gcloud secrets versions access: Read Secrets in CI
Fetch the plaintext value of a Secret Manager secret version.
gcloud secrets versions access retrieves a secret payload from Google Secret Manager. In CI it injects database passwords, API keys, and other credentials at runtime instead of baking them into images. Use the latest alias or a pinned version number.
Common flags
VERSION- version number or the alias latest (positional)--secret=NAME- the secret to read--project=PROJECT_ID- project that owns the secret
Example in CI
Read the latest version into an environment variable.
shell
DB_PASS=$(gcloud secrets versions access latest --secret=db-password)
export DB_PASSCommon errors in CI
- PERMISSION_DENIED: ... secretmanager.versions.access - SA missing roles/secretmanager.secretAccessor
- NOT_FOUND: Secret ... was not found - wrong secret name or project
- FAILED_PRECONDITION: ... DESTROYED - the version was disabled or destroyed
Key takeaways
- Reads a secret payload from Secret Manager at runtime.
- Use latest for rolling values or a pinned number for reproducibility.
- Grant secretmanager.secretAccessor to the CI service account.
Related guides
gcloud auth activate-service-account: Authenticate CIAuthenticate gcloud in CI with a service account key file: required flags, a GitHub Actions example, and the…
gcloud run deploy: Ship to Cloud Run in CIDeploy a container or source to Cloud Run from a pipeline: the flags you need, a CI example, and the deploy e…
az keyvault secret show: Read Key Vault in CIRead a secret from Azure Key Vault in CI: flags to extract the value, an example, and the access policy error…