Stay organized with collections
Save and categorize content based on your preferences.
The Workflows connector defines the built-in
functions that can be used to access other Google Cloud products within a
workflow.
This page provides an overview of the individual connector.
There is no need to import or load connector libraries in a workflow—connectors
work out of the box when used in a call step.
Secret Manager API
Stores sensitive data such as API keys, passwords, and certificates. Provides convenience while improving security.
To learn more, see the Secret Manager API documentation.
Helper methods
You can use the helper method accessString to retrieve the secret data as a
string. This is simpler than using the access API as the secret data
is automatically decoded to a string format. To learn more, see the accessString documentation.
You can use the helper method addVersionString to add a new secret value to an existing
secret. This is simpler than using the addVersion API as the secret data is automatically
encoded to a base-64 string, which is required by addVersion. To learn more, see
the addVersionString documentation.
In addition to using a call step, you can call the helper methods in an
expression like this:
Sets the access control policy on the specified secret. Replaces any
existing policy. Permissions on SecretVersions are enforced according to
the policy set on the associated Secret.
Returns permissions that a caller has for the specified secret. If the
secret does not exist, this call returns an empty set of permissions,
not a NOT_FOUND error. Note: This operation is designed to be used for
building permission-aware UIs and command-line tools, not for
authorization checking. This operation may "fail open" without
warning.
Accesses a SecretVersion. This call returns the secret data.
projects/*/secrets/*/versions/latest is an alias to the most recently
created SecretVersion.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Secret Manager API Connector Overview\n\nThe Workflows connector defines the built-in\nfunctions that can be used to access other Google Cloud products within a\nworkflow.\n\nThis page provides an overview of the individual connector.\nThere is no need to import or load connector libraries in a workflow---connectors\nwork out of the box when used in a call step.\n\nSecret Manager API\n------------------\n\nStores sensitive data such as API keys, passwords, and certificates. Provides convenience while improving security.\nTo learn more, see the [Secret Manager API documentation](https://cloud.google.com/secret-manager/).\n\nHelper methods\n--------------\n\nYou can use the helper method `accessString` to retrieve the secret data as a\nstring. This is simpler than using the `access` API as the secret data\nis automatically decoded to a string format. To learn more, see the [accessString documentation](/workflows/docs/reference/googleapis/secretmanager/v1/projects.secrets.versions/accessString).\n| **Warning:** If the [call logging level](/workflows/docs/log-workflow#call_logging) is set to `log-all-calls` when using `accessString` to retrieve the secret data, the secret value is not redacted, and is printed in plain text to the logs under `jsonPayload.succeeded.response`.\n\nYou can use the helper method `addVersionString` to add a new secret value to an existing\nsecret. This is simpler than using the `addVersion` API as the secret data is automatically\nencoded to a base-64 string, which is required by `addVersion`. To learn more, see\nthe [addVersionString documentation](/workflows/docs/reference/googleapis/secretmanager/v1/projects.secrets/addVersionString).\n\nIn addition to using a call step, you can call the helper methods in an\nexpression like this: \n\n ${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}\n\nSecret Manager connector sample\n-------------------------------\n\n### YAML\n\n # This workflow demonstrates how to use the Secret Manager connector:\n # Retrieve a secret using three different methods\n # Expected output: the secret data (thrice)\n - init:\n assign:\n - project_id: ${sys.get_env(\"GOOGLE_CLOUD_PROJECT_ID\")}\n - secret_id: \"test-secret\" # Make sure you have this secret and it has a version of 1.\n - version: \"1\"\n # Add data to an existing secret without base-64 encoding\n - add_version_string:\n call: googleapis.secretmanager.v1.projects.secrets.addVersionString\n args:\n secret_id: ${secret_id}\n project_id: ${project_id}\n data: \"a new secret\"\n # Retrieve the secret in string format without base-64 decoding and assume\n # that the secret data is a valid UTF-8 string; if not, raise an error\n - access_string_secret:\n call: googleapis.secretmanager.v1.projects.secrets.versions.accessString\n args:\n secret_id: ${secret_id}\n version: ${version} # if not set, \"latest\" is used\n project_id: ${project_id}\n result: str_secret\n # Retrieve the secret in string format without base-64 decoding\n - access_secret:\n call: googleapis.secretmanager.v1.projects.secrets.versions.access\n args:\n name: ${\"projects/\" + project_id + \"/secrets/\" + secret_id + \"/versions/\" + version}\n result: base64_encoded_secret\n # Retrieve the secret using positional arguments in an expression\n - expression:\n assign:\n - secret_str_from_exp: ${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}\n - the_end:\n return:\n - ${str_secret}\n - ${text.decode(base64.decode(base64_encoded_secret.payload.data))}\n - ${secret_str_from_exp}\n\n### JSON\n\n [\n {\n \"init\": {\n \"assign\": [\n {\n \"project_id\": \"${sys.get_env(\\\"GOOGLE_CLOUD_PROJECT_ID\\\")}\"\n },\n {\n \"secret_id\": \"test-secret\"\n },\n {\n \"version\": \"1\"\n }\n ]\n }\n },\n {\n \"add_version_string\": {\n \"call\": \"googleapis.secretmanager.v1.projects.secrets.addVersionString\",\n \"args\": {\n \"secret_id\": \"${secret_id}\",\n \"project_id\": \"${project_id}\",\n \"data\": \"a new secret\"\n }\n }\n },\n {\n \"access_string_secret\": {\n \"call\": \"googleapis.secretmanager.v1.projects.secrets.versions.accessString\",\n \"args\": {\n \"secret_id\": \"${secret_id}\",\n \"version\": \"${version}\",\n \"project_id\": \"${project_id}\"\n },\n \"result\": \"str_secret\"\n }\n },\n {\n \"access_secret\": {\n \"call\": \"googleapis.secretmanager.v1.projects.secrets.versions.access\",\n \"args\": {\n \"name\": \"${\\\"projects/\\\" + project_id + \\\"/secrets/\\\" + secret_id + \\\"/versions/\\\" + version}\"\n },\n \"result\": \"base64_encoded_secret\"\n }\n },\n {\n \"expression\": {\n \"assign\": [\n {\n \"secret_str_from_exp\": \"${googleapis.secretmanager.v1.projects.secrets.versions.accessString(secret_id, version, project_id)}\"\n }\n ]\n }\n },\n {\n \"the_end\": {\n \"return\": [\n \"${str_secret}\",\n \"${text.decode(base64.decode(base64_encoded_secret.payload.data))}\",\n \"${secret_str_from_exp}\"\n ]\n }\n }\n ]\n\nModule: googleapis.secretmanager.v1.projects.locations\n------------------------------------------------------\n\nModule: googleapis.secretmanager.v1.projects.secrets\n----------------------------------------------------\n\nModule: googleapis.secretmanager.v1.projects.secrets.versions\n-------------------------------------------------------------"]]
