Skip to content
Latchkey

gcloud secrets versions access: Read Secrets in CI

Fetch the plaintext value of a Secret Manager secret version.

gcloud secrets versions access retrieves a secret payload from Google Secret Manager. In CI it injects database passwords, API keys, and other credentials at runtime instead of baking them into images. Use the latest alias or a pinned version number.

Common flags

  • VERSION - version number or the alias latest (positional)
  • --secret=NAME - the secret to read
  • --project=PROJECT_ID - project that owns the secret

Example in CI

Read the latest version into an environment variable.

shell
DB_PASS=$(gcloud secrets versions access latest --secret=db-password)
export DB_PASS

Common errors in CI

  • PERMISSION_DENIED: ... secretmanager.versions.access - SA missing roles/secretmanager.secretAccessor
  • NOT_FOUND: Secret ... was not found - wrong secret name or project
  • FAILED_PRECONDITION: ... DESTROYED - the version was disabled or destroyed

Key takeaways

  • Reads a secret payload from Secret Manager at runtime.
  • Use latest for rolling values or a pinned number for reproducibility.
  • Grant secretmanager.secretAccessor to the CI service account.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →