Lockbox API, gRPC: SecretService

Written by
Yandex Cloud

A set of methods for managing secrets.

Call Description
Get Returns the specified secret.
List Retrieves the list of secrets in the specified folder.
Create Creates a secret in the specified folder.
Update Updates the specified secret.
Delete Deletes the specified secret.
Activate Activates the specified secret.
Deactivate Deactivates the specified secret.
ListVersions Retrieves the list of versions of the specified secret.
AddVersion Adds a new version based on a previous one.
ScheduleVersionDestruction Schedules the specified version for destruction.
CancelVersionDestruction Cancels previously scheduled version destruction, if the version hasn't been destroyed yet.
ListOperations Lists operations for the specified secret.
ListAccessBindings Lists existing access bindings for the specified secret.
SetAccessBindings Sets access bindings for the secret.
UpdateAccessBindings Updates access bindings for the secret.

Calls SecretService

Get

Returns the specified secret.
To get the list of all available secrets, make a List request. To get the payload of the secret (the confidential data itself), use PayloadService.Get.

rpc Get (GetSecretRequest) returns (Secret)

GetSecretRequest

Field Description
secret_id string
Required. ID of the secret to return.
To get a secret ID, make a List request. The maximum string length in characters is 50.

Secret

Field Description
id string
ID of the secret.
folder_id string
ID of the folder that the secret belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the secret.
description string
Description of the secret.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret.
status enum Status
Status of the secret.
  • CREATING: The secret is being created.
  • ACTIVE: The secret is active and the secret payload can be accessed.
    Can be set to INACTIVE using the SecretService.Deactivate method.
  • INACTIVE: The secret is inactive and unusable.
    Can be set to ACTIVE using the SecretService.Activate method.
current_version Version
Current (i.e. the latest) version of the secret.
deletion_protection bool
Flag that inhibits deletion of the secret.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

List

Retrieves the list of secrets in the specified folder.

rpc List (ListSecretsRequest) returns (ListSecretsResponse)

ListSecretsRequest

Field Description
folder_id string
Required. ID of the folder to list secrets in. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListSecretsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token string
Page token. To get the next page of results, set page_token to the ListSecretsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSecretsResponse

Field Description
secrets[] Secret
List of secrets in the specified folder.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListSecretsRequest.page_size, use the next_page_token as the value for the ListSecretsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Secret

Field Description
id string
ID of the secret.
folder_id string
ID of the folder that the secret belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the secret.
description string
Description of the secret.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret.
status enum Status
Status of the secret.
  • CREATING: The secret is being created.
  • ACTIVE: The secret is active and the secret payload can be accessed.
    Can be set to INACTIVE using the SecretService.Deactivate method.
  • INACTIVE: The secret is inactive and unusable.
    Can be set to ACTIVE using the SecretService.Activate method.
current_version Version
Current (i.e. the latest) version of the secret.
deletion_protection bool
Flag that inhibits deletion of the secret.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.
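
The paging contract and the Secret fields above are enough to review a folder's secret hygiene without ever reading a payload. The following is an added example, not code from the Lockbox documentation or SDK: `list_page` is a hypothetical stand-in for a SecretService.List call returning a dict shaped like ListSecretsResponse, the sample secrets are constructed, and the example assumes that an empty next_page_token marks the last page and treats a missing kms_key_id as a review finding by policy choice.

```python
def iter_secrets(list_page, folder_id, page_size=100):
    """Yield every Secret in a folder by following next_page_token.

    list_page is a hypothetical callable standing in for SecretService.List;
    it takes folder_id, page_size, page_token and returns a dict with
    "secrets" and "next_page_token" keys (ListSecretsResponse field names).
    """
    if not 1 <= page_size <= 1000:  # documented maximum value is 1000
        raise ValueError("page_size must be between 1 and 1000")
    page_token = ""
    seen_tokens = set()
    while True:
        response = list_page(folder_id=folder_id, page_size=page_size,
                             page_token=page_token)
        yield from response.get("secrets", [])
        page_token = response.get("next_page_token", "")
        if not page_token:  # assumption: empty token means last page
            return
        if page_token in seen_tokens:
            raise RuntimeError("next_page_token repeated; stopping to avoid a loop")
        seen_tokens.add(page_token)


def audit_secret(secret):
    """Return findings for one Secret, using metadata fields only."""
    findings = []
    if not secret.get("deletion_protection"):
        findings.append("deletion_protection is off")
    if not secret.get("kms_key_id"):
        findings.append("no kms_key_id set")
    if secret.get("status") == "INACTIVE":
        findings.append("secret is INACTIVE")
    version = secret.get("current_version") or {}
    if version.get("status") == "SCHEDULED_FOR_DESTRUCTION":
        findings.append("current version destroy_at " + version.get("destroy_at", "?"))
    elif version.get("status") == "DESTROYED":
        findings.append("current version is DESTROYED")
    return findings


def audit_folder(list_page, folder_id, page_size=100):
    """Map secret ID to findings for every secret that has at least one."""
    report = {}
    for secret in iter_secrets(list_page, folder_id, page_size):
        findings = audit_secret(secret)
        if findings:
            report[secret["id"]] = findings
    return report


def make_fake_list(secrets):
    """Constructed in-memory replacement for the List call (offline demo)."""
    def list_page(folder_id, page_size, page_token):
        list_page.calls.append(page_token)
        in_folder = [s for s in secrets if s["folder_id"] == folder_id]
        start = int(page_token or 0)
        end = start + page_size
        return {"secrets": in_folder[start:end],
                "next_page_token": str(end) if end < len(in_folder) else ""}
    list_page.calls = []
    return list_page


def _secret(secret_id, protected=True, kms="kms-placeholder",
            status="ACTIVE", version_status="ACTIVE", destroy_at=None):
    version = {"id": secret_id + "-v1", "status": version_status}
    if destroy_at:
        version["destroy_at"] = destroy_at
    return {"id": secret_id, "folder_id": "folder-a", "status": status,
            "kms_key_id": kms, "deletion_protection": protected,
            "current_version": version}


# Constructed sample data; IDs and timestamps are placeholders.
SAMPLE_SECRETS = [
    _secret("s1"),
    _secret("s2", protected=False, kms=""),
    _secret("s3", status="INACTIVE"),
    _secret("s4", version_status="SCHEDULED_FOR_DESTRUCTION",
            destroy_at="2030-01-01T00:00:00Z"),
    _secret("s5"),
]

if __name__ == "__main__":
    fake = make_fake_list(SAMPLE_SECRETS)
    for secret_id, findings in audit_folder(fake, "folder-a", page_size=2).items():
        print(secret_id, findings)
```
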

Create

Creates a secret in the specified folder.

rpc Create (CreateSecretRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:CreateSecretMetadata

    Operation.response:Secret

CreateSecretRequest

Field Description
folder_id string
Required. ID of the folder to create a secret in. The maximum string length in characters is 50.
name string
Name of the secret. The maximum string length in characters is 100.
description string
Description of the secret. The maximum string length in characters is 1024.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key. For example, "project": "mvp" or "source": "dictionary". No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression [-_0-9a-z]*. The maximum string length in characters for each key is 63. Each key must match the regular expression [a-z][-_0-9a-z]*.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret. The maximum string length in characters is 50.
version_description string
Description of the first version. The maximum string length in characters is 256.
version_payload_entries[] PayloadEntryChange
Payload entries added to the first version. The maximum number of elements is 32.
deletion_protection bool
Flag that inhibits deletion of the secret.

PayloadEntryChange

Field Description
key string
Required. Non-confidential key of the entry. The maximum string length in characters is 256. Value must match the regular expression [-_./\\\\@0-9a-zA-Z]+.
value oneof: text_value or binary_value
Confidential value of the entry.
  text_value string
Use the field to set a text value. The maximum string length in characters is 65536.
  binary_value bytes
Use the field to set a binary value. The maximum string length in characters is 65536.
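
The limits in the CreateSecretRequest and PayloadEntryChange tables can be checked on the client before a request leaves the process, which keeps rejected requests (and their confidential values) out of retries and error logs. The following is an added example, not code from the Lockbox documentation or SDK: requests are modeled as plain dicts keyed by the documented field names, the sample requests are constructed, and the regular expressions are copied verbatim from the tables above.

```python
import re

# Limits and patterns copied from the CreateSecretRequest and
# PayloadEntryChange field tables.
MAX_LEN = {"folder_id": 50, "name": 100, "description": 1024,
           "kms_key_id": 50, "version_description": 256}
LABEL_KEY_RE = re.compile(r"[a-z][-_0-9a-z]*")
LABEL_VALUE_RE = re.compile(r"[-_0-9a-z]*")
ENTRY_KEY_RE = re.compile(r"[-_./\\\\@0-9a-zA-Z]+")
MAX_LABELS = 64
MAX_LABEL_PART_LEN = 63
MAX_ENTRIES = 32
MAX_ENTRY_KEY_LEN = 256
MAX_ENTRY_VALUE_LEN = 65536


def validate_create_secret_request(req):
    """Return a list of constraint violations (empty list: request fits).

    Messages name fields, indexes and label keys only. Entry values are
    confidential and are never echoed.
    """
    errors = []

    if not req.get("folder_id"):
        errors.append("folder_id: required")
    for field, limit in MAX_LEN.items():
        if len(req.get(field, "")) > limit:
            errors.append(f"{field}: longer than {limit} characters")

    labels = req.get("labels", {})
    if len(labels) > MAX_LABELS:
        errors.append(f"labels: more than {MAX_LABELS} labels")
    for key, value in labels.items():
        if len(key) > MAX_LABEL_PART_LEN or not LABEL_KEY_RE.fullmatch(key):
            errors.append(f"labels[{key!r}]: invalid key")
        if len(value) > MAX_LABEL_PART_LEN or not LABEL_VALUE_RE.fullmatch(value):
            errors.append(f"labels[{key!r}]: invalid value")

    entries = req.get("version_payload_entries", [])
    if len(entries) > MAX_ENTRIES:
        errors.append(f"version_payload_entries: more than {MAX_ENTRIES} entries")
    for index, entry in enumerate(entries):
        where = f"version_payload_entries[{index}]"
        key = entry.get("key", "")
        if not key:
            errors.append(f"{where}.key: required")
        elif len(key) > MAX_ENTRY_KEY_LEN or not ENTRY_KEY_RE.fullmatch(key):
            errors.append(f"{where}.key: invalid key")
        # `value` is a oneof: text_value and binary_value are mutually exclusive.
        if "text_value" in entry and "binary_value" in entry:
            errors.append(f"{where}: both text_value and binary_value set")
        for name in ("text_value", "binary_value"):
            if len(entry.get(name, "")) > MAX_ENTRY_VALUE_LEN:
                errors.append(f"{where}.{name}: longer than {MAX_ENTRY_VALUE_LEN}")
    return errors


# Constructed sample requests; IDs and values are placeholders.
SAMPLE_OK = {
    "folder_id": "folder-placeholder-id",
    "name": "db-credentials",
    "labels": {"project": "mvp"},
    "deletion_protection": True,
    "version_payload_entries": [
        {"key": "db/password", "text_value": "not-a-real-password"},
        {"key": "tls.key", "binary_value": b"\x00\x01"},
    ],
}
SAMPLE_BAD = {
    "name": "n" * 101,
    "labels": {"Project": "MVP"},
    "version_payload_entries": [
        {"key": "db password", "text_value": "x", "binary_value": b"x"},
    ],
}

if __name__ == "__main__":
    for problem in validate_create_secret_request(SAMPLE_BAD):
        print(problem)
```
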

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<CreateSecretMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Secret>
Set if the operation finished successfully.

CreateSecretMetadata

Field Description
secret_id string
ID of the secret being created.
version_id string
ID of the current version of the secret being created.

Secret

Field Description
id string
ID of the secret.
folder_id string
ID of the folder that the secret belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the secret.
description string
Description of the secret.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret.
status enum Status
Status of the secret.
  • CREATING: The secret is being created.
  • ACTIVE: The secret is active and the secret payload can be accessed.
    Can be set to INACTIVE using the SecretService.Deactivate method.
  • INACTIVE: The secret is inactive and unusable.
    Can be set to ACTIVE using the SecretService.Activate method.
current_version Version
Current (i.e. the latest) version of the secret.
deletion_protection bool
Flag that inhibits deletion of the secret.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

Update

Updates the specified secret.

rpc Update (UpdateSecretRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:UpdateSecretMetadata

    Operation.response:Secret

UpdateSecretRequest

Field Description
secret_id string
Required. ID of the secret to update. The maximum string length in characters is 50.
update_mask google.protobuf.FieldMask
Required. Field mask that specifies which attributes of the secret are going to be updated.
name string
New name of the secret. The maximum string length in characters is 100.
description string
New description of the secret. The maximum string length in characters is 1024.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key. No more than 64 per resource. The maximum string length in characters for each value is 63. Each value must match the regular expression [-_0-9a-z]*. The maximum string length in characters for each key is 63. Each key must match the regular expression [a-z][-_0-9a-z]*.
deletion_protection bool
Flag that inhibits deletion of the secret.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<UpdateSecretMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Secret>
Set if the operation finished successfully.

UpdateSecretMetadata

Field Description
secret_id string
Required. ID of the secret being updated. The maximum string length in characters is 50.

Secret

Field Description
id string
ID of the secret.
folder_id string
ID of the folder that the secret belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the secret.
description string
Description of the secret.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret.
status enum Status
Status of the secret.
  • CREATING: The secret is being created.
  • ACTIVE: The secret is active and the secret payload can be accessed.
    Can be set to INACTIVE using the SecretService.Deactivate method.
  • INACTIVE: The secret is inactive and unusable.
    Can be set to ACTIVE using the SecretService.Activate method.
current_version Version
Current (i.e. the latest) version of the secret.
deletion_protection bool
Flag that inhibits deletion of the secret.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

Delete

Deletes the specified secret.

rpc Delete (DeleteSecretRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:DeleteSecretMetadata

    Operation.response:Secret

DeleteSecretRequest

Field Description
secret_id string
Required. ID of the secret to be deleted. The maximum string length in characters is 50.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<DeleteSecretMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Secret>
Set if the operation finished successfully.

DeleteSecretMetadata

Field Description
secret_id string
ID of the secret being deleted.

Secret

Field Description
id string
ID of the secret.
folder_id string
ID of the folder that the secret belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the secret.
description string
Description of the secret.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret.
status enum Status
Status of the secret.
  • CREATING: The secret is being created.
  • ACTIVE: The secret is active and the secret payload can be accessed.
    Can be set to INACTIVE using the SecretService.Deactivate method.
  • INACTIVE: The secret is inactive and unusable.
    Can be set to ACTIVE using the SecretService.Activate method.
current_version Version
Current (i.e. the latest) version of the secret.
deletion_protection bool
Flag that inhibits deletion of the secret.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

Activate

Activates the specified secret.

rpc Activate (ActivateSecretRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:ActivateSecretMetadata

    Operation.response:Secret

ActivateSecretRequest

Field Description
secret_id string
Required. ID of the secret to be activated. The maximum string length in characters is 50.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<ActivateSecretMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Secret>
Set if the operation finished successfully.

ActivateSecretMetadata

Field Description
secret_id string
ID of the secret being activated.

Secret

Field Description
id string
ID of the secret.
folder_id string
ID of the folder that the secret belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the secret.
description string
Description of the secret.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret.
status enum Status
Status of the secret.
  • CREATING: The secret is being created.
  • ACTIVE: The secret is active and the secret payload can be accessed.
    Can be set to INACTIVE using the SecretService.Deactivate method.
  • INACTIVE: The secret is inactive and unusable.
    Can be set to ACTIVE using the SecretService.Activate method.
current_version Version
Current (i.e. the latest) version of the secret.
deletion_protection bool
Flag that inhibits deletion of the secret.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

Deactivate

Deactivates the specified secret.

rpc Deactivate (DeactivateSecretRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:DeactivateSecretMetadata

    Operation.response:Secret

DeactivateSecretRequest

Field Description
secret_id string
Required. ID of the secret to be deactivated. The maximum string length in characters is 50.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<DeactivateSecretMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Secret>
Set if the operation finished successfully.

DeactivateSecretMetadata

Field Description
secret_id string
ID of the secret being deactivated.

Secret

Field Description
id string
ID of the secret.
folder_id string
ID of the folder that the secret belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the secret.
description string
Description of the secret.
labels map<string,string>
Custom labels for the secret as key:value pairs. Maximum 64 per key.
kms_key_id string
Optional ID of the KMS key that will be used to encrypt and decrypt the secret.
status enum Status
Status of the secret.
  • CREATING: The secret is being created.
  • ACTIVE: The secret is active and the secret payload can be accessed.
    Can be set to INACTIVE using the SecretService.Deactivate method.
  • INACTIVE: The secret is inactive and unusable.
    Can be set to ACTIVE using the SecretService.Activate method.
current_version Version
Current (i.e. the latest) version of the secret.
deletion_protection bool
Flag that inhibits deletion of the secret.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

ListVersions

Retrieves the list of versions of the specified secret.

rpc ListVersions (ListVersionsRequest) returns (ListVersionsResponse)

ListVersionsRequest

Field Description
secret_id string
Required. ID of the secret to list versions for. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListVersionsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token string
Page token. To get the next page of results, set page_token to the ListVersionsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListVersionsResponse

Field Description
versions[] Version
List of versions for the specified secret.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is greater than the specified ListVersionsRequest.page_size, use the next_page_token as the value for the ListVersionsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the version.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction, the time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

AddVersion

Adds a new version based on a previous one.

rpc AddVersion (AddVersionRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:AddVersionMetadata

    Operation.response:Version

AddVersionRequest

Field Description
secret_id string
Required. ID of the secret. The maximum string length in characters is 50.
description string
Description of the version. The maximum string length in characters is 1024.
payload_entries[] PayloadEntryChange
Describes how payload entries of the base version change in the added version. The maximum number of elements is 32.
base_version_id string
Optional base version ID. Defaults to the current version if not specified. The maximum string length in characters is 50.

PayloadEntryChange

Field Description
key string
Required. Non-confidential key of the entry. The maximum string length in characters is 256. Value must match the regular expression [-_./\\\\@0-9a-zA-Z]+.
value oneof: text_value or binary_value
Confidential value of the entry.
  text_value string
Use the field to set a text value. The maximum string length in characters is 65536.
  binary_value bytes
Use the field to set a binary value. The maximum string length in characters is 65536.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<AddVersionMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Version>
Present if the operation finished successfully.

AddVersionMetadata

Field Description
secret_id string
ID of the secret.
version_id string
ID of the added version.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the secret.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction. The time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

ScheduleVersionDestruction

Schedules the specified version for destruction.
Scheduled destruction can be cancelled with the SecretService.CancelVersionDestruction method.

rpc ScheduleVersionDestruction (ScheduleVersionDestructionRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:ScheduleVersionDestructionMetadata

    Operation.response:Version

ScheduleVersionDestructionRequest

Field Description
secret_id string
Required. ID of the secret whose version should be scheduled for destruction. The maximum string length in characters is 50.
version_id string
Required. ID of the version to be destroyed. The maximum string length in characters is 50.
pending_period google.protobuf.Duration
Time interval between the version destruction request and actual destruction. Default value: 7 days.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<ScheduleVersionDestructionMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Version>
Present if the operation finished successfully.

ScheduleVersionDestructionMetadata

Field Description
secret_id string
ID of the secret whose version is being scheduled for destruction.
version_id string
ID of the version that is being scheduled for destruction.
destroy_at google.protobuf.Timestamp
Destruction timestamp.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the secret.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction. The time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.

CancelVersionDestruction

Cancels previously scheduled version destruction, if the version hasn't been destroyed yet.

rpc CancelVersionDestruction (CancelVersionDestructionRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:CancelVersionDestructionMetadata

    Operation.response:Version

CancelVersionDestructionRequest

Field Description
secret_id string
Required. ID of the secret to cancel a version's destruction for. The maximum string length in characters is 50.
version_id string
Required. ID of the secret whose scheduled destruction should be cancelled. The maximum string length in characters is 50.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<CancelVersionDestructionMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<Version>
Present if the operation finished successfully.

CancelVersionDestructionMetadata

Field Description
secret_id string
ID of the secret whose version's destruction is being cancelled.
version_id string
ID of the version whose scheduled destruction is being cancelled.

Version

Field Description
id string
ID of the version.
secret_id string
ID of the secret that the version belongs to.
created_at google.protobuf.Timestamp
Time when the version was created.
destroy_at google.protobuf.Timestamp
Time when the version is going to be destroyed. Empty unless the status is SCHEDULED_FOR_DESTRUCTION.
description string
Description of the version.
status enum Status
Status of the secret.
  • ACTIVE: The version is active and the secret payload can be accessed.
  • SCHEDULED_FOR_DESTRUCTION: The version is scheduled for destruction. The time when it will be destroyed is specified in the Version.destroy_at field.
  • DESTROYED: The version is destroyed and cannot be recovered.
payload_entry_keys[] string
Keys of the entries contained in the version payload.
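The following is an added example, not Yandex Cloud code: a monitoring check built on the ScheduleVersionDestruction and CancelVersionDestruction descriptions above. It reports how long each scheduled version can still be rescued and flags scheduling operations whose pending period is shorter than the documented 7-day default. Plain dicts stand in for the Version and Operation messages, Operation.metadata is assumed to be already unpacked from google.protobuf.Any, and all IDs and timestamps are constructed.

```python
from datetime import datetime, timedelta

DEFAULT_PENDING_PERIOD = timedelta(days=7)  # documented default for pending_period


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2023-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def destruction_report(versions, now, warn_within=timedelta(hours=24)):
    """Label each non-active version by the time left to cancel its destruction."""
    report = []
    for v in versions:
        status = v["status"]
        if status == "ACTIVE":
            continue
        if status == "DESTROYED":
            report.append((v["id"], "unrecoverable", None))
            continue
        if status != "SCHEDULED_FOR_DESTRUCTION":
            raise ValueError(f"version {v['id']}: unknown status {status!r}")
        if not v.get("destroy_at"):
            raise ValueError(f"version {v['id']}: scheduled but destroy_at is empty")
        remaining = parse_ts(v["destroy_at"]) - now
        if remaining <= timedelta(0):
            label = "overdue"  # destroy_at has passed; cancellation may already be too late
        elif remaining <= warn_within:
            label = "urgent"
        else:
            label = "pending"
        report.append((v["id"], label, remaining))
    return report


def shortened_pending_periods(operations, minimum=DEFAULT_PENDING_PERIOD):
    """Find scheduling operations whose destroy_at is sooner than `minimum` after created_at."""
    flagged = []
    for op in operations:
        meta = op.get("metadata") or {}
        if "destroy_at" not in meta:
            continue  # metadata is not ScheduleVersionDestructionMetadata
        pending = parse_ts(meta["destroy_at"]) - parse_ts(op["created_at"])
        if pending < minimum:
            flagged.append((op["id"], op["created_by"], pending))
    return flagged


# Constructed sample data shaped like the Version and Operation messages above.
NOW = parse_ts("2023-05-10T00:00:00Z")
SAMPLE_VERSIONS = [
    {"id": "ver-a", "status": "ACTIVE", "destroy_at": None},
    {"id": "ver-b", "status": "SCHEDULED_FOR_DESTRUCTION", "destroy_at": "2023-05-10T06:00:00Z"},
    {"id": "ver-c", "status": "SCHEDULED_FOR_DESTRUCTION", "destroy_at": "2023-05-16T00:00:00Z"},
    {"id": "ver-d", "status": "DESTROYED", "destroy_at": None},
]
SAMPLE_OPERATIONS = [
    {"id": "op-1", "created_by": "user-alice", "created_at": "2023-05-09T00:00:00Z",
     "metadata": {"secret_id": "sec-1", "version_id": "ver-c",
                  "destroy_at": "2023-05-16T00:00:00Z"}},
    {"id": "op-2", "created_by": "sa-cleanup", "created_at": "2023-05-09T06:00:00Z",
     "metadata": {"secret_id": "sec-1", "version_id": "ver-b",
                  "destroy_at": "2023-05-10T06:00:00Z"}},
]

if __name__ == "__main__":
    for row in destruction_report(SAMPLE_VERSIONS, NOW):
        print(row)
    for row in shortened_pending_periods(SAMPLE_OPERATIONS):
        print(row)
```

The pending period is approximated as metadata.destroy_at minus Operation.created_at, since the request's pending_period is not echoed back in the messages documented here.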

ListOperations

Lists operations for the specified secret.

rpc ListOperations (ListSecretOperationsRequest) returns (ListSecretOperationsResponse)

ListSecretOperationsRequest

Field Description
secret_id string
Required. ID of the secret to get operations for. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page that should be returned. If the number of available results is larger than page_size, the service returns a ListSecretOperationsRequest.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token string
Page token. To get the next page of results, set page_token to the ListSecretOperationsRequest.next_page_token returned by a previous list request. The maximum string length in characters is 100.

ListSecretOperationsResponse

Field Description
operations[] operation.Operation
List of operations for the specified secret.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListSecretOperationsResponse.page_size, use the next_page_token as the value for the ListSecretOperationsResponse.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any
The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any.
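As an added example (not part of the Yandex Cloud documentation or SDK), the sketch below pages through ListOperations with page_token / next_page_token and classifies each Operation by the done, error and response rules in the table above, which is how one would review who changed a secret and which changes failed. The `list_page` callable is a hypothetical stand-in for the gRPC call, messages are plain dicts, and the sample pages are constructed.

```python
from collections import Counter

MAX_PAGE_SIZE = 1000  # documented maximum for page_size


def operation_state(op):
    """Apply the documented result rules to one Operation dict."""
    has_error = op.get("error") is not None
    has_response = op.get("response") is not None
    if has_error and has_response:
        raise ValueError(f"operation {op['id']}: error and response are both set")
    if op.get("done", False):
        if not (has_error or has_response):
            raise ValueError(f"operation {op['id']}: done, but neither error nor response is set")
        return "failed" if has_error else "succeeded"
    if has_response:
        raise ValueError(f"operation {op['id']}: response is set before done")
    return "failure_detected" if has_error else "in_progress"


def iter_operations(list_page, secret_id, page_size=100):
    """Yield every operation of a secret, following next_page_token until it is empty."""
    if page_size > MAX_PAGE_SIZE:
        raise ValueError("page_size exceeds the documented maximum of 1000")
    token, seen = "", set()
    while True:
        response = list_page(
            {"secret_id": secret_id, "page_size": page_size, "page_token": token}
        )
        yield from response.get("operations", [])
        token = response.get("next_page_token", "")
        if not token:
            return
        if token in seen:
            raise RuntimeError("next_page_token repeated; stopping to avoid an endless loop")
        seen.add(token)


def summarize_operations(list_page, secret_id):
    """Count operations per state and per initiator, and collect the failures."""
    by_state, by_actor, failures = Counter(), Counter(), []
    for op in iter_operations(list_page, secret_id):
        state = operation_state(op)
        by_state[state] += 1
        by_actor[op["created_by"]] += 1
        if state in ("failed", "failure_detected"):
            failures.append((op["id"], op["error"].get("message", "")))
    return by_state, by_actor, failures


# Constructed sample: two pages shaped like ListSecretOperationsResponse.
SAMPLE_PAGES = {
    "": {"operations": [
        {"id": "op-1", "created_by": "sa-deployer", "done": True, "response": {"id": "ver-1"}},
        {"id": "op-2", "created_by": "user-alice", "done": False},
    ], "next_page_token": "t1"},
    "t1": {"operations": [
        {"id": "op-3", "created_by": "user-alice", "done": True,
         "error": {"code": 7, "message": "Permission denied"}},
    ], "next_page_token": ""},
}


def fake_list_page(request):
    """Hypothetical transport that serves the constructed pages by page_token."""
    return SAMPLE_PAGES[request["page_token"]]


if __name__ == "__main__":
    print(summarize_operations(fake_list_page, "sec-1"))
```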

ListAccessBindings

Lists existing access bindings for the specified secret.

rpc ListAccessBindings (ListAccessBindingsRequest) returns (ListAccessBindingsResponse)

ListAccessBindingsRequest

Field Description
resource_id string
Required. ID of the resource to list access bindings for.
To get the resource ID, use a corresponding List request. For example, use the yandex.cloud.resourcemanager.v1.CloudService.List request to get the Cloud resource ID. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page that should be returned. If the number of available results is larger than page_size, the service returns a ListAccessBindingsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token string
Page token. Set page_token to the ListAccessBindingsResponse.next_page_token returned by a previous list request to get the next page of results. The maximum string length in characters is 100.

ListAccessBindingsResponse

Field Description
access_bindings[] AccessBinding
List of access bindings for the specified resource.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListAccessBindingsRequest.page_size, use the next_page_token as the value for the ListAccessBindingsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

AccessBinding

Field Description
role_id string
Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50.
subject Subject
Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description
id string
Required. ID of the subject.
It can contain one of the following values:
  • allAuthenticatedUsers: A special system identifier that represents anyone who is authenticated. It can be used only if the type is system.
  • allUsers: A special system identifier that represents anyone. No authentication is required. For example, you don't need to specify the IAM token in an API query.
  • <cloud generated id>: An identifier that represents a user account. It can be used only if the type is userAccount, federatedUser or serviceAccount.
The maximum string length in characters is 50.
type string
Required. Type of the subject.
It can contain one of the following values:
  • userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
  • serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
  • federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
  • system: System group. This type represents several accounts with a common system identifier.

For more information, see Subject to which the role is assigned. The maximum string length in characters is 100.

SetAccessBindings

Sets access bindings for the secret.

rpc SetAccessBindings (SetAccessBindingsRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:SetAccessBindingsMetadata

    Operation.response:google.protobuf.Empty

SetAccessBindingsRequest

Field Description
resource_id string
Required. ID of the resource for which access bindings are being set.
To get the resource ID, use a corresponding List request. The maximum string length in characters is 50.
access_bindings[] AccessBinding
Required. Access bindings to be set. For more information, see Access Bindings.

AccessBinding

Field Description
role_id string
Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50.
subject Subject
Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description
id string
Required. ID of the subject.
It can contain one of the following values:
  • allAuthenticatedUsers: A special system identifier that represents anyone who is authenticated. It can be used only if the type is system.
  • allUsers: A special system identifier that represents anyone. No authentication is required. For example, you don't need to specify the IAM token in an API query.
  • <cloud generated id>: An identifier that represents a user account. It can be used only if the type is userAccount, federatedUser or serviceAccount.
The maximum string length in characters is 50.
type string
Required. Type of the subject.
It can contain one of the following values:
  • userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
  • serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
  • federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
  • system: System group. This type represents several accounts with a common system identifier.

For more information, see Subject to which the role is assigned. The maximum string length in characters is 100.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<SetAccessBindingsMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<google.protobuf.Empty>
Present if the operation finished successfully.

SetAccessBindingsMetadata

Field Description
resource_id string
ID of the resource for which access bindings are being set.

UpdateAccessBindings

Updates access bindings for the secret.

rpc UpdateAccessBindings (UpdateAccessBindingsRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:UpdateAccessBindingsMetadata

    Operation.response:google.protobuf.Empty

UpdateAccessBindingsRequest

Field Description
resource_id string
Required. ID of the resource for which access bindings are being updated. The maximum string length in characters is 50.
access_binding_deltas[] AccessBindingDelta
Required. Updates to access bindings. The number of elements must be greater than 0.

AccessBindingDelta

Field Description
action enum AccessBindingAction
Required. The action that is being performed on an access binding.
  • ADD: Addition of an access binding.
  • REMOVE: Removal of an access binding.
access_binding AccessBinding
Required. Access binding. For more information, see Access Bindings.

AccessBinding

Field Description
role_id string
Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50.
subject Subject
Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description
id string
Required. ID of the subject.
It can contain one of the following values:
  • allAuthenticatedUsers: A special system identifier that represents anyone who is authenticated. It can be used only if the type is system.
  • allUsers: A special system identifier that represents anyone. No authentication is required. For example, you don't need to specify the IAM token in an API query.
  • <cloud generated id>: An identifier that represents a user account. It can be used only if the type is userAccount, federatedUser or serviceAccount.
The maximum string length in characters is 50.
type string
Required. Type of the subject.
It can contain one of the following values:
  • userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
  • serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
  • federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
  • system: System group. This type represents several accounts with a common system identifier.

For more information, see Subject to which the role is assigned. The maximum string length in characters is 100.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<UpdateAccessBindingsMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<google.protobuf.Empty>
Present if the operation finished successfully.

UpdateAccessBindingsMetadata

Field Description
resource_id string
ID of the resource for which access bindings are being updated.
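An added example, not taken from Yandex Cloud's own code: a least-privilege helper that audits the bindings returned by ListAccessBindings for the public system subjects (allUsers, allAuthenticatedUsers) and builds the access_binding_deltas for UpdateAccessBindings needed to reach a desired set. Bindings are plain dicts mirroring AccessBinding and Subject; the role ID and subject IDs are sample values constructed for the example.

```python
PUBLIC_SYSTEM_IDS = {"allUsers", "allAuthenticatedUsers"}
SUBJECT_TYPES = {"userAccount", "serviceAccount", "federatedUser", "system"}


def binding_key(binding):
    """Identity of a binding: the role plus the subject's type and id."""
    subject = binding["subject"]
    return (binding["role_id"], subject["type"], subject["id"])


def check_subject(subject):
    """Return the problems found in a Subject, following the id/type rules in the table."""
    problems = []
    if subject["type"] not in SUBJECT_TYPES:
        problems.append(f"unknown subject type {subject['type']!r}")
    elif subject["id"] in PUBLIC_SYSTEM_IDS and subject["type"] != "system":
        # The table states this for allAuthenticatedUsers; allUsers is treated alike here.
        problems.append(f"{subject['id']} can be used only with type system")
    if len(subject["id"]) > 50:
        problems.append("subject id is longer than 50 characters")
    return problems


def public_bindings(bindings):
    """Bindings that grant a role to anyone or to any authenticated account."""
    return [b for b in bindings if b["subject"]["id"] in PUBLIC_SYSTEM_IDS]


def plan_deltas(current, desired, allow_public=False):
    """Build the AccessBindingDelta list that turns `current` into `desired`.

    An empty result means no UpdateAccessBindings call should be made, because
    the request requires at least one delta.
    """
    for binding in desired:
        problems = check_subject(binding["subject"])
        if problems:
            raise ValueError(f"{binding_key(binding)}: {'; '.join(problems)}")
    if not allow_public and public_bindings(desired):
        raise ValueError("desired bindings include a public system subject")
    cur = {binding_key(b): b for b in current}
    want = {binding_key(b): b for b in desired}
    deltas = [{"action": "REMOVE", "access_binding": cur[k]}
              for k in sorted(cur.keys() - want.keys())]
    deltas += [{"action": "ADD", "access_binding": want[k]}
               for k in sorted(want.keys() - cur.keys())]
    return deltas


# Constructed sample bindings; IDs are placeholders, not real accounts.
CURRENT_BINDINGS = [
    {"role_id": "lockbox.payloadViewer",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"role_id": "lockbox.payloadViewer",
     "subject": {"id": "sa-app-0001", "type": "serviceAccount"}},
]
DESIRED_BINDINGS = [
    {"role_id": "lockbox.payloadViewer",
     "subject": {"id": "sa-app-0001", "type": "serviceAccount"}},
    {"role_id": "lockbox.payloadViewer",
     "subject": {"id": "sa-ci-0002", "type": "serviceAccount"}},
]

if __name__ == "__main__":
    print("public:", public_bindings(CURRENT_BINDINGS))
    for delta in plan_deltas(CURRENT_BINDINGS, DESIRED_BINDINGS):
        print(delta["action"], binding_key(delta["access_binding"]))
```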
