filter filter
```
**Parameters**
* *\--filter*
A CREST formatted query filter, where "true" will query all.
### read
**Usage**
```
am> read GoogleSecretManagerSecretStoreProvider --realm Realm --id id
```
**Parameters**
* *\--id*
The unique identifier for the resource.
### update
**Usage**
```
am> update GoogleSecretManagerSecretStoreProvider --realm Realm --id id --body body
```
**Parameters**
* *\--id*
The unique identifier for the resource.
* *\--body*
The resource in JSON format, described by the following JSON schema:
```json
{
"type" : "object",
"properties" : {
"serviceAccount" : {
"title" : "GCP Service Account ID",
"description" : "The ID of the GCP service account to use when connecting to Secret Manager.
GCP service accounts can be configured in the global Google Service Account service. The service account must be enabled for this realm otherwise the secret store will fail to load.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"expiryDurationSeconds" : {
"title" : "Expiry Time (seconds)",
"description" : "Maximum time that AM should cache secret values before refreshing them from Google Secret Manager. A longer duration may be more efficient but may take longer for new secret versions to be picked up. This typically only affects operations that use the \"active\" (latest) version of a secret. Operations that use previous versions of a secret will always query Secret Manager to ensure timely revocation.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer",
"exampleValue" : ""
},
"project" : {
"title" : "Project",
"description" : "The GCP project that contains the Secret Manager instance to use.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"secretFormat" : {
"title" : "Secret Format",
"description" : "Indicates what format is used to store the secrets in the files. The available options are: - Plain text: the secrets are stored as UTF-8 encoded text.
- Base64 encoded: the secrets are stored as Base64 encoded binary values.
- Encrypted text: the plain text secrets are encrypted using AM's encryption key.
- Encrypted Base64 encoded: the Base64 encoded binary values are encrypted using AM's encryption key.
- Encrypted with Google KMS: the secrets are encrypted using Google's Key Management Service.
- PEM encoded certificate or key: the secrets are certificates, keys, or passwords, in Privacy Enhanced Mail (PEM) format, such as those produced by OpenSSL and other common tools.
- Encrypted PEM: PEM-encoded objects that are encrypted with AM's server key.
- Google KMS-encrypted PEM: PEM-encoded objects that are encrypted with Google KMS.
The following formats are also supported but are discouraged (use the PEM variants instead):
- Encrypted HMAC key: the Base64 encoded binary representation of the HMAC key is encrypted using AM's encryption key. Use this format when working with non generic secrets.
- Base64 encoded HMAC key: the secrets are binary HMAC keys encoded with Base64.
- Google KMS-encrypted HMAC key: the secrets are binary HMAC keys that have been encrypted with Google's Key Management Service (KMS).
",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : ""
}
}
}
```
## Global Operations
Resource path:
```
/global-config/secrets/stores/GoogleSecretManagerSecretStoreProvider
```
Resource version: `1.0`
### create
**Usage**
```
am> create GoogleSecretManagerSecretStoreProvider --global --id id --body body
```
**Parameters**
* *\--id*
The unique identifier for the resource.
* *\--body*
The resource in JSON format, described by the following JSON schema:
```json
{
"type" : "object",
"properties" : {
"secretFormat" : {
"title" : "Secret Format",
"description" : "Indicates what format is used to store the secrets in the files. The available options are: - Plain text: the secrets are stored as UTF-8 encoded text.
- Base64 encoded: the secrets are stored as Base64 encoded binary values.
- Encrypted text: the plain text secrets are encrypted using AM's encryption key.
- Encrypted Base64 encoded: the Base64 encoded binary values are encrypted using AM's encryption key.
- Encrypted with Google KMS: the secrets are encrypted using Google's Key Management Service.
- PEM encoded certificate or key: the secrets are certificates, keys, or passwords, in Privacy Enhanced Mail (PEM) format, such as those produced by OpenSSL and other common tools.
- Encrypted PEM: PEM-encoded objects that are encrypted with AM's server key.
- Google KMS-encrypted PEM: PEM-encoded objects that are encrypted with Google KMS.
The following formats are also supported but are discouraged (use the PEM variants instead):
- Encrypted HMAC key: the Base64 encoded binary representation of the HMAC key is encrypted using AM's encryption key. Use this format when working with non generic secrets.
- Base64 encoded HMAC key: the secrets are binary HMAC keys encoded with Base64.
- Google KMS-encrypted HMAC key: the secrets are binary HMAC keys that have been encrypted with Google's Key Management Service (KMS).
",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"serviceAccount" : {
"title" : "GCP Service Account ID",
"description" : "The ID of the GCP service account to use when connecting to Secret Manager.
GCP service accounts can be configured in the global Google Service Account service. The service account must be enabled for this realm otherwise the secret store will fail to load.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"project" : {
"title" : "Project",
"description" : "The GCP project that contains the Secret Manager instance to use.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"expiryDurationSeconds" : {
"title" : "Expiry Time (seconds)",
"description" : "Maximum time that AM should cache secret values before refreshing them from Google Secret Manager. A longer duration may be more efficient but may take longer for new secret versions to be picked up. This typically only affects operations that use the \"active\" (latest) version of a secret. Operations that use previous versions of a secret will always query Secret Manager to ensure timely revocation.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer",
"exampleValue" : ""
}
}
}
```
### delete
**Usage**
```
am> delete GoogleSecretManagerSecretStoreProvider --global --id id
```
**Parameters**
* *\--id*
The unique identifier for the resource.
### getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
**Usage**
```
am> action GoogleSecretManagerSecretStoreProvider --global --actionName getAllTypes
```
### getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
**Usage**
```
am> action GoogleSecretManagerSecretStoreProvider --global --actionName getCreatableTypes
```
### nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
**Usage**
```
am> action GoogleSecretManagerSecretStoreProvider --global --actionName nextdescendents
```
### query
Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.
**Usage**
```
am> query GoogleSecretManagerSecretStoreProvider --global --filter filter
```
**Parameters**
* *\--filter*
A CREST formatted query filter, where "true" will query all.
### read
**Usage**
```
am> read GoogleSecretManagerSecretStoreProvider --global --id id
```
**Parameters**
* *\--id*
The unique identifier for the resource.
### update
**Usage**
```
am> update GoogleSecretManagerSecretStoreProvider --global --id id --body body
```
**Parameters**
* *\--id*
The unique identifier for the resource.
* *\--body*
The resource in JSON format, described by the following JSON schema:
```json
{
"type" : "object",
"properties" : {
"secretFormat" : {
"title" : "Secret Format",
"description" : "Indicates what format is used to store the secrets in the files. The available options are: - Plain text: the secrets are stored as UTF-8 encoded text.
- Base64 encoded: the secrets are stored as Base64 encoded binary values.
- Encrypted text: the plain text secrets are encrypted using AM's encryption key.
- Encrypted Base64 encoded: the Base64 encoded binary values are encrypted using AM's encryption key.
- Encrypted with Google KMS: the secrets are encrypted using Google's Key Management Service.
- PEM encoded certificate or key: the secrets are certificates, keys, or passwords, in Privacy Enhanced Mail (PEM) format, such as those produced by OpenSSL and other common tools.
- Encrypted PEM: PEM-encoded objects that are encrypted with AM's server key.
- Google KMS-encrypted PEM: PEM-encoded objects that are encrypted with Google KMS.
The following formats are also supported but are discouraged (use the PEM variants instead):
- Encrypted HMAC key: the Base64 encoded binary representation of the HMAC key is encrypted using AM's encryption key. Use this format when working with non generic secrets.
- Base64 encoded HMAC key: the secrets are binary HMAC keys encoded with Base64.
- Google KMS-encrypted HMAC key: the secrets are binary HMAC keys that have been encrypted with Google's Key Management Service (KMS).
",
"propertyOrder" : 300,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"serviceAccount" : {
"title" : "GCP Service Account ID",
"description" : "The ID of the GCP service account to use when connecting to Secret Manager.
GCP service accounts can be configured in the global Google Service Account service. The service account must be enabled for this realm otherwise the secret store will fail to load.",
"propertyOrder" : 200,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"project" : {
"title" : "Project",
"description" : "The GCP project that contains the Secret Manager instance to use.",
"propertyOrder" : 100,
"required" : true,
"type" : "string",
"exampleValue" : ""
},
"expiryDurationSeconds" : {
"title" : "Expiry Time (seconds)",
"description" : "Maximum time that AM should cache secret values before refreshing them from Google Secret Manager. A longer duration may be more efficient but may take longer for new secret versions to be picked up. This typically only affects operations that use the \"active\" (latest) version of a secret. Operations that use previous versions of a secret will always query Secret Manager to ensure timely revocation.",
"propertyOrder" : 400,
"required" : true,
"type" : "integer",
"exampleValue" : ""
}
}
}
```