Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py: 42%

1# -*- coding: utf-8 -*- 

2# Copyright 2025 Google LLC 

3# 

4# Licensed under the Apache License, Version 2.0 (the "License"); 

5# you may not use this file except in compliance with the License. 

6# You may obtain a copy of the License at 

7# 

8# http://www.apache.org/licenses/LICENSE-2.0 

9# 

10# Unless required by applicable law or agreed to in writing, software 

11# distributed under the License is distributed on an "AS IS" BASIS, 

12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 

13# See the License for the specific language governing permissions and 

14# limitations under the License. 

15# 

16from collections import OrderedDict 

17from http import HTTPStatus 

18import json 

19import logging as std_logging 

20import os 

21import re 

22from typing import ( 

23 Callable, 

24 Dict, 

25 Mapping, 

26 MutableMapping, 

27 MutableSequence, 

28 Optional, 

29 Sequence, 

30 Tuple, 

31 Type, 

32 Union, 

33 cast, 

34) 

35import warnings 

36 

37from google.api_core import client_options as client_options_lib 

38from google.api_core import exceptions as core_exceptions 

39from google.api_core import gapic_v1 

40from google.api_core import retry as retries 

41from google.auth import credentials as ga_credentials # type: ignore 

42from google.auth.exceptions import MutualTLSChannelError # type: ignore 

43from google.auth.transport import mtls # type: ignore 

44from google.auth.transport.grpc import SslCredentials # type: ignore 

45from google.oauth2 import service_account # type: ignore 

46import google.protobuf 

47 

48from google.cloud.secretmanager_v1beta1 import gapic_version as package_version 

49 

50try: 

51 OptionalRetry = Union[retries.Retry, gapic_v1.method._MethodDefault, None] 

52except AttributeError: # pragma: NO COVER 

53 OptionalRetry = Union[retries.Retry, object, None] # type: ignore 

54 

55try: 

56 from google.api_core import client_logging # type: ignore 

57 

58 CLIENT_LOGGING_SUPPORTED = True # pragma: NO COVER 

59except ImportError: # pragma: NO COVER 

60 CLIENT_LOGGING_SUPPORTED = False 

61 

62_LOGGER = std_logging.getLogger(__name__) 

63 

64from google.cloud.location import locations_pb2 # type: ignore 

65from google.iam.v1 import iam_policy_pb2 # type: ignore 

66from google.iam.v1 import policy_pb2 # type: ignore 

67from google.protobuf import field_mask_pb2 # type: ignore 

68from google.protobuf import timestamp_pb2 # type: ignore 

69 

70from google.cloud.secretmanager_v1beta1.services.secret_manager_service import pagers 

71from google.cloud.secretmanager_v1beta1.types import resources, service 

72 

73from .transports.base import DEFAULT_CLIENT_INFO, SecretManagerServiceTransport 

74from .transports.grpc import SecretManagerServiceGrpcTransport 

75from .transports.grpc_asyncio import SecretManagerServiceGrpcAsyncIOTransport 

76from .transports.rest import SecretManagerServiceRestTransport 

77 

78 

79class SecretManagerServiceClientMeta(type): 

80 """Metaclass for the SecretManagerService client. 

81 

82 This provides class-level methods for building and retrieving 

83 support objects (e.g. transport) without polluting the client instance 

84 objects. 

85 """ 

86 

87 _transport_registry = ( 

88 OrderedDict() 

89 ) # type: Dict[str, Type[SecretManagerServiceTransport]] 

90 _transport_registry["grpc"] = SecretManagerServiceGrpcTransport 

91 _transport_registry["grpc_asyncio"] = SecretManagerServiceGrpcAsyncIOTransport 

92 _transport_registry["rest"] = SecretManagerServiceRestTransport 

93 

94 def get_transport_class( 

95 cls, 

96 label: Optional[str] = None, 

97 ) -> Type[SecretManagerServiceTransport]: 

98 """Returns an appropriate transport class. 

99 

100 Args: 

101 label: The name of the desired transport. If none is 

102 provided, then the first transport in the registry is used. 

103 

104 Returns: 

105 The transport class to use. 

106 """ 

107 # If a specific transport is requested, return that one. 

108 if label: 

109 return cls._transport_registry[label] 

110 

111 # No transport is requested; return the default (that is, the first one 

112 # in the dictionary). 

113 return next(iter(cls._transport_registry.values())) 

114 

115 

116class SecretManagerServiceClient(metaclass=SecretManagerServiceClientMeta): 

117 """Secret Manager Service 

118 

119 Manages secrets and operations using those secrets. Implements a 

120 REST model with the following objects: 

121 

122 - [Secret][google.cloud.secrets.v1beta1.Secret] 

123 - [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] 

124 """ 

125 

126 @staticmethod 

127 def _get_default_mtls_endpoint(api_endpoint): 

128 """Converts api endpoint to mTLS endpoint. 

129 

130 Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to 

131 "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. 

132 Args: 

133 api_endpoint (Optional[str]): the api endpoint to convert. 

134 Returns: 

135 str: converted mTLS api endpoint. 

136 """ 

137 if not api_endpoint: 

138 return api_endpoint 

139 

140 mtls_endpoint_re = re.compile( 

141 r"(?P<name>[^.]+)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?(?P<googledomain>\.googleapis\.com)?" 

142 ) 

143 

144 m = mtls_endpoint_re.match(api_endpoint) 

145 name, mtls, sandbox, googledomain = m.groups() 

146 if mtls or not googledomain: 

147 return api_endpoint 

148 

149 if sandbox: 

150 return api_endpoint.replace( 

151 "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" 

152 ) 

153 

154 return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") 

155 

156 # Note: DEFAULT_ENDPOINT is deprecated. Use _DEFAULT_ENDPOINT_TEMPLATE instead. 

157 DEFAULT_ENDPOINT = "secretmanager.googleapis.com" 

158 DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore 

159 DEFAULT_ENDPOINT 

160 ) 

161 

162 _DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}" 

163 _DEFAULT_UNIVERSE = "googleapis.com" 

164 

165 @staticmethod 

166 def _use_client_cert_effective(): 

167 """Returns whether client certificate should be used for mTLS if the 

168 google-auth version supports should_use_client_cert automatic mTLS enablement. 

169 

170 Alternatively, read from the GOOGLE_API_USE_CLIENT_CERTIFICATE env var. 

171 

172 Returns: 

173 bool: whether client certificate should be used for mTLS 

174 Raises: 

175 ValueError: (If using a version of google-auth without should_use_client_cert and 

176 GOOGLE_API_USE_CLIENT_CERTIFICATE is set to an unexpected value.) 

177 """ 

178 # check if google-auth version supports should_use_client_cert for automatic mTLS enablement 

179 if hasattr(mtls, "should_use_client_cert"): # pragma: NO COVER 

180 return mtls.should_use_client_cert() 

181 else: # pragma: NO COVER 

182 # if unsupported, fallback to reading from env var 

183 use_client_cert_str = os.getenv( 

184 "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false" 

185 ).lower() 

186 if use_client_cert_str not in ("true", "false"): 

187 raise ValueError( 

188 "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be" 

189 " either `true` or `false`" 

190 ) 

191 return use_client_cert_str == "true" 

192 

193 @classmethod 

194 def from_service_account_info(cls, info: dict, *args, **kwargs): 

195 """Creates an instance of this client using the provided credentials 

196 info. 

197 

198 Args: 

199 info (dict): The service account private key info. 

200 args: Additional arguments to pass to the constructor. 

201 kwargs: Additional arguments to pass to the constructor. 

202 

203 Returns: 

204 SecretManagerServiceClient: The constructed client. 

205 """ 

206 credentials = service_account.Credentials.from_service_account_info(info) 

207 kwargs["credentials"] = credentials 

208 return cls(*args, **kwargs) 

209 

210 @classmethod 

211 def from_service_account_file(cls, filename: str, *args, **kwargs): 

212 """Creates an instance of this client using the provided credentials 

213 file. 

214 

215 Args: 

216 filename (str): The path to the service account private key json 

217 file. 

218 args: Additional arguments to pass to the constructor. 

219 kwargs: Additional arguments to pass to the constructor. 

220 

221 Returns: 

222 SecretManagerServiceClient: The constructed client. 

223 """ 

224 credentials = service_account.Credentials.from_service_account_file(filename) 

225 kwargs["credentials"] = credentials 

226 return cls(*args, **kwargs) 

227 

228 from_service_account_json = from_service_account_file 

229 

230 @property 

231 def transport(self) -> SecretManagerServiceTransport: 

232 """Returns the transport used by the client instance. 

233 

234 Returns: 

235 SecretManagerServiceTransport: The transport used by the client 

236 instance. 

237 """ 

238 return self._transport 

239 

240 @staticmethod 

241 def secret_path( 

242 project: str, 

243 secret: str, 

244 ) -> str: 

245 """Returns a fully-qualified secret string.""" 

246 return "projects/{project}/secrets/{secret}".format( 

247 project=project, 

248 secret=secret, 

249 ) 

250 

251 @staticmethod 

252 def parse_secret_path(path: str) -> Dict[str, str]: 

253 """Parses a secret path into its component segments.""" 

254 m = re.match(r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)$", path) 

255 return m.groupdict() if m else {} 

256 

257 @staticmethod 

258 def secret_version_path( 

259 project: str, 

260 secret: str, 

261 secret_version: str, 

262 ) -> str: 

263 """Returns a fully-qualified secret_version string.""" 

264 return "projects/{project}/secrets/{secret}/versions/{secret_version}".format( 

265 project=project, 

266 secret=secret, 

267 secret_version=secret_version, 

268 ) 

269 

270 @staticmethod 

271 def parse_secret_version_path(path: str) -> Dict[str, str]: 

272 """Parses a secret_version path into its component segments.""" 

273 m = re.match( 

274 r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)/versions/(?P<secret_version>.+?)$", 

275 path, 

276 ) 

277 return m.groupdict() if m else {} 

278 

279 @staticmethod 

280 def common_billing_account_path( 

281 billing_account: str, 

282 ) -> str: 

283 """Returns a fully-qualified billing_account string.""" 

284 return "billingAccounts/{billing_account}".format( 

285 billing_account=billing_account, 

286 ) 

287 

288 @staticmethod 

289 def parse_common_billing_account_path(path: str) -> Dict[str, str]: 

290 """Parse a billing_account path into its component segments.""" 

291 m = re.match(r"^billingAccounts/(?P<billing_account>.+?)$", path) 

292 return m.groupdict() if m else {} 

293 

294 @staticmethod 

295 def common_folder_path( 

296 folder: str, 

297 ) -> str: 

298 """Returns a fully-qualified folder string.""" 

299 return "folders/{folder}".format( 

300 folder=folder, 

301 ) 

302 

303 @staticmethod 

304 def parse_common_folder_path(path: str) -> Dict[str, str]: 

305 """Parse a folder path into its component segments.""" 

306 m = re.match(r"^folders/(?P<folder>.+?)$", path) 

307 return m.groupdict() if m else {} 

308 

309 @staticmethod 

310 def common_organization_path( 

311 organization: str, 

312 ) -> str: 

313 """Returns a fully-qualified organization string.""" 

314 return "organizations/{organization}".format( 

315 organization=organization, 

316 ) 

317 

318 @staticmethod 

319 def parse_common_organization_path(path: str) -> Dict[str, str]: 

320 """Parse a organization path into its component segments.""" 

321 m = re.match(r"^organizations/(?P<organization>.+?)$", path) 

322 return m.groupdict() if m else {} 

323 

324 @staticmethod 

325 def common_project_path( 

326 project: str, 

327 ) -> str: 

328 """Returns a fully-qualified project string.""" 

329 return "projects/{project}".format( 

330 project=project, 

331 ) 

332 

333 @staticmethod 

334 def parse_common_project_path(path: str) -> Dict[str, str]: 

335 """Parse a project path into its component segments.""" 

336 m = re.match(r"^projects/(?P<project>.+?)$", path) 

337 return m.groupdict() if m else {} 

338 

339 @staticmethod 

340 def common_location_path( 

341 project: str, 

342 location: str, 

343 ) -> str: 

344 """Returns a fully-qualified location string.""" 

345 return "projects/{project}/locations/{location}".format( 

346 project=project, 

347 location=location, 

348 ) 

349 

350 @staticmethod 

351 def parse_common_location_path(path: str) -> Dict[str, str]: 

352 """Parse a location path into its component segments.""" 

353 m = re.match(r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)$", path) 

354 return m.groupdict() if m else {} 

355 

356 @classmethod 

357 def get_mtls_endpoint_and_cert_source( 

358 cls, client_options: Optional[client_options_lib.ClientOptions] = None 

359 ): 

360 """Deprecated. Return the API endpoint and client cert source for mutual TLS. 

361 

362 The client cert source is determined in the following order: 

363 (1) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not "true", the 

364 client cert source is None. 

365 (2) if `client_options.client_cert_source` is provided, use the provided one; if the 

366 default client cert source exists, use the default one; otherwise the client cert 

367 source is None. 

368 

369 The API endpoint is determined in the following order: 

370 (1) if `client_options.api_endpoint` if provided, use the provided one. 

371 (2) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is "always", use the 

372 default mTLS endpoint; if the environment variable is "never", use the default API 

373 endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise 

374 use the default API endpoint. 

375 

376 More details can be found at https://google.aip.dev/auth/4114. 

377 

378 Args: 

379 client_options (google.api_core.client_options.ClientOptions): Custom options for the 

380 client. Only the `api_endpoint` and `client_cert_source` properties may be used 

381 in this method. 

382 

383 Returns: 

384 Tuple[str, Callable[[], Tuple[bytes, bytes]]]: returns the API endpoint and the 

385 client cert source to use. 

386 

387 Raises: 

388 google.auth.exceptions.MutualTLSChannelError: If any errors happen. 

389 """ 

390 

391 warnings.warn( 

392 "get_mtls_endpoint_and_cert_source is deprecated. Use the api_endpoint property instead.", 

393 DeprecationWarning, 

394 ) 

395 if client_options is None: 

396 client_options = client_options_lib.ClientOptions() 

397 use_client_cert = SecretManagerServiceClient._use_client_cert_effective() 

398 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") 

399 if use_mtls_endpoint not in ("auto", "never", "always"): 

400 raise MutualTLSChannelError( 

401 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

402 ) 

403 

404 # Figure out the client cert source to use. 

405 client_cert_source = None 

406 if use_client_cert: 

407 if client_options.client_cert_source: 

408 client_cert_source = client_options.client_cert_source 

409 elif mtls.has_default_client_cert_source(): 

410 client_cert_source = mtls.default_client_cert_source() 

411 

412 # Figure out which api endpoint to use. 

413 if client_options.api_endpoint is not None: 

414 api_endpoint = client_options.api_endpoint 

415 elif use_mtls_endpoint == "always" or ( 

416 use_mtls_endpoint == "auto" and client_cert_source 

417 ): 

418 api_endpoint = cls.DEFAULT_MTLS_ENDPOINT 

419 else: 

420 api_endpoint = cls.DEFAULT_ENDPOINT 

421 

422 return api_endpoint, client_cert_source 

423 

424 @staticmethod 

425 def _read_environment_variables(): 

426 """Returns the environment variables used by the client. 

427 

428 Returns: 

429 Tuple[bool, str, str]: returns the GOOGLE_API_USE_CLIENT_CERTIFICATE, 

430 GOOGLE_API_USE_MTLS_ENDPOINT, and GOOGLE_CLOUD_UNIVERSE_DOMAIN environment variables. 

431 

432 Raises: 

433 ValueError: If GOOGLE_API_USE_CLIENT_CERTIFICATE is not 

434 any of ["true", "false"]. 

435 google.auth.exceptions.MutualTLSChannelError: If GOOGLE_API_USE_MTLS_ENDPOINT 

436 is not any of ["auto", "never", "always"]. 

437 """ 

438 use_client_cert = SecretManagerServiceClient._use_client_cert_effective() 

439 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto").lower() 

440 universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN") 

441 if use_mtls_endpoint not in ("auto", "never", "always"): 

442 raise MutualTLSChannelError( 

443 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

444 ) 

445 return use_client_cert, use_mtls_endpoint, universe_domain_env 

446 

447 @staticmethod 

448 def _get_client_cert_source(provided_cert_source, use_cert_flag): 

449 """Return the client cert source to be used by the client. 

450 

451 Args: 

452 provided_cert_source (bytes): The client certificate source provided. 

453 use_cert_flag (bool): A flag indicating whether to use the client certificate. 

454 

455 Returns: 

456 bytes or None: The client cert source to be used by the client. 

457 """ 

458 client_cert_source = None 

459 if use_cert_flag: 

460 if provided_cert_source: 

461 client_cert_source = provided_cert_source 

462 elif mtls.has_default_client_cert_source(): 

463 client_cert_source = mtls.default_client_cert_source() 

464 return client_cert_source 

465 

466 @staticmethod 

467 def _get_api_endpoint( 

468 api_override, client_cert_source, universe_domain, use_mtls_endpoint 

469 ): 

470 """Return the API endpoint used by the client. 

471 

472 Args: 

473 api_override (str): The API endpoint override. If specified, this is always 

474 the return value of this function and the other arguments are not used. 

475 client_cert_source (bytes): The client certificate source used by the client. 

476 universe_domain (str): The universe domain used by the client. 

477 use_mtls_endpoint (str): How to use the mTLS endpoint, which depends also on the other parameters. 

478 Possible values are "always", "auto", or "never". 

479 

480 Returns: 

481 str: The API endpoint to be used by the client. 

482 """ 

483 if api_override is not None: 

484 api_endpoint = api_override 

485 elif use_mtls_endpoint == "always" or ( 

486 use_mtls_endpoint == "auto" and client_cert_source 

487 ): 

488 _default_universe = SecretManagerServiceClient._DEFAULT_UNIVERSE 

489 if universe_domain != _default_universe: 

490 raise MutualTLSChannelError( 

491 f"mTLS is not supported in any universe other than {_default_universe}." 

492 ) 

493 api_endpoint = SecretManagerServiceClient.DEFAULT_MTLS_ENDPOINT 

494 else: 

495 api_endpoint = SecretManagerServiceClient._DEFAULT_ENDPOINT_TEMPLATE.format( 

496 UNIVERSE_DOMAIN=universe_domain 

497 ) 

498 return api_endpoint 

499 

500 @staticmethod 

501 def _get_universe_domain( 

502 client_universe_domain: Optional[str], universe_domain_env: Optional[str] 

503 ) -> str: 

504 """Return the universe domain used by the client. 

505 

506 Args: 

507 client_universe_domain (Optional[str]): The universe domain configured via the client options. 

508 universe_domain_env (Optional[str]): The universe domain configured via the "GOOGLE_CLOUD_UNIVERSE_DOMAIN" environment variable. 

509 

510 Returns: 

511 str: The universe domain to be used by the client. 

512 

513 Raises: 

514 ValueError: If the universe domain is an empty string. 

515 """ 

516 universe_domain = SecretManagerServiceClient._DEFAULT_UNIVERSE 

517 if client_universe_domain is not None: 

518 universe_domain = client_universe_domain 

519 elif universe_domain_env is not None: 

520 universe_domain = universe_domain_env 

521 if len(universe_domain.strip()) == 0: 

522 raise ValueError("Universe Domain cannot be an empty string.") 

523 return universe_domain 

524 

525 def _validate_universe_domain(self): 

526 """Validates client's and credentials' universe domains are consistent. 

527 

528 Returns: 

529 bool: True iff the configured universe domain is valid. 

530 

531 Raises: 

532 ValueError: If the configured universe domain is not valid. 

533 """ 

534 

535 # NOTE (b/349488459): universe validation is disabled until further notice. 

536 return True 

537 

538 def _add_cred_info_for_auth_errors( 

539 self, error: core_exceptions.GoogleAPICallError 

540 ) -> None: 

541 """Adds credential info string to error details for 401/403/404 errors. 

542 

543 Args: 

544 error (google.api_core.exceptions.GoogleAPICallError): The error to add the cred info. 

545 """ 

546 if error.code not in [ 

547 HTTPStatus.UNAUTHORIZED, 

548 HTTPStatus.FORBIDDEN, 

549 HTTPStatus.NOT_FOUND, 

550 ]: 

551 return 

552 

553 cred = self._transport._credentials 

554 

555 # get_cred_info is only available in google-auth>=2.35.0 

556 if not hasattr(cred, "get_cred_info"): 

557 return 

558 

559 # ignore the type check since pypy test fails when get_cred_info 

560 # is not available 

561 cred_info = cred.get_cred_info() # type: ignore 

562 if cred_info and hasattr(error._details, "append"): 

563 error._details.append(json.dumps(cred_info)) 

564 

565 @property 

566 def api_endpoint(self): 

567 """Return the API endpoint used by the client instance. 

568 

569 Returns: 

570 str: The API endpoint used by the client instance. 

571 """ 

572 return self._api_endpoint 

573 

574 @property 

575 def universe_domain(self) -> str: 

576 """Return the universe domain used by the client instance. 

577 

578 Returns: 

579 str: The universe domain used by the client instance. 

580 """ 

581 return self._universe_domain 

582 

583 def __init__( 

584 self, 

585 *, 

586 credentials: Optional[ga_credentials.Credentials] = None, 

587 transport: Optional[ 

588 Union[ 

589 str, 

590 SecretManagerServiceTransport, 

591 Callable[..., SecretManagerServiceTransport], 

592 ] 

593 ] = None, 

594 client_options: Optional[Union[client_options_lib.ClientOptions, dict]] = None, 

595 client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, 

596 ) -> None: 

597 """Instantiates the secret manager service client. 

598 

599 Args: 

600 credentials (Optional[google.auth.credentials.Credentials]): The 

601 authorization credentials to attach to requests. These 

602 credentials identify the application to the service; if none 

603 are specified, the client will attempt to ascertain the 

604 credentials from the environment. 

605 transport (Optional[Union[str,SecretManagerServiceTransport,Callable[..., SecretManagerServiceTransport]]]): 

606 The transport to use, or a Callable that constructs and returns a new transport. 

607 If a Callable is given, it will be called with the same set of initialization 

608 arguments as used in the SecretManagerServiceTransport constructor. 

609 If set to None, a transport is chosen automatically. 

610 client_options (Optional[Union[google.api_core.client_options.ClientOptions, dict]]): 

611 Custom options for the client. 

612 

613 1. The ``api_endpoint`` property can be used to override the 

614 default endpoint provided by the client when ``transport`` is 

615 not explicitly provided. Only if this property is not set and 

616 ``transport`` was not explicitly provided, the endpoint is 

617 determined by the GOOGLE_API_USE_MTLS_ENDPOINT environment 

618 variable, which have one of the following values: 

619 "always" (always use the default mTLS endpoint), "never" (always 

620 use the default regular endpoint) and "auto" (auto-switch to the 

621 default mTLS endpoint if client certificate is present; this is 

622 the default value). 

623 

624 2. If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable 

625 is "true", then the ``client_cert_source`` property can be used 

626 to provide a client certificate for mTLS transport. If 

627 not provided, the default SSL client certificate will be used if 

628 present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not 

629 set, no client certificate will be used. 

630 

631 3. The ``universe_domain`` property can be used to override the 

632 default "googleapis.com" universe. Note that the ``api_endpoint`` 

633 property still takes precedence; and ``universe_domain`` is 

634 currently not supported for mTLS. 

635 

636 client_info (google.api_core.gapic_v1.client_info.ClientInfo): 

637 The client info used to send a user-agent string along with 

638 API requests. If ``None``, then default info will be used. 

639 Generally, you only need to set this if you're developing 

640 your own client library. 

641 

642 Raises: 

643 google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport 

644 creation failed for any reason. 

645 """ 

646 self._client_options = client_options 

647 if isinstance(self._client_options, dict): 

648 self._client_options = client_options_lib.from_dict(self._client_options) 

649 if self._client_options is None: 

650 self._client_options = client_options_lib.ClientOptions() 

651 self._client_options = cast( 

652 client_options_lib.ClientOptions, self._client_options 

653 ) 

654 

655 universe_domain_opt = getattr(self._client_options, "universe_domain", None) 

656 

657 ( 

658 self._use_client_cert, 

659 self._use_mtls_endpoint, 

660 self._universe_domain_env, 

661 ) = SecretManagerServiceClient._read_environment_variables() 

662 self._client_cert_source = SecretManagerServiceClient._get_client_cert_source( 

663 self._client_options.client_cert_source, self._use_client_cert 

664 ) 

665 self._universe_domain = SecretManagerServiceClient._get_universe_domain( 

666 universe_domain_opt, self._universe_domain_env 

667 ) 

668 self._api_endpoint = None # updated below, depending on `transport` 

669 

670 # Initialize the universe domain validation. 

671 self._is_universe_domain_valid = False 

672 

673 if CLIENT_LOGGING_SUPPORTED: # pragma: NO COVER 

674 # Setup logging. 

675 client_logging.initialize_logging() 

676 

677 api_key_value = getattr(self._client_options, "api_key", None) 

678 if api_key_value and credentials: 

679 raise ValueError( 

680 "client_options.api_key and credentials are mutually exclusive" 

681 ) 

682 

683 # Save or instantiate the transport. 

684 # Ordinarily, we provide the transport, but allowing a custom transport 

685 # instance provides an extensibility point for unusual situations. 

686 transport_provided = isinstance(transport, SecretManagerServiceTransport) 

687 if transport_provided: 

688 # transport is a SecretManagerServiceTransport instance. 

689 if credentials or self._client_options.credentials_file or api_key_value: 

690 raise ValueError( 

691 "When providing a transport instance, " 

692 "provide its credentials directly." 

693 ) 

694 if self._client_options.scopes: 

695 raise ValueError( 

696 "When providing a transport instance, provide its scopes " 

697 "directly." 

698 ) 

699 self._transport = cast(SecretManagerServiceTransport, transport) 

700 self._api_endpoint = self._transport.host 

701 

702 self._api_endpoint = ( 

703 self._api_endpoint 

704 or SecretManagerServiceClient._get_api_endpoint( 

705 self._client_options.api_endpoint, 

706 self._client_cert_source, 

707 self._universe_domain, 

708 self._use_mtls_endpoint, 

709 ) 

710 ) 

711 

712 if not transport_provided: 

713 import google.auth._default # type: ignore 

714 

715 if api_key_value and hasattr( 

716 google.auth._default, "get_api_key_credentials" 

717 ): 

718 credentials = google.auth._default.get_api_key_credentials( 

719 api_key_value 

720 ) 

721 

722 transport_init: Union[ 

723 Type[SecretManagerServiceTransport], 

724 Callable[..., SecretManagerServiceTransport], 

725 ] = ( 

726 SecretManagerServiceClient.get_transport_class(transport) 

727 if isinstance(transport, str) or transport is None 

728 else cast(Callable[..., SecretManagerServiceTransport], transport) 

729 ) 

730 # initialize with the provided callable or the passed in class 

731 self._transport = transport_init( 

732 credentials=credentials, 

733 credentials_file=self._client_options.credentials_file, 

734 host=self._api_endpoint, 

735 scopes=self._client_options.scopes, 

736 client_cert_source_for_mtls=self._client_cert_source, 

737 quota_project_id=self._client_options.quota_project_id, 

738 client_info=client_info, 

739 always_use_jwt_access=True, 

740 api_audience=self._client_options.api_audience, 

741 ) 

742 

743 if "async" not in str(self._transport): 

744 if CLIENT_LOGGING_SUPPORTED and _LOGGER.isEnabledFor( 

745 std_logging.DEBUG 

746 ): # pragma: NO COVER 

747 _LOGGER.debug( 

748 "Created client `google.cloud.secrets_v1beta1.SecretManagerServiceClient`.", 

749 extra={ 

750 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

751 "universeDomain": getattr( 

752 self._transport._credentials, "universe_domain", "" 

753 ), 

754 "credentialsType": f"{type(self._transport._credentials).__module__}.{type(self._transport._credentials).__qualname__}", 

755 "credentialsInfo": getattr( 

756 self.transport._credentials, "get_cred_info", lambda: None 

757 )(), 

758 } 

759 if hasattr(self._transport, "_credentials") 

760 else { 

761 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

762 "credentialsType": None, 

763 }, 

764 ) 

765 

766 def list_secrets( 

767 self, 

768 request: Optional[Union[service.ListSecretsRequest, dict]] = None, 

769 *, 

770 parent: Optional[str] = None, 

771 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

772 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

773 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

774 ) -> pagers.ListSecretsPager: 

775 r"""Lists [Secrets][google.cloud.secrets.v1beta1.Secret]. 

776 

777 .. code-block:: python 

778 

779 # This snippet has been automatically generated and should be regarded as a 

780 # code template only. 

781 # It will require modifications to work: 

782 # - It may require correct/in-range values for request initialization. 

783 # - It may require specifying regional endpoints when creating the service 

784 # client as shown in: 

785 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

786 from google.cloud import secretmanager_v1beta1 

787 

788 def sample_list_secrets(): 

789 # Create a client 

790 client = secretmanager_v1beta1.SecretManagerServiceClient() 

791 

792 # Initialize request argument(s) 

793 request = secretmanager_v1beta1.ListSecretsRequest( 

794 parent="parent_value", 

795 ) 

796 

797 # Make the request 

798 page_result = client.list_secrets(request=request) 

799 

800 # Handle the response 

801 for response in page_result: 

802 print(response) 

803 

804 Args: 

805 request (Union[google.cloud.secretmanager_v1beta1.types.ListSecretsRequest, dict]): 

806 The request object. Request message for 

807 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

808 parent (str): 

809 Required. The resource name of the project associated 

810 with the [Secrets][google.cloud.secrets.v1beta1.Secret], 

811 in the format ``projects/*``. 

812 

813 This corresponds to the ``parent`` field 

814 on the ``request`` instance; if ``request`` is provided, this 

815 should not be set. 

816 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

817 should be retried. 

818 timeout (float): The timeout for this request. 

819 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

820 sent along with the request as metadata. Normally, each value must be of type `str`, 

821 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

822 be of type `bytes`. 

823 

824 Returns: 

825 google.cloud.secretmanager_v1beta1.services.secret_manager_service.pagers.ListSecretsPager: 

826 Response message for 

827 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

828 

829 Iterating over this object will yield results and 

830 resolve additional pages automatically. 

831 

832 """ 

833 # Create or coerce a protobuf request object. 

834 # - Quick check: If we got a request object, we should *not* have 

835 # gotten any keyword arguments that map to the request. 

836 flattened_params = [parent] 

837 has_flattened_params = ( 

838 len([param for param in flattened_params if param is not None]) > 0 

839 ) 

840 if request is not None and has_flattened_params: 

841 raise ValueError( 

842 "If the `request` argument is set, then none of " 

843 "the individual field arguments should be set." 

844 ) 

845 

846 # - Use the request object if provided (there's no risk of modifying the input as 

847 # there are no flattened fields), or create one. 

848 if not isinstance(request, service.ListSecretsRequest): 

849 request = service.ListSecretsRequest(request) 

850 # If we have keyword arguments corresponding to fields on the 

851 # request, apply these. 

852 if parent is not None: 

853 request.parent = parent 

854 

855 # Wrap the RPC method; this adds retry and timeout information, 

856 # and friendly error handling. 

857 rpc = self._transport._wrapped_methods[self._transport.list_secrets] 

858 

859 # Certain fields should be provided within the metadata header; 

860 # add these here. 

861 metadata = tuple(metadata) + ( 

862 gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), 

863 ) 

864 

865 # Validate the universe domain. 

866 self._validate_universe_domain() 

867 

868 # Send the request. 

869 response = rpc( 

870 request, 

871 retry=retry, 

872 timeout=timeout, 

873 metadata=metadata, 

874 ) 

875 

876 # This method is paged; wrap the response in a pager, which provides 

877 # an `__iter__` convenience method. 

878 response = pagers.ListSecretsPager( 

879 method=rpc, 

880 request=request, 

881 response=response, 

882 retry=retry, 

883 timeout=timeout, 

884 metadata=metadata, 

885 ) 

886 

887 # Done; return the response. 

888 return response 

889 

890 def create_secret( 

891 self, 

892 request: Optional[Union[service.CreateSecretRequest, dict]] = None, 

893 *, 

894 parent: Optional[str] = None, 

895 secret_id: Optional[str] = None, 

896 secret: Optional[resources.Secret] = None, 

897 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

898 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

899 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

900 ) -> resources.Secret: 

901 r"""Creates a new [Secret][google.cloud.secrets.v1beta1.Secret] 

902 containing no 

903 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion]. 

904 

905 .. code-block:: python 

906 

907 # This snippet has been automatically generated and should be regarded as a 

908 # code template only. 

909 # It will require modifications to work: 

910 # - It may require correct/in-range values for request initialization. 

911 # - It may require specifying regional endpoints when creating the service 

912 # client as shown in: 

913 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

914 from google.cloud import secretmanager_v1beta1 

915 

916 def sample_create_secret(): 

917 # Create a client 

918 client = secretmanager_v1beta1.SecretManagerServiceClient() 

919 

920 # Initialize request argument(s) 

921 request = secretmanager_v1beta1.CreateSecretRequest( 

922 parent="parent_value", 

923 secret_id="secret_id_value", 

924 ) 

925 

926 # Make the request 

927 response = client.create_secret(request=request) 

928 

929 # Handle the response 

930 print(response) 

931 

932 Args: 

933 request (Union[google.cloud.secretmanager_v1beta1.types.CreateSecretRequest, dict]): 

934 The request object. Request message for 

935 [SecretManagerService.CreateSecret][google.cloud.secrets.v1beta1.SecretManagerService.CreateSecret]. 

936 parent (str): 

937 Required. The resource name of the project to associate 

938 with the [Secret][google.cloud.secrets.v1beta1.Secret], 

939 in the format ``projects/*``. 

940 

941 This corresponds to the ``parent`` field 

942 on the ``request`` instance; if ``request`` is provided, this 

943 should not be set. 

944 secret_id (str): 

945 Required. This must be unique within the project. 

946 

947 A secret ID is a string with a maximum length of 255 

948 characters and can contain uppercase and lowercase 

949 letters, numerals, and the hyphen (``-``) and underscore 

950 (``_``) characters. 

951 

952 This corresponds to the ``secret_id`` field 

953 on the ``request`` instance; if ``request`` is provided, this 

954 should not be set. 

955 secret (google.cloud.secretmanager_v1beta1.types.Secret): 

956 Required. A 

957 [Secret][google.cloud.secrets.v1beta1.Secret] with 

958 initial field values. 

959 

960 This corresponds to the ``secret`` field 

961 on the ``request`` instance; if ``request`` is provided, this 

962 should not be set. 

963 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

964 should be retried. 

965 timeout (float): The timeout for this request. 

966 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

967 sent along with the request as metadata. Normally, each value must be of type `str`, 

968 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

969 be of type `bytes`. 

970 

971 Returns: 

972 google.cloud.secretmanager_v1beta1.types.Secret: 

973 A [Secret][google.cloud.secrets.v1beta1.Secret] is a logical secret whose 

974 value and versions can be accessed. 

975 

976 A [Secret][google.cloud.secrets.v1beta1.Secret] is 

977 made up of zero or more 

978 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] 

979 that represent the secret data. 

980 

981 """ 

982 # Create or coerce a protobuf request object. 

983 # - Quick check: If we got a request object, we should *not* have 

984 # gotten any keyword arguments that map to the request. 

985 flattened_params = [parent, secret_id, secret] 

986 has_flattened_params = ( 

987 len([param for param in flattened_params if param is not None]) > 0 

988 ) 

989 if request is not None and has_flattened_params: 

990 raise ValueError( 

991 "If the `request` argument is set, then none of " 

992 "the individual field arguments should be set." 

993 ) 

994 

995 # - Use the request object if provided (there's no risk of modifying the input as 

996 # there are no flattened fields), or create one. 

997 if not isinstance(request, service.CreateSecretRequest): 

998 request = service.CreateSecretRequest(request) 

999 # If we have keyword arguments corresponding to fields on the 

1000 # request, apply these. 

1001 if parent is not None: 

1002 request.parent = parent 

1003 if secret_id is not None: 

1004 request.secret_id = secret_id 

1005 if secret is not None: