Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py: 42%

1# -*- coding: utf-8 -*- 

2# Copyright 2025 Google LLC 

3# 

4# Licensed under the Apache License, Version 2.0 (the "License"); 

5# you may not use this file except in compliance with the License. 

6# You may obtain a copy of the License at 

7# 

8# http://www.apache.org/licenses/LICENSE-2.0 

9# 

10# Unless required by applicable law or agreed to in writing, software 

11# distributed under the License is distributed on an "AS IS" BASIS, 

12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 

13# See the License for the specific language governing permissions and 

14# limitations under the License. 

15# 

16import json 

17import logging as std_logging 

18import os 

19import re 

20import warnings 

21from collections import OrderedDict 

22from http import HTTPStatus 

23from typing import ( 

24 Callable, 

25 Dict, 

26 Mapping, 

27 MutableMapping, 

28 MutableSequence, 

29 Optional, 

30 Sequence, 

31 Tuple, 

32 Type, 

33 Union, 

34 cast, 

35) 

36 

37import google.protobuf 

38from google.api_core import client_options as client_options_lib 

39from google.api_core import exceptions as core_exceptions 

40from google.api_core import gapic_v1 

41from google.api_core import retry as retries 

42from google.auth import credentials as ga_credentials # type: ignore 

43from google.auth.exceptions import MutualTLSChannelError # type: ignore 

44from google.auth.transport import mtls # type: ignore 

45from google.auth.transport.grpc import SslCredentials # type: ignore 

46from google.oauth2 import service_account # type: ignore 

47 

48from google.cloud.secretmanager_v1beta1 import gapic_version as package_version 

49 

50try: 

51 OptionalRetry = Union[retries.Retry, gapic_v1.method._MethodDefault, None] 

52except AttributeError: # pragma: NO COVER 

53 OptionalRetry = Union[retries.Retry, object, None] # type: ignore 

54 

55try: 

56 from google.api_core import client_logging # type: ignore 

57 

58 CLIENT_LOGGING_SUPPORTED = True # pragma: NO COVER 

59except ImportError: # pragma: NO COVER 

60 CLIENT_LOGGING_SUPPORTED = False 

61 

62_LOGGER = std_logging.getLogger(__name__) 

63 

64import google.iam.v1.iam_policy_pb2 as iam_policy_pb2 # type: ignore 

65import google.iam.v1.policy_pb2 as policy_pb2 # type: ignore 

66import google.protobuf.field_mask_pb2 as field_mask_pb2 # type: ignore 

67import google.protobuf.timestamp_pb2 as timestamp_pb2 # type: ignore 

68from google.cloud.location import locations_pb2 # type: ignore 

69 

70from google.cloud.secretmanager_v1beta1.services.secret_manager_service import pagers 

71from google.cloud.secretmanager_v1beta1.types import resources, service 

72 

73from .transports.base import DEFAULT_CLIENT_INFO, SecretManagerServiceTransport 

74from .transports.grpc import SecretManagerServiceGrpcTransport 

75from .transports.grpc_asyncio import SecretManagerServiceGrpcAsyncIOTransport 

76from .transports.rest import SecretManagerServiceRestTransport 

77 

78 

79class SecretManagerServiceClientMeta(type): 

80 """Metaclass for the SecretManagerService client. 

81 

82 This provides class-level methods for building and retrieving 

83 support objects (e.g. transport) without polluting the client instance 

84 objects. 

85 """ 

86 

87 _transport_registry = OrderedDict() # type: Dict[str, Type[SecretManagerServiceTransport]] 

88 _transport_registry["grpc"] = SecretManagerServiceGrpcTransport 

89 _transport_registry["grpc_asyncio"] = SecretManagerServiceGrpcAsyncIOTransport 

90 _transport_registry["rest"] = SecretManagerServiceRestTransport 

91 

92 def get_transport_class( 

93 cls, 

94 label: Optional[str] = None, 

95 ) -> Type[SecretManagerServiceTransport]: 

96 """Returns an appropriate transport class. 

97 

98 Args: 

99 label: The name of the desired transport. If none is 

100 provided, then the first transport in the registry is used. 

101 

102 Returns: 

103 The transport class to use. 

104 """ 

105 # If a specific transport is requested, return that one. 

106 if label: 

107 return cls._transport_registry[label] 

108 

109 # No transport is requested; return the default (that is, the first one 

110 # in the dictionary). 

111 return next(iter(cls._transport_registry.values())) 

112 

113 

114class SecretManagerServiceClient(metaclass=SecretManagerServiceClientMeta): 

115 """Secret Manager Service 

116 

117 Manages secrets and operations using those secrets. Implements a 

118 REST model with the following objects: 

119 

120 - [Secret][google.cloud.secrets.v1beta1.Secret] 

121 - [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] 

122 """ 

123 

124 @staticmethod 

125 def _get_default_mtls_endpoint(api_endpoint): 

126 """Converts api endpoint to mTLS endpoint. 

127 

128 Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to 

129 "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. 

130 Args: 

131 api_endpoint (Optional[str]): the api endpoint to convert. 

132 Returns: 

133 str: converted mTLS api endpoint. 

134 """ 

135 if not api_endpoint: 

136 return api_endpoint 

137 

138 mtls_endpoint_re = re.compile( 

139 r"(?P<name>[^.]+)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?(?P<googledomain>\.googleapis\.com)?" 

140 ) 

141 

142 m = mtls_endpoint_re.match(api_endpoint) 

143 name, mtls, sandbox, googledomain = m.groups() 

144 if mtls or not googledomain: 

145 return api_endpoint 

146 

147 if sandbox: 

148 return api_endpoint.replace( 

149 "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" 

150 ) 

151 

152 return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") 

153 

154 # Note: DEFAULT_ENDPOINT is deprecated. Use _DEFAULT_ENDPOINT_TEMPLATE instead. 

155 DEFAULT_ENDPOINT = "secretmanager.googleapis.com" 

156 DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore 

157 DEFAULT_ENDPOINT 

158 ) 

159 

160 _DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}" 

161 _DEFAULT_UNIVERSE = "googleapis.com" 

162 

163 @staticmethod 

164 def _use_client_cert_effective(): 

165 """Returns whether client certificate should be used for mTLS if the 

166 google-auth version supports should_use_client_cert automatic mTLS enablement. 

167 

168 Alternatively, read from the GOOGLE_API_USE_CLIENT_CERTIFICATE env var. 

169 

170 Returns: 

171 bool: whether client certificate should be used for mTLS 

172 Raises: 

173 ValueError: (If using a version of google-auth without should_use_client_cert and 

174 GOOGLE_API_USE_CLIENT_CERTIFICATE is set to an unexpected value.) 

175 """ 

176 # check if google-auth version supports should_use_client_cert for automatic mTLS enablement 

177 if hasattr(mtls, "should_use_client_cert"): # pragma: NO COVER 

178 return mtls.should_use_client_cert() 

179 else: # pragma: NO COVER 

180 # if unsupported, fallback to reading from env var 

181 use_client_cert_str = os.getenv( 

182 "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false" 

183 ).lower() 

184 if use_client_cert_str not in ("true", "false"): 

185 raise ValueError( 

186 "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be" 

187 " either `true` or `false`" 

188 ) 

189 return use_client_cert_str == "true" 

190 

191 @classmethod 

192 def from_service_account_info(cls, info: dict, *args, **kwargs): 

193 """Creates an instance of this client using the provided credentials 

194 info. 

195 

196 Args: 

197 info (dict): The service account private key info. 

198 args: Additional arguments to pass to the constructor. 

199 kwargs: Additional arguments to pass to the constructor. 

200 

201 Returns: 

202 SecretManagerServiceClient: The constructed client. 

203 """ 

204 credentials = service_account.Credentials.from_service_account_info(info) 

205 kwargs["credentials"] = credentials 

206 return cls(*args, **kwargs) 

207 

208 @classmethod 

209 def from_service_account_file(cls, filename: str, *args, **kwargs): 

210 """Creates an instance of this client using the provided credentials 

211 file. 

212 

213 Args: 

214 filename (str): The path to the service account private key json 

215 file. 

216 args: Additional arguments to pass to the constructor. 

217 kwargs: Additional arguments to pass to the constructor. 

218 

219 Returns: 

220 SecretManagerServiceClient: The constructed client. 

221 """ 

222 credentials = service_account.Credentials.from_service_account_file(filename) 

223 kwargs["credentials"] = credentials 

224 return cls(*args, **kwargs) 

225 

226 from_service_account_json = from_service_account_file 

227 

228 @property 

229 def transport(self) -> SecretManagerServiceTransport: 

230 """Returns the transport used by the client instance. 

231 

232 Returns: 

233 SecretManagerServiceTransport: The transport used by the client 

234 instance. 

235 """ 

236 return self._transport 

237 

238 @staticmethod 

239 def secret_path( 

240 project: str, 

241 secret: str, 

242 ) -> str: 

243 """Returns a fully-qualified secret string.""" 

244 return "projects/{project}/secrets/{secret}".format( 

245 project=project, 

246 secret=secret, 

247 ) 

248 

249 @staticmethod 

250 def parse_secret_path(path: str) -> Dict[str, str]: 

251 """Parses a secret path into its component segments.""" 

252 m = re.match(r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)$", path) 

253 return m.groupdict() if m else {} 

254 

255 @staticmethod 

256 def secret_version_path( 

257 project: str, 

258 secret: str, 

259 secret_version: str, 

260 ) -> str: 

261 """Returns a fully-qualified secret_version string.""" 

262 return "projects/{project}/secrets/{secret}/versions/{secret_version}".format( 

263 project=project, 

264 secret=secret, 

265 secret_version=secret_version, 

266 ) 

267 

268 @staticmethod 

269 def parse_secret_version_path(path: str) -> Dict[str, str]: 

270 """Parses a secret_version path into its component segments.""" 

271 m = re.match( 

272 r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)/versions/(?P<secret_version>.+?)$", 

273 path, 

274 ) 

275 return m.groupdict() if m else {} 

276 

277 @staticmethod 

278 def common_billing_account_path( 

279 billing_account: str, 

280 ) -> str: 

281 """Returns a fully-qualified billing_account string.""" 

282 return "billingAccounts/{billing_account}".format( 

283 billing_account=billing_account, 

284 ) 

285 

286 @staticmethod 

287 def parse_common_billing_account_path(path: str) -> Dict[str, str]: 

288 """Parse a billing_account path into its component segments.""" 

289 m = re.match(r"^billingAccounts/(?P<billing_account>.+?)$", path) 

290 return m.groupdict() if m else {} 

291 

292 @staticmethod 

293 def common_folder_path( 

294 folder: str, 

295 ) -> str: 

296 """Returns a fully-qualified folder string.""" 

297 return "folders/{folder}".format( 

298 folder=folder, 

299 ) 

300 

301 @staticmethod 

302 def parse_common_folder_path(path: str) -> Dict[str, str]: 

303 """Parse a folder path into its component segments.""" 

304 m = re.match(r"^folders/(?P<folder>.+?)$", path) 

305 return m.groupdict() if m else {} 

306 

307 @staticmethod 

308 def common_organization_path( 

309 organization: str, 

310 ) -> str: 

311 """Returns a fully-qualified organization string.""" 

312 return "organizations/{organization}".format( 

313 organization=organization, 

314 ) 

315 

316 @staticmethod 

317 def parse_common_organization_path(path: str) -> Dict[str, str]: 

318 """Parse a organization path into its component segments.""" 

319 m = re.match(r"^organizations/(?P<organization>.+?)$", path) 

320 return m.groupdict() if m else {} 

321 

322 @staticmethod 

323 def common_project_path( 

324 project: str, 

325 ) -> str: 

326 """Returns a fully-qualified project string.""" 

327 return "projects/{project}".format( 

328 project=project, 

329 ) 

330 

331 @staticmethod 

332 def parse_common_project_path(path: str) -> Dict[str, str]: 

333 """Parse a project path into its component segments.""" 

334 m = re.match(r"^projects/(?P<project>.+?)$", path) 

335 return m.groupdict() if m else {} 

336 

337 @staticmethod 

338 def common_location_path( 

339 project: str, 

340 location: str, 

341 ) -> str: 

342 """Returns a fully-qualified location string.""" 

343 return "projects/{project}/locations/{location}".format( 

344 project=project, 

345 location=location, 

346 ) 

347 

348 @staticmethod 

349 def parse_common_location_path(path: str) -> Dict[str, str]: 

350 """Parse a location path into its component segments.""" 

351 m = re.match(r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)$", path) 

352 return m.groupdict() if m else {} 

353 

354 @classmethod 

355 def get_mtls_endpoint_and_cert_source( 

356 cls, client_options: Optional[client_options_lib.ClientOptions] = None 

357 ): 

358 """Deprecated. Return the API endpoint and client cert source for mutual TLS. 

359 

360 The client cert source is determined in the following order: 

361 (1) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not "true", the 

362 client cert source is None. 

363 (2) if `client_options.client_cert_source` is provided, use the provided one; if the 

364 default client cert source exists, use the default one; otherwise the client cert 

365 source is None. 

366 

367 The API endpoint is determined in the following order: 

368 (1) if `client_options.api_endpoint` if provided, use the provided one. 

369 (2) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is "always", use the 

370 default mTLS endpoint; if the environment variable is "never", use the default API 

371 endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise 

372 use the default API endpoint. 

373 

374 More details can be found at https://google.aip.dev/auth/4114. 

375 

376 Args: 

377 client_options (google.api_core.client_options.ClientOptions): Custom options for the 

378 client. Only the `api_endpoint` and `client_cert_source` properties may be used 

379 in this method. 

380 

381 Returns: 

382 Tuple[str, Callable[[], Tuple[bytes, bytes]]]: returns the API endpoint and the 

383 client cert source to use. 

384 

385 Raises: 

386 google.auth.exceptions.MutualTLSChannelError: If any errors happen. 

387 """ 

388 

389 warnings.warn( 

390 "get_mtls_endpoint_and_cert_source is deprecated. Use the api_endpoint property instead.", 

391 DeprecationWarning, 

392 ) 

393 if client_options is None: 

394 client_options = client_options_lib.ClientOptions() 

395 use_client_cert = SecretManagerServiceClient._use_client_cert_effective() 

396 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") 

397 if use_mtls_endpoint not in ("auto", "never", "always"): 

398 raise MutualTLSChannelError( 

399 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

400 ) 

401 

402 # Figure out the client cert source to use. 

403 client_cert_source = None 

404 if use_client_cert: 

405 if client_options.client_cert_source: 

406 client_cert_source = client_options.client_cert_source 

407 elif mtls.has_default_client_cert_source(): 

408 client_cert_source = mtls.default_client_cert_source() 

409 

410 # Figure out which api endpoint to use. 

411 if client_options.api_endpoint is not None: 

412 api_endpoint = client_options.api_endpoint 

413 elif use_mtls_endpoint == "always" or ( 

414 use_mtls_endpoint == "auto" and client_cert_source 

415 ): 

416 api_endpoint = cls.DEFAULT_MTLS_ENDPOINT 

417 else: 

418 api_endpoint = cls.DEFAULT_ENDPOINT 

419 

420 return api_endpoint, client_cert_source 

421 

422 @staticmethod 

423 def _read_environment_variables(): 

424 """Returns the environment variables used by the client. 

425 

426 Returns: 

427 Tuple[bool, str, str]: returns the GOOGLE_API_USE_CLIENT_CERTIFICATE, 

428 GOOGLE_API_USE_MTLS_ENDPOINT, and GOOGLE_CLOUD_UNIVERSE_DOMAIN environment variables. 

429 

430 Raises: 

431 ValueError: If GOOGLE_API_USE_CLIENT_CERTIFICATE is not 

432 any of ["true", "false"]. 

433 google.auth.exceptions.MutualTLSChannelError: If GOOGLE_API_USE_MTLS_ENDPOINT 

434 is not any of ["auto", "never", "always"]. 

435 """ 

436 use_client_cert = SecretManagerServiceClient._use_client_cert_effective() 

437 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto").lower() 

438 universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN") 

439 if use_mtls_endpoint not in ("auto", "never", "always"): 

440 raise MutualTLSChannelError( 

441 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

442 ) 

443 return use_client_cert, use_mtls_endpoint, universe_domain_env 

444 

445 @staticmethod 

446 def _get_client_cert_source(provided_cert_source, use_cert_flag): 

447 """Return the client cert source to be used by the client. 

448 

449 Args: 

450 provided_cert_source (bytes): The client certificate source provided. 

451 use_cert_flag (bool): A flag indicating whether to use the client certificate. 

452 

453 Returns: 

454 bytes or None: The client cert source to be used by the client. 

455 """ 

456 client_cert_source = None 

457 if use_cert_flag: 

458 if provided_cert_source: 

459 client_cert_source = provided_cert_source 

460 elif mtls.has_default_client_cert_source(): 

461 client_cert_source = mtls.default_client_cert_source() 

462 return client_cert_source 

463 

464 @staticmethod 

465 def _get_api_endpoint( 

466 api_override, client_cert_source, universe_domain, use_mtls_endpoint 

467 ): 

468 """Return the API endpoint used by the client. 

469 

470 Args: 

471 api_override (str): The API endpoint override. If specified, this is always 

472 the return value of this function and the other arguments are not used. 

473 client_cert_source (bytes): The client certificate source used by the client. 

474 universe_domain (str): The universe domain used by the client. 

475 use_mtls_endpoint (str): How to use the mTLS endpoint, which depends also on the other parameters. 

476 Possible values are "always", "auto", or "never". 

477 

478 Returns: 

479 str: The API endpoint to be used by the client. 

480 """ 

481 if api_override is not None: 

482 api_endpoint = api_override 

483 elif use_mtls_endpoint == "always" or ( 

484 use_mtls_endpoint == "auto" and client_cert_source 

485 ): 

486 _default_universe = SecretManagerServiceClient._DEFAULT_UNIVERSE 

487 if universe_domain != _default_universe: 

488 raise MutualTLSChannelError( 

489 f"mTLS is not supported in any universe other than {_default_universe}." 

490 ) 

491 api_endpoint = SecretManagerServiceClient.DEFAULT_MTLS_ENDPOINT 

492 else: 

493 api_endpoint = SecretManagerServiceClient._DEFAULT_ENDPOINT_TEMPLATE.format( 

494 UNIVERSE_DOMAIN=universe_domain 

495 ) 

496 return api_endpoint 

497 

498 @staticmethod 

499 def _get_universe_domain( 

500 client_universe_domain: Optional[str], universe_domain_env: Optional[str] 

501 ) -> str: 

502 """Return the universe domain used by the client. 

503 

504 Args: 

505 client_universe_domain (Optional[str]): The universe domain configured via the client options. 

506 universe_domain_env (Optional[str]): The universe domain configured via the "GOOGLE_CLOUD_UNIVERSE_DOMAIN" environment variable. 

507 

508 Returns: 

509 str: The universe domain to be used by the client. 

510 

511 Raises: 

512 ValueError: If the universe domain is an empty string. 

513 """ 

514 universe_domain = SecretManagerServiceClient._DEFAULT_UNIVERSE 

515 if client_universe_domain is not None: 

516 universe_domain = client_universe_domain 

517 elif universe_domain_env is not None: 

518 universe_domain = universe_domain_env 

519 if len(universe_domain.strip()) == 0: 

520 raise ValueError("Universe Domain cannot be an empty string.") 

521 return universe_domain 

522 

523 def _validate_universe_domain(self): 

524 """Validates client's and credentials' universe domains are consistent. 

525 

526 Returns: 

527 bool: True iff the configured universe domain is valid. 

528 

529 Raises: 

530 ValueError: If the configured universe domain is not valid. 

531 """ 

532 

533 # NOTE (b/349488459): universe validation is disabled until further notice. 

534 return True 

535 

536 def _add_cred_info_for_auth_errors( 

537 self, error: core_exceptions.GoogleAPICallError 

538 ) -> None: 

539 """Adds credential info string to error details for 401/403/404 errors. 

540 

541 Args: 

542 error (google.api_core.exceptions.GoogleAPICallError): The error to add the cred info. 

543 """ 

544 if error.code not in [ 

545 HTTPStatus.UNAUTHORIZED, 

546 HTTPStatus.FORBIDDEN, 

547 HTTPStatus.NOT_FOUND, 

548 ]: 

549 return 

550 

551 cred = self._transport._credentials 

552 

553 # get_cred_info is only available in google-auth>=2.35.0 

554 if not hasattr(cred, "get_cred_info"): 

555 return 

556 

557 # ignore the type check since pypy test fails when get_cred_info 

558 # is not available 

559 cred_info = cred.get_cred_info() # type: ignore 

560 if cred_info and hasattr(error._details, "append"): 

561 error._details.append(json.dumps(cred_info)) 

562 

563 @property 

564 def api_endpoint(self): 

565 """Return the API endpoint used by the client instance. 

566 

567 Returns: 

568 str: The API endpoint used by the client instance. 

569 """ 

570 return self._api_endpoint 

571 

572 @property 

573 def universe_domain(self) -> str: 

574 """Return the universe domain used by the client instance. 

575 

576 Returns: 

577 str: The universe domain used by the client instance. 

578 """ 

579 return self._universe_domain 

580 

581 def __init__( 

582 self, 

583 *, 

584 credentials: Optional[ga_credentials.Credentials] = None, 

585 transport: Optional[ 

586 Union[ 

587 str, 

588 SecretManagerServiceTransport, 

589 Callable[..., SecretManagerServiceTransport], 

590 ] 

591 ] = None, 

592 client_options: Optional[Union[client_options_lib.ClientOptions, dict]] = None, 

593 client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, 

594 ) -> None: 

595 """Instantiates the secret manager service client. 

596 

597 Args: 

598 credentials (Optional[google.auth.credentials.Credentials]): The 

599 authorization credentials to attach to requests. These 

600 credentials identify the application to the service; if none 

601 are specified, the client will attempt to ascertain the 

602 credentials from the environment. 

603 transport (Optional[Union[str,SecretManagerServiceTransport,Callable[..., SecretManagerServiceTransport]]]): 

604 The transport to use, or a Callable that constructs and returns a new transport. 

605 If a Callable is given, it will be called with the same set of initialization 

606 arguments as used in the SecretManagerServiceTransport constructor. 

607 If set to None, a transport is chosen automatically. 

608 client_options (Optional[Union[google.api_core.client_options.ClientOptions, dict]]): 

609 Custom options for the client. 

610 

611 1. The ``api_endpoint`` property can be used to override the 

612 default endpoint provided by the client when ``transport`` is 

613 not explicitly provided. Only if this property is not set and 

614 ``transport`` was not explicitly provided, the endpoint is 

615 determined by the GOOGLE_API_USE_MTLS_ENDPOINT environment 

616 variable, which have one of the following values: 

617 "always" (always use the default mTLS endpoint), "never" (always 

618 use the default regular endpoint) and "auto" (auto-switch to the 

619 default mTLS endpoint if client certificate is present; this is 

620 the default value). 

621 

622 2. If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable 

623 is "true", then the ``client_cert_source`` property can be used 

624 to provide a client certificate for mTLS transport. If 

625 not provided, the default SSL client certificate will be used if 

626 present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not 

627 set, no client certificate will be used. 

628 

629 3. The ``universe_domain`` property can be used to override the 

630 default "googleapis.com" universe. Note that the ``api_endpoint`` 

631 property still takes precedence; and ``universe_domain`` is 

632 currently not supported for mTLS. 

633 

634 client_info (google.api_core.gapic_v1.client_info.ClientInfo): 

635 The client info used to send a user-agent string along with 

636 API requests. If ``None``, then default info will be used. 

637 Generally, you only need to set this if you're developing 

638 your own client library. 

639 

640 Raises: 

641 google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport 

642 creation failed for any reason. 

643 """ 

644 self._client_options = client_options 

645 if isinstance(self._client_options, dict): 

646 self._client_options = client_options_lib.from_dict(self._client_options) 

647 if self._client_options is None: 

648 self._client_options = client_options_lib.ClientOptions() 

649 self._client_options = cast( 

650 client_options_lib.ClientOptions, self._client_options 

651 ) 

652 

653 universe_domain_opt = getattr(self._client_options, "universe_domain", None) 

654 

655 self._use_client_cert, self._use_mtls_endpoint, self._universe_domain_env = ( 

656 SecretManagerServiceClient._read_environment_variables() 

657 ) 

658 self._client_cert_source = SecretManagerServiceClient._get_client_cert_source( 

659 self._client_options.client_cert_source, self._use_client_cert 

660 ) 

661 self._universe_domain = SecretManagerServiceClient._get_universe_domain( 

662 universe_domain_opt, self._universe_domain_env 

663 ) 

664 self._api_endpoint = None # updated below, depending on `transport` 

665 

666 # Initialize the universe domain validation. 

667 self._is_universe_domain_valid = False 

668 

669 if CLIENT_LOGGING_SUPPORTED: # pragma: NO COVER 

670 # Setup logging. 

671 client_logging.initialize_logging() 

672 

673 api_key_value = getattr(self._client_options, "api_key", None) 

674 if api_key_value and credentials: 

675 raise ValueError( 

676 "client_options.api_key and credentials are mutually exclusive" 

677 ) 

678 

679 # Save or instantiate the transport. 

680 # Ordinarily, we provide the transport, but allowing a custom transport 

681 # instance provides an extensibility point for unusual situations. 

682 transport_provided = isinstance(transport, SecretManagerServiceTransport) 

683 if transport_provided: 

684 # transport is a SecretManagerServiceTransport instance. 

685 if credentials or self._client_options.credentials_file or api_key_value: 

686 raise ValueError( 

687 "When providing a transport instance, " 

688 "provide its credentials directly." 

689 ) 

690 if self._client_options.scopes: 

691 raise ValueError( 

692 "When providing a transport instance, provide its scopes directly." 

693 ) 

694 self._transport = cast(SecretManagerServiceTransport, transport) 

695 self._api_endpoint = self._transport.host 

696 

697 self._api_endpoint = ( 

698 self._api_endpoint 

699 or SecretManagerServiceClient._get_api_endpoint( 

700 self._client_options.api_endpoint, 

701 self._client_cert_source, 

702 self._universe_domain, 

703 self._use_mtls_endpoint, 

704 ) 

705 ) 

706 

707 if not transport_provided: 

708 import google.auth._default # type: ignore 

709 

710 if api_key_value and hasattr( 

711 google.auth._default, "get_api_key_credentials" 

712 ): 

713 credentials = google.auth._default.get_api_key_credentials( 

714 api_key_value 

715 ) 

716 

717 transport_init: Union[ 

718 Type[SecretManagerServiceTransport], 

719 Callable[..., SecretManagerServiceTransport], 

720 ] = ( 

721 SecretManagerServiceClient.get_transport_class(transport) 

722 if isinstance(transport, str) or transport is None 

723 else cast(Callable[..., SecretManagerServiceTransport], transport) 

724 ) 

725 # initialize with the provided callable or the passed in class 

726 self._transport = transport_init( 

727 credentials=credentials, 

728 credentials_file=self._client_options.credentials_file, 

729 host=self._api_endpoint, 

730 scopes=self._client_options.scopes, 

731 client_cert_source_for_mtls=self._client_cert_source, 

732 quota_project_id=self._client_options.quota_project_id, 

733 client_info=client_info, 

734 always_use_jwt_access=True, 

735 api_audience=self._client_options.api_audience, 

736 ) 

737 

738 if "async" not in str(self._transport): 

739 if CLIENT_LOGGING_SUPPORTED and _LOGGER.isEnabledFor( 

740 std_logging.DEBUG 

741 ): # pragma: NO COVER 

742 _LOGGER.debug( 

743 "Created client `google.cloud.secrets_v1beta1.SecretManagerServiceClient`.", 

744 extra={ 

745 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

746 "universeDomain": getattr( 

747 self._transport._credentials, "universe_domain", "" 

748 ), 

749 "credentialsType": f"{type(self._transport._credentials).__module__}.{type(self._transport._credentials).__qualname__}", 

750 "credentialsInfo": getattr( 

751 self.transport._credentials, "get_cred_info", lambda: None 

752 )(), 

753 } 

754 if hasattr(self._transport, "_credentials") 

755 else { 

756 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

757 "credentialsType": None, 

758 }, 

759 ) 

760 

761 def list_secrets( 

762 self, 

763 request: Optional[Union[service.ListSecretsRequest, dict]] = None, 

764 *, 

765 parent: Optional[str] = None, 

766 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

767 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

768 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

769 ) -> pagers.ListSecretsPager: 

770 r"""Lists [Secrets][google.cloud.secrets.v1beta1.Secret]. 

771 

772 .. code-block:: python 

773 

774 # This snippet has been automatically generated and should be regarded as a 

775 # code template only. 

776 # It will require modifications to work: 

777 # - It may require correct/in-range values for request initialization. 

778 # - It may require specifying regional endpoints when creating the service 

779 # client as shown in: 

780 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

781 from google.cloud import secretmanager_v1beta1 

782 

783 def sample_list_secrets(): 

784 # Create a client 

785 client = secretmanager_v1beta1.SecretManagerServiceClient() 

786 

787 # Initialize request argument(s) 

788 request = secretmanager_v1beta1.ListSecretsRequest( 

789 parent="parent_value", 

790 ) 

791 

792 # Make the request 

793 page_result = client.list_secrets(request=request) 

794 

795 # Handle the response 

796 for response in page_result: 

797 print(response) 

798 

799 Args: 

800 request (Union[google.cloud.secretmanager_v1beta1.types.ListSecretsRequest, dict]): 

801 The request object. Request message for 

802 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

803 parent (str): 

804 Required. The resource name of the project associated 

805 with the [Secrets][google.cloud.secrets.v1beta1.Secret], 

806 in the format ``projects/*``. 

807 

808 This corresponds to the ``parent`` field 

809 on the ``request`` instance; if ``request`` is provided, this 

810 should not be set. 

811 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

812 should be retried. 

813 timeout (float): The timeout for this request. 

814 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

815 sent along with the request as metadata. Normally, each value must be of type `str`, 

816 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

817 be of type `bytes`. 

818 

819 Returns: 

820 google.cloud.secretmanager_v1beta1.services.secret_manager_service.pagers.ListSecretsPager: 

821 Response message for 

822 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

823 

824 Iterating over this object will yield results and 

825 resolve additional pages automatically. 

826 

827 """ 

828 # Create or coerce a protobuf request object. 

829 # - Quick check: If we got a request object, we should *not* have 

830 # gotten any keyword arguments that map to the request. 

831 flattened_params = [parent] 

832 has_flattened_params = ( 

833 len([param for param in flattened_params if param is not None]) > 0 

834 ) 

835 if request is not None and has_flattened_params: 

836 raise ValueError( 

837 "If the `request` argument is set, then none of " 

838 "the individual field arguments should be set." 

839 ) 

840 

841 # - Use the request object if provided (there's no risk of modifying the input as 

842 # there are no flattened fields), or create one. 

843 if not isinstance(request, service.ListSecretsRequest): 

844 request = service.ListSecretsRequest(request) 

845 # If we have keyword arguments corresponding to fields on the 

846 # request, apply these. 

847 if parent is not None: 

848 request.parent = parent 

849 

850 # Wrap the RPC method; this adds retry and timeout information, 

851 # and friendly error handling. 

852 rpc = self._transport._wrapped_methods[self._transport.list_secrets] 

853 

854 # Certain fields should be provided within the metadata header; 

855 # add these here. 

856 metadata = tuple(metadata) + ( 

857 gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), 

858 ) 

859 

860 # Validate the universe domain. 

861 self._validate_universe_domain() 

862 

863 # Send the request. 

864 response = rpc( 

865 request, 

866 retry=retry, 

867 timeout=timeout, 

868 metadata=metadata, 

869 ) 

870 

871 # This method is paged; wrap the response in a pager, which provides 

872 # an `__iter__` convenience method. 

873 response = pagers.ListSecretsPager( 

874 method=rpc, 

875 request=request, 

876 response=response, 

877 retry=retry, 

878 timeout=timeout, 

879 metadata=metadata, 

880 ) 

881 

882 # Done; return the response. 

883 return response 

884 

885 def create_secret( 

886 self, 

887 request: Optional[Union[service.CreateSecretRequest, dict]] = None, 

888 *, 

889 parent: Optional[str] = None, 

890 secret_id: Optional[str] = None, 

891 secret: Optional[resources.Secret] = None, 

892 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

893 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

894 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

895 ) -> resources.Secret: 

896 r"""Creates a new [Secret][google.cloud.secrets.v1beta1.Secret] 

897 containing no 

898 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion]. 

899 

900 .. code-block:: python 

901 

902 # This snippet has been automatically generated and should be regarded as a 

903 # code template only. 

904 # It will require modifications to work: 

905 # - It may require correct/in-range values for request initialization. 

906 # - It may require specifying regional endpoints when creating the service 

907 # client as shown in: 

908 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

909 from google.cloud import secretmanager_v1beta1 

910 

911 def sample_create_secret(): 

912 # Create a client 

913 client = secretmanager_v1beta1.SecretManagerServiceClient() 

914 

915 # Initialize request argument(s) 

916 request = secretmanager_v1beta1.CreateSecretRequest( 

917 parent="parent_value", 

918 secret_id="secret_id_value", 

919 ) 

920 

921 # Make the request 

922 response = client.create_secret(request=request) 

923 

924 # Handle the response 

925 print(response) 

926 

927 Args: 

928 request (Union[google.cloud.secretmanager_v1beta1.types.CreateSecretRequest, dict]): 

929 The request object. Request message for 

930 [SecretManagerService.CreateSecret][google.cloud.secrets.v1beta1.SecretManagerService.CreateSecret]. 

931 parent (str): 

932 Required. The resource name of the project to associate 

933 with the [Secret][google.cloud.secrets.v1beta1.Secret], 

934 in the format ``projects/*``. 

935 

936 This corresponds to the ``parent`` field 

937 on the ``request`` instance; if ``request`` is provided, this 

938 should not be set. 

939 secret_id (str): 

940 Required. This must be unique within the project. 

941 

942 A secret ID is a string with a maximum length of 255 

943 characters and can contain uppercase and lowercase 

944 letters, numerals, and the hyphen (``-``) and underscore 

945 (``_``) characters. 

946 

947 This corresponds to the ``secret_id`` field 

948 on the ``request`` instance; if ``request`` is provided, this 

949 should not be set. 

950 secret (google.cloud.secretmanager_v1beta1.types.Secret): 

951 Required. A 

952 [Secret][google.cloud.secrets.v1beta1.Secret] with 

953 initial field values. 

954 

955 This corresponds to the ``secret`` field 

956 on the ``request`` instance; if ``request`` is provided, this 

957 should not be set. 

958 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

959 should be retried. 

960 timeout (float): The timeout for this request. 

961 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

962 sent along with the request as metadata. Normally, each value must be of type `str`, 

963 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

964 be of type `bytes`. 

965 

966 Returns: 

967 google.cloud.secretmanager_v1beta1.types.Secret: 

968 A [Secret][google.cloud.secrets.v1beta1.Secret] is a logical secret whose 

969 value and versions can be accessed. 

970 

971 A [Secret][google.cloud.secrets.v1beta1.Secret] is 

972 made up of zero or more 

973 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] 

974 that represent the secret data. 

975 

976 """ 

977 # Create or coerce a protobuf request object. 

978 # - Quick check: If we got a request object, we should *not* have 

979 # gotten any keyword arguments that map to the request. 

980 flattened_params = [parent, secret_id, secret] 

981 has_flattened_params = ( 

982 len([param for param in flattened_params if param is not None]) > 0 

983 ) 

984 if request is not None and has_flattened_params: 

985 raise ValueError( 

986 "If the `request` argument is set, then none of " 

987 "the individual field arguments should be set." 

988 ) 

989 

990 # - Use the request object if provided (there's no risk of modifying the input as 

991 # there are no flattened fields), or create one. 

992 if not isinstance(request, service.CreateSecretRequest): 

993 request = service.CreateSecretRequest(request) 

994 # If we have keyword arguments corresponding to fields on the 

995 # request, apply these. 

996 if parent is not None: 

997 request.parent = parent 

998 if secret_id is not None: 

999 request.secret_id = secret_id 

1000 if secret is not None: 

1001 request.secret = secret 

1002 

1003 # Wrap the RPC method; this adds retry and timeout information,