本頁面由 Cloud Translation API 翻譯而成。

管理密鑰存取權

本頁說明如何管理密鑰的存取權，包括密鑰內容。如要進一步瞭解存取控管和權限，請參閱「使用 IAM 控管存取權」。

重要事項：如要搭配使用 Secret Manager 與在 Compute Engine 或 Google Kubernetes Engine 上執行的工作負載，基礎執行個體或節點必須具備 cloud-platform OAuth 範圍。詳情請參閱存取 Secret Manager API。

必要的角色

如要取得管理密鑰存取權所需的權限，請要求管理員為您授予密鑰、專案、資料夾或機構的Secret Manager 管理員 (roles/secretmanager.admin) IAM 角色。如要進一步瞭解如何授予角色，請參閱「管理專案、資料夾和機構的存取權」。

您或許還可透過自訂角色或其他預先定義的角色取得必要權限。

授予存取權

如要授予密鑰存取權，請使用下列其中一種方法：

控制台

前往 Google Cloud 控制台的「Secret Manager」頁面。

前往 Secret Manager
如要選取密鑰，請在「Secret Manager」頁面中，按一下密鑰名稱旁的核取方塊。
如果面板尚未開啟，請按一下「Show Info Panel」(顯示資訊面板) 開啟面板。
在資訊面板中，按一下「新增主體」。
在「New principals」(新增主體) 欄位中，輸入要新增成員的電子郵件地址。
在「Select a role」(請選擇角色) 清單中，選擇「Secret Manager」，然後選取「Secret Manager Secret Accessor」(Secret Manager 密碼存取者)。

gcloud

使用下方的任何指令資料之前，請先替換以下項目：

SECRET_ID：密鑰的 ID 或密鑰的完整 ID
MEMBER：IAM 成員，例如使用者、群組或服務帳戶

執行下列指令：

Linux、macOS 或 Cloud Shell

gcloud secrets add-iam-policy-binding SECRET_ID \
    --member="MEMBER" \
    --role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud secrets add-iam-policy-binding SECRET_ID `
    --member="MEMBER" `
    --role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud secrets add-iam-policy-binding SECRET_ID ^
    --member="MEMBER" ^
    --role="roles/secretmanager.secretAccessor"

REST

注意：與其他範例不同，這個範例會取代整個 IAM 政策。

使用任何要求資料之前，請先替換以下項目：

PROJECT_ID：包含密碼的 Google Cloud 專案
SECRET_ID：密鑰的 ID 或密鑰的完整 ID
MEMBER：IAM 成員，例如使用者、群組或服務帳戶

HTTP 方法和網址：

POST https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy

JSON 要求主體：

{"policy": {"bindings": [{"members": ["MEMBER"], "role": "roles/secretmanager.secretAccessor"}]}}

如要傳送要求，請選擇以下其中一個選項：

curl

注意： 下列指令假設您已執行 gcloud init 或 gcloud auth login，透過使用者帳戶登入 gcloud CLI，或使用 Cloud Shell，自動登入 gcloud CLI。您可以執行 gcloud auth list 查看目前有效的帳戶。

將要求主體儲存在名為 request.json 的檔案中，然後執行下列指令：

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy"

PowerShell

注意： 下列指令假設您已執行 gcloud init 或 gcloud auth login，透過使用者帳戶登入 gcloud CLI。您可以執行 gcloud auth list 查看目前有效的帳戶。

將要求主體儲存在名為 request.json 的檔案中，然後執行下列指令：

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content

您應該會收到如下的 JSON 回應：

{
  "version": 1,
  "etag": "BwYhOrAmWFQ=",
  "bindings": [
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": [
        "user:[email protected]"
      ]
    }
  ]
}

C#

如要執行這段程式碼，請先設定 C# 開發環境，然後安裝 Secret Manager C# SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。


using Google.Cloud.SecretManager.V1;
using Google.Cloud.Iam.V1;

public class IamGrantAccessSample
{
    public Policy IamGrantAccess(
      string projectId = "my-project", string secretId = "my-secret",
      string member = "user:[email protected]")
    {
        // Create the client.
        SecretManagerServiceClient client = SecretManagerServiceClient.Create();

        // Build the resource name.
        SecretName secretName = new SecretName(projectId, secretId);

        // Get current policy.
        Policy policy = client.GetIamPolicy(new GetIamPolicyRequest
        {
            ResourceAsResourceName = secretName,
        });

        // Add the user to the list of bindings.
        policy.AddRoleMember("roles/secretmanager.secretAccessor", member);

        // Save the updated policy.
        policy = client.SetIamPolicy(new SetIamPolicyRequest
        {
            ResourceAsResourceName = secretName,
            Policy = policy,
        });
        return policy;
    }
}

Go

如要執行這段程式碼，請先設定 Go 開發環境，並安裝 Secret Manager Go SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
)

// iamGrantAccess grants the given member access to the secret.
func iamGrantAccess(w io.Writer, name, member string) error {
	// name := "projects/my-project/secrets/my-secret"
	// member := "user:[email protected]"

	// Create the client.
	ctx := context.Background()
	client, err := secretmanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create secretmanager client: %w", err)
	}
	defer client.Close()

	// Get the current IAM policy.
	handle := client.IAM(name)
	policy, err := handle.Policy(ctx)
	if err != nil {
		return fmt.Errorf("failed to get policy: %w", err)
	}

	// Grant the member access permissions.
	policy.Add(member, "roles/secretmanager.secretAccessor")
	if err = handle.SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("failed to save policy: %w", err)
	}

	fmt.Fprintf(w, "Updated IAM policy for %s\n", name)
	return nil
}

Java

如要執行這段程式碼，請先設定 Java 開發環境，並安裝 Secret Manager Java SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

public class IamGrantAccess {

  public static void iamGrantAccess() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String secretId = "your-secret-id";
    String member = "user:[email protected]";
    iamGrantAccess(projectId, secretId, member);
  }

  // Grant a member access to a particular secret.
  public static void iamGrantAccess(String projectId, String secretId, String member)
      throws IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
      // Build the name from the version.
      SecretName secretName = SecretName.of(projectId, secretId);

      // Request the current IAM policy.
      Policy currentPolicy =
          client.getIamPolicy(
              GetIamPolicyRequest.newBuilder().setResource(secretName.toString()).build());

      // Build the new binding.
      Binding binding =
          Binding.newBuilder()
              .setRole("roles/secretmanager.secretAccessor")
              .addMembers(member)
              .build();

      // Create a new IAM policy from the current policy, adding the binding.
      Policy newPolicy = Policy.newBuilder().mergeFrom(currentPolicy).addBindings(binding).build();

      // Save the updated IAM policy.
      client.setIamPolicy(
          SetIamPolicyRequest.newBuilder()
              .setResource(secretName.toString())
              .setPolicy(newPolicy)
              .build());

      System.out.printf("Updated IAM policy for %s\n", secretId);
    }
  }
}

Node.js

如要執行這段程式碼，請先設定 Node.js 開發環境，並安裝 Secret Manager Node.js SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret';
// const member = 'user:[email protected]';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Instantiates a client
const client = new SecretManagerServiceClient();

async function grantAccess() {
  // Get the current IAM policy.
  const [policy] = await client.getIamPolicy({
    resource: name,
  });

  // Add the user with accessor permissions to the bindings list.
  policy.bindings.push({
    role: 'roles/secretmanager.secretAccessor',
    members: [member],
  });

  // Save the updated IAM policy.
  await client.setIamPolicy({
    resource: name,
    policy: policy,
  });

  console.log(`Updated IAM policy for ${name}`);
}

grantAccess();

PHP

如要執行這段程式碼，請先瞭解如何在 Google Cloud 上使用 PHP，並安裝 Secret Manager PHP SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;

// Import the Secret Manager IAM library.
use Google\Cloud\Iam\V1\Binding;
use Google\Cloud\Iam\V1\GetIamPolicyRequest;
use Google\Cloud\Iam\V1\SetIamPolicyRequest;

/**
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $secretId  Your secret ID (e.g. 'my-secret')
 * @param string $member Your member (e.g. 'user:[email protected]')
 */
function iam_grant_access(string $projectId, string $secretId, string $member): void
{
    // Create the Secret Manager client.
    $client = new SecretManagerServiceClient();

    // Build the resource name of the secret.
    $name = $client->secretName($projectId, $secretId);

    // Get the current IAM policy.
    $policy = $client->getIamPolicy((new GetIamPolicyRequest)->setResource($name));

    // Update the bindings to include the new member.
    $bindings = $policy->getBindings();
    $bindings[] = new Binding([
        'members' => [$member],
        'role' => 'roles/secretmanager.secretAccessor',
    ]);
    $policy->setBindings($bindings);

    // Build the request.
    $request = (new SetIamPolicyRequest)
        ->setResource($name)
        ->setPolicy($policy);

    // Save the updated policy to the server.
    $client->setIamPolicy($request);

    // Print out a success message.
    printf('Updated IAM policy for %s', $secretId);
}

Python

如要執行這段程式碼，請先設定 Python 開發環境，然後安裝 Secret Manager Python SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

def iam_grant_access(
    project_id: str, secret_id: str, member: str
) -> iam_policy_pb2.SetIamPolicyRequest:
    """
    Grant the given member access to a secret.
    """

    # Import the Secret Manager client library.
    from google.cloud import secretmanager

    # Create the Secret Manager client.
    client = secretmanager.SecretManagerServiceClient()

    # Build the resource name of the secret.
    name = client.secret_path(project_id, secret_id)

    # Get the current IAM policy.
    policy = client.get_iam_policy(request={"resource": name})

    # Add the given member with access permissions.
    policy.bindings.add(role="roles/secretmanager.secretAccessor", members=[member])

    # Update the IAM Policy.
    new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})

    # Print data about the secret.
    print(f"Updated IAM policy on {secret_id}")

Ruby

如要執行這段程式碼，請先設定 Ruby 開發環境，然後安裝 Secret Manager Ruby SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

# project_id = "YOUR-GOOGLE-CLOUD-PROJECT"  # (e.g. "my-project")
# secret_id  = "YOUR-SECRET-ID"             # (e.g. "my-secret")
# member     = "USER-OR-ACCOUNT"            # (e.g. "user:[email protected]")

# Require the Secret Manager client library.
require "google/cloud/secret_manager"

# Create a Secret Manager client.
client = Google::Cloud::SecretManager.secret_manager_service

# Build the resource name of the secret.
name = client.secret_path project: project_id, secret: secret_id

# Get the current IAM policy.
policy = client.get_iam_policy resource: name

# Add new member to current bindings
policy.bindings << Google::Iam::V1::Binding.new(
  members: [member],
  role:    "roles/secretmanager.secretAccessor"
)

# Update IAM policy
new_policy = client.set_iam_policy resource: name, policy: policy

# Print a success message.
puts "Updated IAM policy for #{secret_id}"

Python

如要執行這段程式碼，請先設定 Python 開發環境，然後安裝 Secret Manager Python SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

# Import the Secret Manager client library.
from google import iam
from google.cloud import secretmanager_v1


def iam_grant_access_with_regional_secret(
    project_id: str,
    location_id: str,
    secret_id: str,
    member: str,
) -> iam.v1.iam_policy_pb2.SetIamPolicyRequest:
    """
    Grants the given member access to a secret.
    """

    # Endpoint to call the regional secret manager sever.
    api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

    # Create the Secret Manager client.
    client = secretmanager_v1.SecretManagerServiceClient(
        client_options={"api_endpoint": api_endpoint},
    )

    # Build the resource name of the secret.
    name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"

    # Get the current IAM policy.
    policy = client.get_iam_policy(request={"resource": name})

    # Add the given member with access permissions.
    policy.bindings.add(role="roles/secretmanager.secretAccessor", members=[member])

    # Update the IAM Policy.
    new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})

    # Print data about the secret.
    print(f"Updated IAM policy on {secret_id}")

    return new_policy

撤銷存取權

如要撤銷密鑰的存取權，請使用下列其中一種方法：

控制台

前往 Google Cloud 控制台的「Secret Manager」頁面。

前往 Secret Manager
如要選取密鑰，請在「Secret Manager」頁面中，按一下密鑰名稱旁的核取方塊。
如果面板尚未開啟，請按一下「Show Info Panel」(顯示資訊面板) 開啟面板。
在資訊面板中，按一下使用者角色旁的展開箭頭，即可查看有權存取該角色的使用者或服務帳戶清單。
如要移除使用者或服務帳戶，請按一下服務帳戶或使用者 ID 旁的「刪除」。
在隨即顯示的確認對話方塊中，按一下「移除」。

gcloud

使用下方的任何指令資料之前，請先替換以下項目：

SECRET_ID：密鑰的 ID 或密鑰的完整 ID
MEMBER：IAM 成員，例如使用者、群組或服務帳戶

執行下列指令：

Linux、macOS 或 Cloud Shell

gcloud secrets remove-iam-policy-binding SECRET_ID \
    --member="MEMBER" \
    --role="roles/secretmanager.secretAccessor"

Windows (PowerShell)

gcloud secrets remove-iam-policy-binding SECRET_ID `
    --member="MEMBER" `
    --role="roles/secretmanager.secretAccessor"

Windows (cmd.exe)

gcloud secrets remove-iam-policy-binding SECRET_ID ^
    --member="MEMBER" ^
    --role="roles/secretmanager.secretAccessor"

REST

注意：與其他範例不同，這個範例會取代整個 IAM 政策。

使用任何要求資料之前，請先替換以下項目：

PROJECT_ID：專案 ID Google Cloud
SECRET_ID：密鑰的 ID 或密鑰的完整 ID

HTTP 方法和網址：

POST https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy

JSON 要求主體：

{"policy": {"bindings": []}}

如要傳送要求，請選擇以下其中一個選項：

curl

將要求主體儲存在名為 request.json 的檔案中，然後執行下列指令：

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy"

PowerShell

注意： 下列指令假設您已執行 gcloud init 或 gcloud auth login，透過使用者帳戶登入 gcloud CLI。您可以執行 gcloud auth list 查看目前有效的帳戶。

將要求主體儲存在名為 request.json 的檔案中，然後執行下列指令：

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:setIamPolicy" | Select-Object -Expand Content

您應該會收到如下的 JSON 回應：

{
  "version": 1,
  "etag": "BwYhOtzsOBk="
}

C#

如要執行這段程式碼，請先設定 C# 開發環境，然後安裝 Secret Manager C# SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。


using Google.Cloud.SecretManager.V1;
using Google.Cloud.Iam.V1;

public class IamRevokeAccessSample
{
    public Policy IamRevokeAccess(
      string projectId = "my-project", string secretId = "my-secret",
      string member = "user:[email protected]")
    {
        // Create the client.
        SecretManagerServiceClient client = SecretManagerServiceClient.Create();

        // Build the resource name.
        SecretName secretName = new SecretName(projectId, secretId);

        // Get current policy.
        Policy policy = client.GetIamPolicy(new GetIamPolicyRequest
        {
            ResourceAsResourceName = secretName,
        });

        // Remove the user to the list of bindings.
        policy.RemoveRoleMember("roles/secretmanager.secretAccessor", member);

        // Save the updated policy.
        policy = client.SetIamPolicy(new SetIamPolicyRequest
        {
            ResourceAsResourceName = secretName,
            Policy = policy,
        });
        return policy;
    }
}

Go

如要執行這段程式碼，請先設定 Go 開發環境，並安裝 Secret Manager Go SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

import (
	"context"
	"fmt"
	"io"

	secretmanager "cloud.google.com/go/secretmanager/apiv1"
)

// iamRevokeAccess revokes the given member's access on the secret.
func iamRevokeAccess(w io.Writer, name, member string) error {
	// name := "projects/my-project/secrets/my-secret"
	// member := "user:[email protected]"

	// Create the client.
	ctx := context.Background()
	client, err := secretmanager.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("failed to create secretmanager client: %w", err)
	}
	defer client.Close()

	// Get the current IAM policy.
	handle := client.IAM(name)
	policy, err := handle.Policy(ctx)
	if err != nil {
		return fmt.Errorf("failed to get policy: %w", err)
	}

	// Grant the member access permissions.
	policy.Remove(member, "roles/secretmanager.secretAccessor")
	if err = handle.SetPolicy(ctx, policy); err != nil {
		return fmt.Errorf("failed to save policy: %w", err)
	}

	fmt.Fprintf(w, "Updated IAM policy for %s\n", name)
	return nil
}

Java

如要執行這段程式碼，請先設定 Java 開發環境，並安裝 Secret Manager Java SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

public class IamRevokeAccess {

  public static void iamRevokeAccess() throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "your-project-id";
    String secretId = "your-secret-id";
    String member = "user:[email protected]";
    iamRevokeAccess(projectId, secretId, member);
  }

  // Revoke a member access to a particular secret.
  public static void iamRevokeAccess(String projectId, String secretId, String member)
      throws IOException {
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
      // Build the name from the version.
      SecretName secretName = SecretName.of(projectId, secretId);

      // Request the current IAM policy.
      Policy policy =
          client.getIamPolicy(
              GetIamPolicyRequest.newBuilder().setResource(secretName.toString()).build());

      // Search through bindings and remove matches.
      String roleToFind = "roles/secretmanager.secretAccessor";
      for (Binding binding : policy.getBindingsList()) {
        if (binding.getRole() == roleToFind && binding.getMembersList().contains(member)) {
          binding.getMembersList().remove(member);
        }
      }

      // Save the updated IAM policy.
      client.setIamPolicy(
          SetIamPolicyRequest.newBuilder()
              .setResource(secretName.toString())
              .setPolicy(policy)
              .build());

      System.out.printf("Updated IAM policy for %s\n", secretId);
    }
  }
}

Node.js

如要執行這段程式碼，請先設定 Node.js 開發環境，並安裝 Secret Manager Node.js SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

/**
 * TODO(developer): Uncomment these variables before running the sample.
 */
// const name = 'projects/my-project/secrets/my-secret';
// const member = 'user:[email protected]';
//
// NOTE: Each member must be prefixed with its type. See the IAM documentation
// for more information: https://cloud.google.com/iam/docs/overview.

// Imports the Secret Manager library
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');

// Instantiates a client
const client = new SecretManagerServiceClient();

async function grantAccess() {
  // Get the current IAM policy.
  const [policy] = await client.getIamPolicy({
    resource: name,
  });

  // Build a new list of policy bindings with the user excluded.
  for (const i in policy.bindings) {
    const binding = policy.bindings[i];
    if (binding.role !== 'roles/secretmanager.secretAccessor') {
      continue;
    }

    const idx = binding.members.indexOf(member);
    if (idx !== -1) {
      binding.members.splice(idx, 1);
    }
  }

  // Save the updated IAM policy.
  await client.setIamPolicy({
    resource: name,
    policy: policy,
  });

  console.log(`Updated IAM policy for ${name}`);
}

grantAccess();

PHP

// Import the Secret Manager client library.
use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
use Google\Cloud\Iam\V1\GetIamPolicyRequest;
use Google\Cloud\Iam\V1\SetIamPolicyRequest;

/**
 * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project')
 * @param string $secretId  Your secret ID (e.g. 'my-secret')
 * @param string $member Your member (e.g. 'user:[email protected]')
 */
function iam_revoke_access(string $projectId, string $secretId, string $member): void
{
    // Create the Secret Manager client.
    $client = new SecretManagerServiceClient();

    // Build the resource name of the secret.
    $name = $client->secretName($projectId, $secretId);

    // Get the current IAM policy.
    $policy = $client->getIamPolicy((new GetIamPolicyRequest)->setResource($name));

    // Remove the member from the list of bindings.
    foreach ($policy->getBindings() as $binding) {
        if ($binding->getRole() == 'roles/secretmanager.secretAccessor') {
            $members = $binding->getMembers();
            foreach ($members as $i => $existingMember) {
                if ($member == $existingMember) {
                    unset($members[$i]);
                    $binding->setMembers($members);
                    break;
                }
            }
        }
    }

    // Build the request.
    $request = (new SetIamPolicyRequest)
        ->setResource($name)
        ->setPolicy($policy);

    // Save the updated policy to the server.
    $client->setIamPolicy($request);

    // Print out a success message.
    printf('Updated IAM policy for %s', $secretId);
}

Python

如要執行這段程式碼，請先設定 Python 開發環境，然後安裝 Secret Manager Python SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

def iam_revoke_access(
    project_id: str, secret_id: str, member: str
) -> iam_policy_pb2.SetIamPolicyRequest:
    """
    Revoke the given member access to a secret.
    """

    # Import the Secret Manager client library.
    from google.cloud import secretmanager

    # Create the Secret Manager client.
    client = secretmanager.SecretManagerServiceClient()

    # Build the resource name of the secret.
    name = client.secret_path(project_id, secret_id)

    # Get the current IAM policy.
    policy = client.get_iam_policy(request={"resource": name})

    # Remove the given member's access permissions.
    accessRole = "roles/secretmanager.secretAccessor"
    for b in list(policy.bindings):
        if b.role == accessRole and member in b.members:
            b.members.remove(member)

    # Update the IAM Policy.
    new_policy = client.set_iam_policy(request={"resource": name, "policy": policy})

    # Print data about the secret.
    print(f"Updated IAM policy on {secret_id}")

Ruby

如要執行這段程式碼，請先設定 Ruby 開發環境，然後安裝 Secret Manager Ruby SDK。在 Compute Engine 或 GKE 上，您必須使用 cloud-platform 範圍進行驗證。

# project_id = "YOUR-GOOGLE-CLOUD-PROJECT"  # (e.g. "my-project")
# secret_id  = "YOUR-SECRET-ID"             # (e.g. "my-secret")
# member     = "USER-OR-ACCOUNT"            # (e.g. "user:[email protected]")

# Require the Secret Manager client library.
require "google/cloud/secret_manager"

# Create a Secret Manager client.
client = Google::Cloud::SecretManager.secret_manager_service

# Build the resource name of the secret.
name = client.secret_path project: project_id, secret: secret_id

# Get the current IAM policy.
policy = client.get_iam_policy resource: name

# Remove the member from the current bindings
policy.bindings.each do |bind|
  if bind.role == "roles/secretmanager.secretAccessor"
    bind.members.delete member
  end
end

# Update IAM policy
new_policy = client.set_iam_policy resource: name, policy: policy

# Print a success message.
puts "Updated IAM policy for #{secret_id}"

後續步驟

瞭解如何設定密鑰的到期日。
瞭解如何設定密鑰的輪替排程。
瞭解如何設定密鑰通知。

管理密鑰存取權 透過集合功能整理內容 你可以依據偏好儲存及分類內容。

必要的角色

授予存取權

控制台

gcloud

Linux、macOS 或 Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

Python

撤銷存取權

控制台

gcloud

Linux、macOS 或 Cloud Shell

Windows (PowerShell)

Windows (cmd.exe)

REST

curl

PowerShell

C#

Go

Java

Node.js

PHP

Python

Ruby

後續步驟

管理密鑰存取權