Google Cloud Secret Manager · Capability
Google Cloud Secret Manager API
The Secret Manager API enables creating, managing, and accessing secrets and their versions, providing secure storage for sensitive configuration data and credentials.
What You Can Do
GET
Listsecrets
— Google Cloud Secret Manager List secrets
/projects/{projectId}/secrets
POST
Createsecret
— Google Cloud Secret Manager Create a secret
/projects/{projectId}/secrets
GET
Getsecret
— Google Cloud Secret Manager Get a secret
/projects/{projectId}/secrets/{secretId}
PATCH
Updatesecret
— Google Cloud Secret Manager Update a secret
/projects/{projectId}/secrets/{secretId}
DELETE
Deletesecret
— Google Cloud Secret Manager Delete a secret
/projects/{projectId}/secrets/{secretId}
POST
Addsecretversion
— Google Cloud Secret Manager Add a secret version
/projects/{projectId}/secrets/{secretId}:addVersion
GET
Listsecretversions
— Google Cloud Secret Manager List secret versions
/projects/{projectId}/secrets/{secretId}/versions
GET
Accesssecretversion
— Google Cloud Secret Manager Access a secret version
/projects/{projectId}/secrets/{secretId}/versions/{versionId}:access
POST
Destroysecretversion
— Google Cloud Secret Manager Destroy a secret version
/projects/{projectId}/secrets/{secretId}/versions/{versionId}:destroy
MCP Tools
listsecrets
Google Cloud Secret Manager List secrets
read-only
idempotent
createsecret
Google Cloud Secret Manager Create a secret
getsecret
Google Cloud Secret Manager Get a secret
read-only
idempotent
updatesecret
Google Cloud Secret Manager Update a secret
deletesecret
Google Cloud Secret Manager Delete a secret
idempotent
addsecretversion
Google Cloud Secret Manager Add a secret version
listsecretversions
Google Cloud Secret Manager List secret versions
read-only
idempotent
accesssecretversion
Google Cloud Secret Manager Access a secret version
read-only
idempotent
destroysecretversion
Google Cloud Secret Manager Destroy a secret version
Capability Spec
naftiko: 1.0.0-alpha2
info:
label: Google Cloud Secret Manager API
description: The Secret Manager API enables creating, managing, and accessing secrets and their versions, providing secure
storage for sensitive configuration data and credentials.
tags:
- Google
- Cloud
- Secret
- Manager
- API
created: '2026-05-06'
modified: '2026-05-06'
capability:
consumes:
- type: http
namespace: google-cloud-secret-manager
baseUri: https://secretmanager.googleapis.com/v1
description: Google Cloud Secret Manager API HTTP API.
authentication:
type: bearer
token: '{{GOOGLE_CLOUD_SECRET_MANAGER_TOKEN}}'
resources:
- name: projects-projectid-secrets
path: /projects/{projectId}/secrets
operations:
- name: listsecrets
method: GET
description: Google Cloud Secret Manager List secrets
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: pageSize
in: query
type: integer
- name: pageToken
in: query
type: string
- name: filter
in: query
type: string
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: createsecret
method: POST
description: Google Cloud Secret Manager Create a secret
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: query
type: string
required: true
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: projects-projectid-secrets-secretid
path: /projects/{projectId}/secrets/{secretId}
operations:
- name: getsecret
method: GET
description: Google Cloud Secret Manager Get a secret
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: path
type: string
required: true
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: updatesecret
method: PATCH
description: Google Cloud Secret Manager Update a secret
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: path
type: string
required: true
- name: updateMask
in: query
type: string
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: deletesecret
method: DELETE
description: Google Cloud Secret Manager Delete a secret
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: path
type: string
required: true
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: projects-projectid-secrets-secretid-addversion
path: /projects/{projectId}/secrets/{secretId}:addVersion
operations:
- name: addsecretversion
method: POST
description: Google Cloud Secret Manager Add a secret version
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: path
type: string
required: true
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: projects-projectid-secrets-secretid-versions
path: /projects/{projectId}/secrets/{secretId}/versions
operations:
- name: listsecretversions
method: GET
description: Google Cloud Secret Manager List secret versions
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: path
type: string
required: true
- name: pageSize
in: query
type: integer
- name: pageToken
in: query
type: string
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: projects-projectid-secrets-secretid-versions-ver
path: /projects/{projectId}/secrets/{secretId}/versions/{versionId}:access
operations:
- name: accesssecretversion
method: GET
description: Google Cloud Secret Manager Access a secret version
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: path
type: string
required: true
- name: versionId
in: path
type: string
required: true
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
- name: projects-projectid-secrets-secretid-versions-ver
path: /projects/{projectId}/secrets/{secretId}/versions/{versionId}:destroy
operations:
- name: destroysecretversion
method: POST
description: Google Cloud Secret Manager Destroy a secret version
inputParameters:
- name: projectId
in: path
type: string
required: true
- name: secretId
in: path
type: string
required: true
- name: versionId
in: path
type: string
required: true
outputRawFormat: json
outputParameters:
- name: result
type: object
value: $.
exposes:
- type: rest
port: 8080
namespace: google-cloud-secret-manager-rest
description: REST adapter for Google Cloud Secret Manager API.
resources:
- path: /projects/{projectId}/secrets
name: listsecrets
operations:
- method: GET
name: listsecrets
description: Google Cloud Secret Manager List secrets
call: google-cloud-secret-manager.listsecrets
with:
projectId: rest.projectId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets
name: createsecret
operations:
- method: POST
name: createsecret
description: Google Cloud Secret Manager Create a secret
call: google-cloud-secret-manager.createsecret
with:
projectId: rest.projectId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets/{secretId}
name: getsecret
operations:
- method: GET
name: getsecret
description: Google Cloud Secret Manager Get a secret
call: google-cloud-secret-manager.getsecret
with:
projectId: rest.projectId
secretId: rest.secretId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets/{secretId}
name: updatesecret
operations:
- method: PATCH
name: updatesecret
description: Google Cloud Secret Manager Update a secret
call: google-cloud-secret-manager.updatesecret
with:
projectId: rest.projectId
secretId: rest.secretId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets/{secretId}
name: deletesecret
operations:
- method: DELETE
name: deletesecret
description: Google Cloud Secret Manager Delete a secret
call: google-cloud-secret-manager.deletesecret
with:
projectId: rest.projectId
secretId: rest.secretId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets/{secretId}:addVersion
name: addsecretversion
operations:
- method: POST
name: addsecretversion
description: Google Cloud Secret Manager Add a secret version
call: google-cloud-secret-manager.addsecretversion
with:
projectId: rest.projectId
secretId: rest.secretId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets/{secretId}/versions
name: listsecretversions
operations:
- method: GET
name: listsecretversions
description: Google Cloud Secret Manager List secret versions
call: google-cloud-secret-manager.listsecretversions
with:
projectId: rest.projectId
secretId: rest.secretId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets/{secretId}/versions/{versionId}:access
name: accesssecretversion
operations:
- method: GET
name: accesssecretversion
description: Google Cloud Secret Manager Access a secret version
call: google-cloud-secret-manager.accesssecretversion
with:
projectId: rest.projectId
secretId: rest.secretId
versionId: rest.versionId
outputParameters:
- type: object
mapping: $.
- path: /projects/{projectId}/secrets/{secretId}/versions/{versionId}:destroy
name: destroysecretversion
operations:
- method: POST
name: destroysecretversion
description: Google Cloud Secret Manager Destroy a secret version
call: google-cloud-secret-manager.destroysecretversion
with:
projectId: rest.projectId
secretId: rest.secretId
versionId: rest.versionId
outputParameters:
- type: object
mapping: $.
- type: mcp
port: 9090
namespace: google-cloud-secret-manager-mcp
transport: http
description: MCP adapter for Google Cloud Secret Manager API for AI agent use.
tools:
- name: listsecrets
description: Google Cloud Secret Manager List secrets
hints:
readOnly: true
destructive: false
idempotent: true
call: google-cloud-secret-manager.listsecrets
with:
projectId: tools.projectId
pageSize: tools.pageSize
pageToken: tools.pageToken
filter: tools.filter
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: pageSize
type: integer
description: pageSize
- name: pageToken
type: string
description: pageToken
- name: filter
type: string
description: filter
outputParameters:
- type: object
mapping: $.
- name: createsecret
description: Google Cloud Secret Manager Create a secret
hints:
readOnly: false
destructive: false
idempotent: false
call: google-cloud-secret-manager.createsecret
with:
projectId: tools.projectId
secretId: tools.secretId
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
outputParameters:
- type: object
mapping: $.
- name: getsecret
description: Google Cloud Secret Manager Get a secret
hints:
readOnly: true
destructive: false
idempotent: true
call: google-cloud-secret-manager.getsecret
with:
projectId: tools.projectId
secretId: tools.secretId
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
outputParameters:
- type: object
mapping: $.
- name: updatesecret
description: Google Cloud Secret Manager Update a secret
hints:
readOnly: false
destructive: false
idempotent: false
call: google-cloud-secret-manager.updatesecret
with:
projectId: tools.projectId
secretId: tools.secretId
updateMask: tools.updateMask
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
- name: updateMask
type: string
description: updateMask
outputParameters:
- type: object
mapping: $.
- name: deletesecret
description: Google Cloud Secret Manager Delete a secret
hints:
readOnly: false
destructive: true
idempotent: true
call: google-cloud-secret-manager.deletesecret
with:
projectId: tools.projectId
secretId: tools.secretId
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
outputParameters:
- type: object
mapping: $.
- name: addsecretversion
description: Google Cloud Secret Manager Add a secret version
hints:
readOnly: false
destructive: false
idempotent: false
call: google-cloud-secret-manager.addsecretversion
with:
projectId: tools.projectId
secretId: tools.secretId
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
outputParameters:
- type: object
mapping: $.
- name: listsecretversions
description: Google Cloud Secret Manager List secret versions
hints:
readOnly: true
destructive: false
idempotent: true
call: google-cloud-secret-manager.listsecretversions
with:
projectId: tools.projectId
secretId: tools.secretId
pageSize: tools.pageSize
pageToken: tools.pageToken
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
- name: pageSize
type: integer
description: pageSize
- name: pageToken
type: string
description: pageToken
outputParameters:
- type: object
mapping: $.
- name: accesssecretversion
description: Google Cloud Secret Manager Access a secret version
hints:
readOnly: true
destructive: false
idempotent: true
call: google-cloud-secret-manager.accesssecretversion
with:
projectId: tools.projectId
secretId: tools.secretId
versionId: tools.versionId
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
- name: versionId
type: string
description: versionId
required: true
outputParameters:
- type: object
mapping: $.
- name: destroysecretversion
description: Google Cloud Secret Manager Destroy a secret version
hints:
readOnly: false
destructive: false
idempotent: false
call: google-cloud-secret-manager.destroysecretversion
with:
projectId: tools.projectId
secretId: tools.secretId
versionId: tools.versionId
inputParameters:
- name: projectId
type: string
description: projectId
required: true
- name: secretId
type: string
description: secretId
required: true
- name: versionId
type: string
description: versionId
required: true
outputParameters:
- type: object
mapping: $.
binds:
- namespace: env
keys:
GOOGLE_CLOUD_SECRET_MANAGER_TOKEN: GOOGLE_CLOUD_SECRET_MANAGER_TOKEN