Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py: 42%

1# -*- coding: utf-8 -*- 

2# Copyright 2025 Google LLC 

3# 

4# Licensed under the Apache License, Version 2.0 (the "License"); 

5# you may not use this file except in compliance with the License. 

6# You may obtain a copy of the License at 

7# 

8# http://www.apache.org/licenses/LICENSE-2.0 

9# 

10# Unless required by applicable law or agreed to in writing, software 

11# distributed under the License is distributed on an "AS IS" BASIS, 

12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 

13# See the License for the specific language governing permissions and 

14# limitations under the License. 

15# 

16from collections import OrderedDict 

17from http import HTTPStatus 

18import json 

19import logging as std_logging 

20import os 

21import re 

22from typing import ( 

23 Callable, 

24 Dict, 

25 Mapping, 

26 MutableMapping, 

27 MutableSequence, 

28 Optional, 

29 Sequence, 

30 Tuple, 

31 Type, 

32 Union, 

33 cast, 

34) 

35import warnings 

36 

37from google.api_core import client_options as client_options_lib 

38from google.api_core import exceptions as core_exceptions 

39from google.api_core import gapic_v1 

40from google.api_core import retry as retries 

41from google.auth import credentials as ga_credentials # type: ignore 

42from google.auth.exceptions import MutualTLSChannelError # type: ignore 

43from google.auth.transport import mtls # type: ignore 

44from google.auth.transport.grpc import SslCredentials # type: ignore 

45from google.oauth2 import service_account # type: ignore 

46import google.protobuf 

47 

48from google.cloud.secretmanager_v1beta1 import gapic_version as package_version 

49 

50try: 

51 OptionalRetry = Union[retries.Retry, gapic_v1.method._MethodDefault, None] 

52except AttributeError: # pragma: NO COVER 

53 OptionalRetry = Union[retries.Retry, object, None] # type: ignore 

54 

55try: 

56 from google.api_core import client_logging # type: ignore 

57 

58 CLIENT_LOGGING_SUPPORTED = True # pragma: NO COVER 

59except ImportError: # pragma: NO COVER 

60 CLIENT_LOGGING_SUPPORTED = False 

61 

62_LOGGER = std_logging.getLogger(__name__) 

63 

64from google.cloud.location import locations_pb2 # type: ignore 

65from google.iam.v1 import iam_policy_pb2 # type: ignore 

66from google.iam.v1 import policy_pb2 # type: ignore 

67from google.protobuf import field_mask_pb2 # type: ignore 

68from google.protobuf import timestamp_pb2 # type: ignore 

69 

70from google.cloud.secretmanager_v1beta1.services.secret_manager_service import pagers 

71from google.cloud.secretmanager_v1beta1.types import resources, service 

72 

73from .transports.base import DEFAULT_CLIENT_INFO, SecretManagerServiceTransport 

74from .transports.grpc import SecretManagerServiceGrpcTransport 

75from .transports.grpc_asyncio import SecretManagerServiceGrpcAsyncIOTransport 

76from .transports.rest import SecretManagerServiceRestTransport 

77 

78 

79class SecretManagerServiceClientMeta(type): 

80 """Metaclass for the SecretManagerService client. 

81 

82 This provides class-level methods for building and retrieving 

83 support objects (e.g. transport) without polluting the client instance 

84 objects. 

85 """ 

86 

87 _transport_registry = ( 

88 OrderedDict() 

89 ) # type: Dict[str, Type[SecretManagerServiceTransport]] 

90 _transport_registry["grpc"] = SecretManagerServiceGrpcTransport 

91 _transport_registry["grpc_asyncio"] = SecretManagerServiceGrpcAsyncIOTransport 

92 _transport_registry["rest"] = SecretManagerServiceRestTransport 

93 

94 def get_transport_class( 

95 cls, 

96 label: Optional[str] = None, 

97 ) -> Type[SecretManagerServiceTransport]: 

98 """Returns an appropriate transport class. 

99 

100 Args: 

101 label: The name of the desired transport. If none is 

102 provided, then the first transport in the registry is used. 

103 

104 Returns: 

105 The transport class to use. 

106 """ 

107 # If a specific transport is requested, return that one. 

108 if label: 

109 return cls._transport_registry[label] 

110 

111 # No transport is requested; return the default (that is, the first one 

112 # in the dictionary). 

113 return next(iter(cls._transport_registry.values())) 

114 

115 

116class SecretManagerServiceClient(metaclass=SecretManagerServiceClientMeta): 

117 """Secret Manager Service 

118 

119 Manages secrets and operations using those secrets. Implements a 

120 REST model with the following objects: 

121 

122 - [Secret][google.cloud.secrets.v1beta1.Secret] 

123 - [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] 

124 """ 

125 

126 @staticmethod 

127 def _get_default_mtls_endpoint(api_endpoint): 

128 """Converts api endpoint to mTLS endpoint. 

129 

130 Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to 

131 "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. 

132 Args: 

133 api_endpoint (Optional[str]): the api endpoint to convert. 

134 Returns: 

135 str: converted mTLS api endpoint. 

136 """ 

137 if not api_endpoint: 

138 return api_endpoint 

139 

140 mtls_endpoint_re = re.compile( 

141 r"(?P<name>[^.]+)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?(?P<googledomain>\.googleapis\.com)?" 

142 ) 

143 

144 m = mtls_endpoint_re.match(api_endpoint) 

145 name, mtls, sandbox, googledomain = m.groups() 

146 if mtls or not googledomain: 

147 return api_endpoint 

148 

149 if sandbox: 

150 return api_endpoint.replace( 

151 "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" 

152 ) 

153 

154 return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") 

155 

156 # Note: DEFAULT_ENDPOINT is deprecated. Use _DEFAULT_ENDPOINT_TEMPLATE instead. 

157 DEFAULT_ENDPOINT = "secretmanager.googleapis.com" 

158 DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore 

159 DEFAULT_ENDPOINT 

160 ) 

161 

162 _DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}" 

163 _DEFAULT_UNIVERSE = "googleapis.com" 

164 

165 @classmethod 

166 def from_service_account_info(cls, info: dict, *args, **kwargs): 

167 """Creates an instance of this client using the provided credentials 

168 info. 

169 

170 Args: 

171 info (dict): The service account private key info. 

172 args: Additional arguments to pass to the constructor. 

173 kwargs: Additional arguments to pass to the constructor. 

174 

175 Returns: 

176 SecretManagerServiceClient: The constructed client. 

177 """ 

178 credentials = service_account.Credentials.from_service_account_info(info) 

179 kwargs["credentials"] = credentials 

180 return cls(*args, **kwargs) 

181 

182 @classmethod 

183 def from_service_account_file(cls, filename: str, *args, **kwargs): 

184 """Creates an instance of this client using the provided credentials 

185 file. 

186 

187 Args: 

188 filename (str): The path to the service account private key json 

189 file. 

190 args: Additional arguments to pass to the constructor. 

191 kwargs: Additional arguments to pass to the constructor. 

192 

193 Returns: 

194 SecretManagerServiceClient: The constructed client. 

195 """ 

196 credentials = service_account.Credentials.from_service_account_file(filename) 

197 kwargs["credentials"] = credentials 

198 return cls(*args, **kwargs) 

199 

200 from_service_account_json = from_service_account_file 

201 

202 @property 

203 def transport(self) -> SecretManagerServiceTransport: 

204 """Returns the transport used by the client instance. 

205 

206 Returns: 

207 SecretManagerServiceTransport: The transport used by the client 

208 instance. 

209 """ 

210 return self._transport 

211 

212 @staticmethod 

213 def secret_path( 

214 project: str, 

215 secret: str, 

216 ) -> str: 

217 """Returns a fully-qualified secret string.""" 

218 return "projects/{project}/secrets/{secret}".format( 

219 project=project, 

220 secret=secret, 

221 ) 

222 

223 @staticmethod 

224 def parse_secret_path(path: str) -> Dict[str, str]: 

225 """Parses a secret path into its component segments.""" 

226 m = re.match(r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)$", path) 

227 return m.groupdict() if m else {} 

228 

229 @staticmethod 

230 def secret_version_path( 

231 project: str, 

232 secret: str, 

233 secret_version: str, 

234 ) -> str: 

235 """Returns a fully-qualified secret_version string.""" 

236 return "projects/{project}/secrets/{secret}/versions/{secret_version}".format( 

237 project=project, 

238 secret=secret, 

239 secret_version=secret_version, 

240 ) 

241 

242 @staticmethod 

243 def parse_secret_version_path(path: str) -> Dict[str, str]: 

244 """Parses a secret_version path into its component segments.""" 

245 m = re.match( 

246 r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)/versions/(?P<secret_version>.+?)$", 

247 path, 

248 ) 

249 return m.groupdict() if m else {} 

250 

251 @staticmethod 

252 def common_billing_account_path( 

253 billing_account: str, 

254 ) -> str: 

255 """Returns a fully-qualified billing_account string.""" 

256 return "billingAccounts/{billing_account}".format( 

257 billing_account=billing_account, 

258 ) 

259 

260 @staticmethod 

261 def parse_common_billing_account_path(path: str) -> Dict[str, str]: 

262 """Parse a billing_account path into its component segments.""" 

263 m = re.match(r"^billingAccounts/(?P<billing_account>.+?)$", path) 

264 return m.groupdict() if m else {} 

265 

266 @staticmethod 

267 def common_folder_path( 

268 folder: str, 

269 ) -> str: 

270 """Returns a fully-qualified folder string.""" 

271 return "folders/{folder}".format( 

272 folder=folder, 

273 ) 

274 

275 @staticmethod 

276 def parse_common_folder_path(path: str) -> Dict[str, str]: 

277 """Parse a folder path into its component segments.""" 

278 m = re.match(r"^folders/(?P<folder>.+?)$", path) 

279 return m.groupdict() if m else {} 

280 

281 @staticmethod 

282 def common_organization_path( 

283 organization: str, 

284 ) -> str: 

285 """Returns a fully-qualified organization string.""" 

286 return "organizations/{organization}".format( 

287 organization=organization, 

288 ) 

289 

290 @staticmethod 

291 def parse_common_organization_path(path: str) -> Dict[str, str]: 

292 """Parse a organization path into its component segments.""" 

293 m = re.match(r"^organizations/(?P<organization>.+?)$", path) 

294 return m.groupdict() if m else {} 

295 

296 @staticmethod 

297 def common_project_path( 

298 project: str, 

299 ) -> str: 

300 """Returns a fully-qualified project string.""" 

301 return "projects/{project}".format( 

302 project=project, 

303 ) 

304 

305 @staticmethod 

306 def parse_common_project_path(path: str) -> Dict[str, str]: 

307 """Parse a project path into its component segments.""" 

308 m = re.match(r"^projects/(?P<project>.+?)$", path) 

309 return m.groupdict() if m else {} 

310 

311 @staticmethod 

312 def common_location_path( 

313 project: str, 

314 location: str, 

315 ) -> str: 

316 """Returns a fully-qualified location string.""" 

317 return "projects/{project}/locations/{location}".format( 

318 project=project, 

319 location=location, 

320 ) 

321 

322 @staticmethod 

323 def parse_common_location_path(path: str) -> Dict[str, str]: 

324 """Parse a location path into its component segments.""" 

325 m = re.match(r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)$", path) 

326 return m.groupdict() if m else {} 

327 

328 @classmethod 

329 def get_mtls_endpoint_and_cert_source( 

330 cls, client_options: Optional[client_options_lib.ClientOptions] = None 

331 ): 

332 """Deprecated. Return the API endpoint and client cert source for mutual TLS. 

333 

334 The client cert source is determined in the following order: 

335 (1) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not "true", the 

336 client cert source is None. 

337 (2) if `client_options.client_cert_source` is provided, use the provided one; if the 

338 default client cert source exists, use the default one; otherwise the client cert 

339 source is None. 

340 

341 The API endpoint is determined in the following order: 

342 (1) if `client_options.api_endpoint` if provided, use the provided one. 

343 (2) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is "always", use the 

344 default mTLS endpoint; if the environment variable is "never", use the default API 

345 endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise 

346 use the default API endpoint. 

347 

348 More details can be found at https://google.aip.dev/auth/4114. 

349 

350 Args: 

351 client_options (google.api_core.client_options.ClientOptions): Custom options for the 

352 client. Only the `api_endpoint` and `client_cert_source` properties may be used 

353 in this method. 

354 

355 Returns: 

356 Tuple[str, Callable[[], Tuple[bytes, bytes]]]: returns the API endpoint and the 

357 client cert source to use. 

358 

359 Raises: 

360 google.auth.exceptions.MutualTLSChannelError: If any errors happen. 

361 """ 

362 

363 warnings.warn( 

364 "get_mtls_endpoint_and_cert_source is deprecated. Use the api_endpoint property instead.", 

365 DeprecationWarning, 

366 ) 

367 if client_options is None: 

368 client_options = client_options_lib.ClientOptions() 

369 use_client_cert = os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE", "false") 

370 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") 

371 if use_client_cert not in ("true", "false"): 

372 raise ValueError( 

373 "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be either `true` or `false`" 

374 ) 

375 if use_mtls_endpoint not in ("auto", "never", "always"): 

376 raise MutualTLSChannelError( 

377 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

378 ) 

379 

380 # Figure out the client cert source to use. 

381 client_cert_source = None 

382 if use_client_cert == "true": 

383 if client_options.client_cert_source: 

384 client_cert_source = client_options.client_cert_source 

385 elif mtls.has_default_client_cert_source(): 

386 client_cert_source = mtls.default_client_cert_source() 

387 

388 # Figure out which api endpoint to use. 

389 if client_options.api_endpoint is not None: 

390 api_endpoint = client_options.api_endpoint 

391 elif use_mtls_endpoint == "always" or ( 

392 use_mtls_endpoint == "auto" and client_cert_source 

393 ): 

394 api_endpoint = cls.DEFAULT_MTLS_ENDPOINT 

395 else: 

396 api_endpoint = cls.DEFAULT_ENDPOINT 

397 

398 return api_endpoint, client_cert_source 

399 

400 @staticmethod 

401 def _read_environment_variables(): 

402 """Returns the environment variables used by the client. 

403 

404 Returns: 

405 Tuple[bool, str, str]: returns the GOOGLE_API_USE_CLIENT_CERTIFICATE, 

406 GOOGLE_API_USE_MTLS_ENDPOINT, and GOOGLE_CLOUD_UNIVERSE_DOMAIN environment variables. 

407 

408 Raises: 

409 ValueError: If GOOGLE_API_USE_CLIENT_CERTIFICATE is not 

410 any of ["true", "false"]. 

411 google.auth.exceptions.MutualTLSChannelError: If GOOGLE_API_USE_MTLS_ENDPOINT 

412 is not any of ["auto", "never", "always"]. 

413 """ 

414 use_client_cert = os.getenv( 

415 "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false" 

416 ).lower() 

417 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto").lower() 

418 universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN") 

419 if use_client_cert not in ("true", "false"): 

420 raise ValueError( 

421 "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be either `true` or `false`" 

422 ) 

423 if use_mtls_endpoint not in ("auto", "never", "always"): 

424 raise MutualTLSChannelError( 

425 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

426 ) 

427 return use_client_cert == "true", use_mtls_endpoint, universe_domain_env 

428 

429 @staticmethod 

430 def _get_client_cert_source(provided_cert_source, use_cert_flag): 

431 """Return the client cert source to be used by the client. 

432 

433 Args: 

434 provided_cert_source (bytes): The client certificate source provided. 

435 use_cert_flag (bool): A flag indicating whether to use the client certificate. 

436 

437 Returns: 

438 bytes or None: The client cert source to be used by the client. 

439 """ 

440 client_cert_source = None 

441 if use_cert_flag: 

442 if provided_cert_source: 

443 client_cert_source = provided_cert_source 

444 elif mtls.has_default_client_cert_source(): 

445 client_cert_source = mtls.default_client_cert_source() 

446 return client_cert_source 

447 

448 @staticmethod 

449 def _get_api_endpoint( 

450 api_override, client_cert_source, universe_domain, use_mtls_endpoint 

451 ): 

452 """Return the API endpoint used by the client. 

453 

454 Args: 

455 api_override (str): The API endpoint override. If specified, this is always 

456 the return value of this function and the other arguments are not used. 

457 client_cert_source (bytes): The client certificate source used by the client. 

458 universe_domain (str): The universe domain used by the client. 

459 use_mtls_endpoint (str): How to use the mTLS endpoint, which depends also on the other parameters. 

460 Possible values are "always", "auto", or "never". 

461 

462 Returns: 

463 str: The API endpoint to be used by the client. 

464 """ 

465 if api_override is not None: 

466 api_endpoint = api_override 

467 elif use_mtls_endpoint == "always" or ( 

468 use_mtls_endpoint == "auto" and client_cert_source 

469 ): 

470 _default_universe = SecretManagerServiceClient._DEFAULT_UNIVERSE 

471 if universe_domain != _default_universe: 

472 raise MutualTLSChannelError( 

473 f"mTLS is not supported in any universe other than {_default_universe}." 

474 ) 

475 api_endpoint = SecretManagerServiceClient.DEFAULT_MTLS_ENDPOINT 

476 else: 

477 api_endpoint = SecretManagerServiceClient._DEFAULT_ENDPOINT_TEMPLATE.format( 

478 UNIVERSE_DOMAIN=universe_domain 

479 ) 

480 return api_endpoint 

481 

482 @staticmethod 

483 def _get_universe_domain( 

484 client_universe_domain: Optional[str], universe_domain_env: Optional[str] 

485 ) -> str: 

486 """Return the universe domain used by the client. 

487 

488 Args: 

489 client_universe_domain (Optional[str]): The universe domain configured via the client options. 

490 universe_domain_env (Optional[str]): The universe domain configured via the "GOOGLE_CLOUD_UNIVERSE_DOMAIN" environment variable. 

491 

492 Returns: 

493 str: The universe domain to be used by the client. 

494 

495 Raises: 

496 ValueError: If the universe domain is an empty string. 

497 """ 

498 universe_domain = SecretManagerServiceClient._DEFAULT_UNIVERSE 

499 if client_universe_domain is not None: 

500 universe_domain = client_universe_domain 

501 elif universe_domain_env is not None: 

502 universe_domain = universe_domain_env 

503 if len(universe_domain.strip()) == 0: 

504 raise ValueError("Universe Domain cannot be an empty string.") 

505 return universe_domain 

506 

507 def _validate_universe_domain(self): 

508 """Validates client's and credentials' universe domains are consistent. 

509 

510 Returns: 

511 bool: True iff the configured universe domain is valid. 

512 

513 Raises: 

514 ValueError: If the configured universe domain is not valid. 

515 """ 

516 

517 # NOTE (b/349488459): universe validation is disabled until further notice. 

518 return True 

519 

520 def _add_cred_info_for_auth_errors( 

521 self, error: core_exceptions.GoogleAPICallError 

522 ) -> None: 

523 """Adds credential info string to error details for 401/403/404 errors. 

524 

525 Args: 

526 error (google.api_core.exceptions.GoogleAPICallError): The error to add the cred info. 

527 """ 

528 if error.code not in [ 

529 HTTPStatus.UNAUTHORIZED, 

530 HTTPStatus.FORBIDDEN, 

531 HTTPStatus.NOT_FOUND, 

532 ]: 

533 return 

534 

535 cred = self._transport._credentials 

536 

537 # get_cred_info is only available in google-auth>=2.35.0 

538 if not hasattr(cred, "get_cred_info"): 

539 return 

540 

541 # ignore the type check since pypy test fails when get_cred_info 

542 # is not available 

543 cred_info = cred.get_cred_info() # type: ignore 

544 if cred_info and hasattr(error._details, "append"): 

545 error._details.append(json.dumps(cred_info)) 

546 

547 @property 

548 def api_endpoint(self): 

549 """Return the API endpoint used by the client instance. 

550 

551 Returns: 

552 str: The API endpoint used by the client instance. 

553 """ 

554 return self._api_endpoint 

555 

556 @property 

557 def universe_domain(self) -> str: 

558 """Return the universe domain used by the client instance. 

559 

560 Returns: 

561 str: The universe domain used by the client instance. 

562 """ 

563 return self._universe_domain 

564 

565 def __init__( 

566 self, 

567 *, 

568 credentials: Optional[ga_credentials.Credentials] = None, 

569 transport: Optional[ 

570 Union[ 

571 str, 

572 SecretManagerServiceTransport, 

573 Callable[..., SecretManagerServiceTransport], 

574 ] 

575 ] = None, 

576 client_options: Optional[Union[client_options_lib.ClientOptions, dict]] = None, 

577 client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, 

578 ) -> None: 

579 """Instantiates the secret manager service client. 

580 

581 Args: 

582 credentials (Optional[google.auth.credentials.Credentials]): The 

583 authorization credentials to attach to requests. These 

584 credentials identify the application to the service; if none 

585 are specified, the client will attempt to ascertain the 

586 credentials from the environment. 

587 transport (Optional[Union[str,SecretManagerServiceTransport,Callable[..., SecretManagerServiceTransport]]]): 

588 The transport to use, or a Callable that constructs and returns a new transport. 

589 If a Callable is given, it will be called with the same set of initialization 

590 arguments as used in the SecretManagerServiceTransport constructor. 

591 If set to None, a transport is chosen automatically. 

592 client_options (Optional[Union[google.api_core.client_options.ClientOptions, dict]]): 

593 Custom options for the client. 

594 

595 1. The ``api_endpoint`` property can be used to override the 

596 default endpoint provided by the client when ``transport`` is 

597 not explicitly provided. Only if this property is not set and 

598 ``transport`` was not explicitly provided, the endpoint is 

599 determined by the GOOGLE_API_USE_MTLS_ENDPOINT environment 

600 variable, which have one of the following values: 

601 "always" (always use the default mTLS endpoint), "never" (always 

602 use the default regular endpoint) and "auto" (auto-switch to the 

603 default mTLS endpoint if client certificate is present; this is 

604 the default value). 

605 

606 2. If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable 

607 is "true", then the ``client_cert_source`` property can be used 

608 to provide a client certificate for mTLS transport. If 

609 not provided, the default SSL client certificate will be used if 

610 present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not 

611 set, no client certificate will be used. 

612 

613 3. The ``universe_domain`` property can be used to override the 

614 default "googleapis.com" universe. Note that the ``api_endpoint`` 

615 property still takes precedence; and ``universe_domain`` is 

616 currently not supported for mTLS. 

617 

618 client_info (google.api_core.gapic_v1.client_info.ClientInfo): 

619 The client info used to send a user-agent string along with 

620 API requests. If ``None``, then default info will be used. 

621 Generally, you only need to set this if you're developing 

622 your own client library. 

623 

624 Raises: 

625 google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport 

626 creation failed for any reason. 

627 """ 

628 self._client_options = client_options 

629 if isinstance(self._client_options, dict): 

630 self._client_options = client_options_lib.from_dict(self._client_options) 

631 if self._client_options is None: 

632 self._client_options = client_options_lib.ClientOptions() 

633 self._client_options = cast( 

634 client_options_lib.ClientOptions, self._client_options 

635 ) 

636 

637 universe_domain_opt = getattr(self._client_options, "universe_domain", None) 

638 

639 ( 

640 self._use_client_cert, 

641 self._use_mtls_endpoint, 

642 self._universe_domain_env, 

643 ) = SecretManagerServiceClient._read_environment_variables() 

644 self._client_cert_source = SecretManagerServiceClient._get_client_cert_source( 

645 self._client_options.client_cert_source, self._use_client_cert 

646 ) 

647 self._universe_domain = SecretManagerServiceClient._get_universe_domain( 

648 universe_domain_opt, self._universe_domain_env 

649 ) 

650 self._api_endpoint = None # updated below, depending on `transport` 

651 

652 # Initialize the universe domain validation. 

653 self._is_universe_domain_valid = False 

654 

655 if CLIENT_LOGGING_SUPPORTED: # pragma: NO COVER 

656 # Setup logging. 

657 client_logging.initialize_logging() 

658 

659 api_key_value = getattr(self._client_options, "api_key", None) 

660 if api_key_value and credentials: 

661 raise ValueError( 

662 "client_options.api_key and credentials are mutually exclusive" 

663 ) 

664 

665 # Save or instantiate the transport. 

666 # Ordinarily, we provide the transport, but allowing a custom transport 

667 # instance provides an extensibility point for unusual situations. 

668 transport_provided = isinstance(transport, SecretManagerServiceTransport) 

669 if transport_provided: 

670 # transport is a SecretManagerServiceTransport instance. 

671 if credentials or self._client_options.credentials_file or api_key_value: 

672 raise ValueError( 

673 "When providing a transport instance, " 

674 "provide its credentials directly." 

675 ) 

676 if self._client_options.scopes: 

677 raise ValueError( 

678 "When providing a transport instance, provide its scopes " 

679 "directly." 

680 ) 

681 self._transport = cast(SecretManagerServiceTransport, transport) 

682 self._api_endpoint = self._transport.host 

683 

684 self._api_endpoint = ( 

685 self._api_endpoint 

686 or SecretManagerServiceClient._get_api_endpoint( 

687 self._client_options.api_endpoint, 

688 self._client_cert_source, 

689 self._universe_domain, 

690 self._use_mtls_endpoint, 

691 ) 

692 ) 

693 

694 if not transport_provided: 

695 import google.auth._default # type: ignore 

696 

697 if api_key_value and hasattr( 

698 google.auth._default, "get_api_key_credentials" 

699 ): 

700 credentials = google.auth._default.get_api_key_credentials( 

701 api_key_value 

702 ) 

703 

704 transport_init: Union[ 

705 Type[SecretManagerServiceTransport], 

706 Callable[..., SecretManagerServiceTransport], 

707 ] = ( 

708 SecretManagerServiceClient.get_transport_class(transport) 

709 if isinstance(transport, str) or transport is None 

710 else cast(Callable[..., SecretManagerServiceTransport], transport) 

711 ) 

712 # initialize with the provided callable or the passed in class 

713 self._transport = transport_init( 

714 credentials=credentials, 

715 credentials_file=self._client_options.credentials_file, 

716 host=self._api_endpoint, 

717 scopes=self._client_options.scopes, 

718 client_cert_source_for_mtls=self._client_cert_source, 

719 quota_project_id=self._client_options.quota_project_id, 

720 client_info=client_info, 

721 always_use_jwt_access=True, 

722 api_audience=self._client_options.api_audience, 

723 ) 

724 

725 if "async" not in str(self._transport): 

726 if CLIENT_LOGGING_SUPPORTED and _LOGGER.isEnabledFor( 

727 std_logging.DEBUG 

728 ): # pragma: NO COVER 

729 _LOGGER.debug( 

730 "Created client `google.cloud.secrets_v1beta1.SecretManagerServiceClient`.", 

731 extra={ 

732 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

733 "universeDomain": getattr( 

734 self._transport._credentials, "universe_domain", "" 

735 ), 

736 "credentialsType": f"{type(self._transport._credentials).__module__}.{type(self._transport._credentials).__qualname__}", 

737 "credentialsInfo": getattr( 

738 self.transport._credentials, "get_cred_info", lambda: None 

739 )(), 

740 } 

741 if hasattr(self._transport, "_credentials") 

742 else { 

743 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

744 "credentialsType": None, 

745 }, 

746 ) 

747 

748 def list_secrets( 

749 self, 

750 request: Optional[Union[service.ListSecretsRequest, dict]] = None, 

751 *, 

752 parent: Optional[str] = None, 

753 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

754 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

755 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

756 ) -> pagers.ListSecretsPager: 

757 r"""Lists [Secrets][google.cloud.secrets.v1beta1.Secret]. 

758 

759 .. code-block:: python 

760 

761 # This snippet has been automatically generated and should be regarded as a 

762 # code template only. 

763 # It will require modifications to work: 

764 # - It may require correct/in-range values for request initialization. 

765 # - It may require specifying regional endpoints when creating the service 

766 # client as shown in: 

767 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

768 from google.cloud import secretmanager_v1beta1 

769 

770 def sample_list_secrets(): 

771 # Create a client 

772 client = secretmanager_v1beta1.SecretManagerServiceClient() 

773 

774 # Initialize request argument(s) 

775 request = secretmanager_v1beta1.ListSecretsRequest( 

776 parent="parent_value", 

777 ) 

778 

779 # Make the request 

780 page_result = client.list_secrets(request=request) 

781 

782 # Handle the response 

783 for response in page_result: 

784 print(response) 

785 

786 Args: 

787 request (Union[google.cloud.secretmanager_v1beta1.types.ListSecretsRequest, dict]): 

788 The request object. Request message for 

789 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

790 parent (str): 

791 Required. The resource name of the project associated 

792 with the [Secrets][google.cloud.secrets.v1beta1.Secret], 

793 in the format ``projects/*``. 

794 

795 This corresponds to the ``parent`` field 

796 on the ``request`` instance; if ``request`` is provided, this 

797 should not be set. 

798 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

799 should be retried. 

800 timeout (float): The timeout for this request. 

801 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

802 sent along with the request as metadata. Normally, each value must be of type `str`, 

803 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

804 be of type `bytes`. 

805 

806 Returns: 

807 google.cloud.secretmanager_v1beta1.services.secret_manager_service.pagers.ListSecretsPager: 

808 Response message for 

809 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

810 

811 Iterating over this object will yield results and 

812 resolve additional pages automatically. 

813 

814 """ 

815 # Create or coerce a protobuf request object. 

816 # - Quick check: If we got a request object, we should *not* have 

817 # gotten any keyword arguments that map to the request. 

818 flattened_params = [parent] 

819 has_flattened_params = ( 

820 len([param for param in flattened_params if param is not None]) > 0 

821 ) 

822 if request is not None and has_flattened_params: 

823 raise ValueError( 

824 "If the `request` argument is set, then none of " 

825 "the individual field arguments should be set." 

826 ) 

827 

828 # - Use the request object if provided (there's no risk of modifying the input as 

829 # there are no flattened fields), or create one. 

830 if not isinstance(request, service.ListSecretsRequest): 

831 request = service.ListSecretsRequest(request) 

832 # If we have keyword arguments corresponding to fields on the 

833 # request, apply these. 

834 if parent is not None: 

835 request.parent = parent 

836 

837 # Wrap the RPC method; this adds retry and timeout information, 

838 # and friendly error handling. 

839 rpc = self._transport._wrapped_methods[self._transport.list_secrets] 

840 

841 # Certain fields should be provided within the metadata header; 

842 # add these here. 

843 metadata = tuple(metadata) + ( 

844 gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), 

845 ) 

846 

847 # Validate the universe domain. 

848 self._validate_universe_domain() 

849 

850 # Send the request. 

851 response = rpc( 

852 request, 

853 retry=retry, 

854 timeout=timeout, 

855 metadata=metadata, 

856 ) 

857 

858 # This method is paged; wrap the response in a pager, which provides 

859 # an `__iter__` convenience method. 

860 response = pagers.ListSecretsPager( 

861 method=rpc, 

862 request=request, 

863 response=response, 

864 retry=retry, 

865 timeout=timeout, 

866 metadata=metadata, 

867 ) 

868 

869 # Done; return the response. 

870 return response 

871 

872 def create_secret( 

873 self, 

874 request: Optional[Union[service.CreateSecretRequest, dict]] = None, 

875 *, 

876 parent: Optional[str] = None, 

877 secret_id: Optional[str] = None, 

878 secret: Optional[resources.Secret] = None, 

879 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

880 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

881 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

882 ) -> resources.Secret: 

883 r"""Creates a new [Secret][google.cloud.secrets.v1beta1.Secret] 

884 containing no 

885 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion]. 

886 

887 .. code-block:: python 

888 

889 # This snippet has been automatically generated and should be regarded as a 

890 # code template only. 

891 # It will require modifications to work: 

892 # - It may require correct/in-range values for request initialization. 

893 # - It may require specifying regional endpoints when creating the service 

894 # client as shown in: 

895 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

896 from google.cloud import secretmanager_v1beta1 

897 

898 def sample_create_secret(): 

899 # Create a client 

900 client = secretmanager_v1beta1.SecretManagerServiceClient() 

901 

902 # Initialize request argument(s) 

903 request = secretmanager_v1beta1.CreateSecretRequest( 

904 parent="parent_value", 

905 secret_id="secret_id_value", 

906 ) 

907 

908 # Make the request 

909 response = client.create_secret(request=request) 

910 

911 # Handle the response 

912 print(response) 

913 

914 Args: 

915 request (Union[google.cloud.secretmanager_v1beta1.types.CreateSecretRequest, dict]): 

916 The request object. Request message for 

917 [SecretManagerService.CreateSecret][google.cloud.secrets.v1beta1.SecretManagerService.CreateSecret]. 

918 parent (str): 

919 Required. The resource name of the project to associate 

920 with the [Secret][google.cloud.secrets.v1beta1.Secret], 

921 in the format ``projects/*``. 

922 

923 This corresponds to the ``parent`` field 

924 on the ``request`` instance; if ``request`` is provided, this 

925 should not be set. 

926 secret_id (str): 

927 Required. This must be unique within the project. 

928 

929 A secret ID is a string with a maximum length of 255 

930 characters and can contain uppercase and lowercase 

931 letters, numerals, and the hyphen (``-``) and underscore 

932 (``_``) characters. 

933 

934 This corresponds to the ``secret_id`` field 

935 on the ``request`` instance; if ``request`` is provided, this 

936 should not be set. 

937 secret (google.cloud.secretmanager_v1beta1.types.Secret): 

938 Required. A 

939 [Secret][google.cloud.secrets.v1beta1.Secret] with 

940 initial field values. 

941 

942 This corresponds to the ``secret`` field 

943 on the ``request`` instance; if ``request`` is provided, this 

944 should not be set. 

945 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

946 should be retried. 

947 timeout (float): The timeout for this request. 

948 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

949 sent along with the request as metadata. Normally, each value must be of type `str`, 

950 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

951 be of type `bytes`. 

952 

953 Returns: 

954 google.cloud.secretmanager_v1beta1.types.Secret: 

955 A [Secret][google.cloud.secrets.v1beta1.Secret] is a logical secret whose 

956 value and versions can be accessed. 

957 

958 A [Secret][google.cloud.secrets.v1beta1.Secret] is 

959 made up of zero or more 

960 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] 

961 that represent the secret data. 

962 

963 """ 

964 # Create or coerce a protobuf request object. 

965 # - Quick check: If we got a request object, we should *not* have 

966 # gotten any keyword arguments that map to the request. 

967 flattened_params = [parent, secret_id, secret] 

968 has_flattened_params = ( 

969 len([param for param in flattened_params if param is not None]) > 0 

970 ) 

971 if request is not None and has_flattened_params: 

972 raise ValueError( 

973 "If the `request` argument is set, then none of " 

974 "the individual field arguments should be set." 

975 ) 

976 

977 # - Use the request object if provided (there's no risk of modifying the input as 

978 # there are no flattened fields), or create one. 

979 if not isinstance(request, service.CreateSecretRequest): 

980 request = service.CreateSecretRequest(request) 

981 # If we have keyword arguments corresponding to fields on the 

982 # request, apply these. 

983 if parent is not None: 

984 request.parent = parent 

985 if secret_id is not None: 

986 request.secret_id = secret_id 

987 if secret is not None: 

988 request.secret = secret 

989 

990 # Wrap the RPC method; this adds retry and timeout information, 

991 # and friendly error handling. 

992 rpc = self._transport._wrapped_methods[self._transport.create_secret] 

993 

994 # Certain fields should be provided within the metadata header; 

995 # add these here. 

996 metadata = tuple(metadata) + ( 

997 gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), 

998 ) 

999 

1000 # Validate the universe domain.