Secret Manager roles and permissions

This page lists the IAM roles and permissions for Secret Manager. To search through all roles and permissions, see the role and permission index.

Secret Manager roles

Role Permissions

(roles/secretmanager.admin)

Full access to administer Secret Manager resources.

Lowest-level resources where you can grant this role:

  • Secret

cloudkms.keyHandles.*

  • cloudkms.keyHandles.create
  • cloudkms.keyHandles.get
  • cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.*

  • secretmanager.locations.get
  • secretmanager.locations.list
  • secretmanager.secrets.create
  • secretmanager.secrets.createTagBinding
  • secretmanager.secrets.delete
  • secretmanager.secrets.deleteTagBinding
  • secretmanager.secrets.get
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.list
  • secretmanager.secrets.listEffectiveTags
  • secretmanager.secrets.listTagBindings
  • secretmanager.secrets.setIamPolicy
  • secretmanager.secrets.update
  • secretmanager.versions.access
  • secretmanager.versions.add
  • secretmanager.versions.destroy
  • secretmanager.versions.disable
  • secretmanager.versions.enable
  • secretmanager.versions.get
  • secretmanager.versions.list

(roles/secretmanager.secretAccessor)

Allows accessing the payload of secrets.

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.access

(roles/secretmanager.secretVersionAdder)

Allows adding versions to existing secrets.

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.add

(roles/secretmanager.secretVersionManager)

Allows creating and managing versions of existing secrets.

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.versions.add

secretmanager.versions.destroy

secretmanager.versions.disable

secretmanager.versions.enable

secretmanager.versions.get

secretmanager.versions.list

(roles/secretmanager.viewer)

Allows viewing metadata of all Secret Manager resources

Lowest-level resources where you can grant this role:

  • Secret

resourcemanager.projects.get

resourcemanager.projects.list

secretmanager.locations.*

  • secretmanager.locations.get
  • secretmanager.locations.list

secretmanager.secrets.get

secretmanager.secrets.getIamPolicy

secretmanager.secrets.list

secretmanager.secrets.listEffectiveTags

secretmanager.secrets.listTagBindings

secretmanager.versions.get

secretmanager.versions.list

Secret Manager permissions

Permission Included in roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Viewer (roles/secretmanager.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Viewer (roles/secretmanager.viewer)

Owner (roles/owner)

Editor (roles/editor)

Secret Manager Admin (roles/secretmanager.admin)

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Secret Manager Admin (roles/secretmanager.admin)

Owner (roles/owner)

Editor (roles/editor)

Secret Manager Admin (roles/secretmanager.admin)

Owner (roles/owner)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Tag User (roles/resourcemanager.tagUser)

Secret Manager Admin (roles/secretmanager.admin)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Viewer (roles/secretmanager.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Connector Admin (roles/connectors.admin)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Viewer (roles/secretmanager.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Viewer (roles/secretmanager.viewer)

Service agent roles

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Viewer (roles/secretmanager.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

DLP Organization Data Profiles Driver (roles/dlp.orgdriver)

DLP Project Data Profiles Driver (roles/dlp.projectdriver)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Tag User (roles/resourcemanager.tagUser)

Tag Viewer (roles/resourcemanager.tagViewer)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Viewer (roles/secretmanager.viewer)

Owner (roles/owner)

Security Admin (roles/iam.securityAdmin)

Secret Manager Admin (roles/secretmanager.admin)

Owner (roles/owner)

Editor (roles/editor)

Secret Manager Admin (roles/secretmanager.admin)

Owner (roles/owner)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Secret Accessor (roles/secretmanager.secretAccessor)

Owner (roles/owner)

Editor (roles/editor)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Secret Version Adder (roles/secretmanager.secretVersionAdder)

Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager)

Owner (roles/owner)

Editor (roles/editor)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager)

Owner (roles/owner)

Editor (roles/editor)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager)

Owner (roles/owner)

Editor (roles/editor)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Auditor (roles/iam.securityAuditor)

Support User (roles/iam.supportUser)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager)

Secret Manager Viewer (roles/secretmanager.viewer)

Owner (roles/owner)

Editor (roles/editor)

Viewer (roles/viewer)

Security Admin (roles/iam.securityAdmin)

Security Auditor (roles/iam.securityAuditor)

Security Reviewer (roles/iam.securityReviewer)

Support User (roles/iam.supportUser)

Secret Manager Admin (roles/secretmanager.admin)

Secret Manager Secret Version Manager (roles/secretmanager.secretVersionManager)

Secret Manager Viewer (roles/secretmanager.viewer)