Table: gcp_secret_manager_secret - Query Google Cloud Platform Secret Manager Secrets using SQL
A Secret Manager Secret in Google Cloud Platform is a secure place to store and manage sensitive information, such as API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.
Table Usage Guide
The gcp_secret_manager_secret table provides insights into secrets stored within the Google Cloud Secret Manager. As a security engineer, you can explore secret-specific details through this table, including the associated project, creation time, expiration time, and other metadata. Utilize it to understand the distribution and lifecycle of secrets for better management and security.
Examples
List all secrets in a specific project
Identify all the secrets stored within a specific Google Cloud project. This is useful for auditing and managing secrets within your project.
select name, project, create_time, expire_timefrom gcp_secret_manager_secretwhere project = 'my-gcp-project';select name, project, create_time, expire_timefrom gcp_secret_manager_secretwhere project = 'my-gcp-project';Find secrets that are about to expire
Identify secrets that are nearing their expiration date. This is useful for proactively managing and rotating secrets to maintain security.
select name, project, expire_timefrom gcp_secret_manager_secretwhere expire_time < now() + interval '30 days';select name, project, expire_timefrom gcp_secret_manager_secretwhere expire_time < datetime('now', '+30 days');Get details of a specific secret
Retrieve detailed information about a specific secret, including its labels, annotations, and replication policy.
select name, labels, annotations, replication, ttlfrom gcp_secret_manager_secretwhere name = 'my-secret';select name, labels, annotations, replication, ttlfrom gcp_secret_manager_secretwhere name = 'my-secret';Get user managed replication details of secrets
Retrieve replication details about the secrets.
select name, create_time, replication -> 'userManaged' -> 'replicas' as user_managed_replicasfrom gcp_secret_manager_secret;select name, create_time, json_extract(replication, '$.userManaged.replicas') as user_managed_replicasfrom gcp_secret_manager_secret;Schema for gcp_secret_manager_secret
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| annotations | jsonb | Custom metadata about the secret. Annotations are distinct from various forms of labels. | |
| create_time | timestamp with time zone | The time at which the secret was created. | |
| etag | text | Etag of the currently stored Secret. | |
| expire_time | timestamp with time zone | The expiration time of the secret. | |
| labels | jsonb | The labels assigned to the secret. | |
| name | text | = | The resource name of the secret. |
| project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
| replication | jsonb | The replication policy of the secret. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| title | text | Title of the resource. | |
| topics | jsonb | A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. | |
| ttl | text | The TTL of the secret. | |
| version_aliases | jsonb | Mapping from version alias to version name. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcpYou can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_secret_manager_secret