Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/google/cloud/secretmanager_v1beta1/services/secret_manager_service/client.py: 42%

1# -*- coding: utf-8 -*- 

2# Copyright 2026 Google LLC 

3# 

4# Licensed under the Apache License, Version 2.0 (the "License"); 

5# you may not use this file except in compliance with the License. 

6# You may obtain a copy of the License at 

7# 

8# http://www.apache.org/licenses/LICENSE-2.0 

9# 

10# Unless required by applicable law or agreed to in writing, software 

11# distributed under the License is distributed on an "AS IS" BASIS, 

12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 

13# See the License for the specific language governing permissions and 

14# limitations under the License. 

15# 

16import json 

17import logging as std_logging 

18import os 

19import re 

20import warnings 

21from collections import OrderedDict 

22from http import HTTPStatus 

23from typing import ( 

24 Callable, 

25 Dict, 

26 Mapping, 

27 MutableMapping, 

28 MutableSequence, 

29 Optional, 

30 Sequence, 

31 Tuple, 

32 Type, 

33 Union, 

34 cast, 

35) 

36 

37import google.protobuf 

38from google.api_core import client_options as client_options_lib 

39from google.api_core import exceptions as core_exceptions 

40from google.api_core import gapic_v1 

41from google.api_core import retry as retries 

42from google.auth import credentials as ga_credentials # type: ignore 

43from google.auth.exceptions import MutualTLSChannelError # type: ignore 

44from google.auth.transport import mtls # type: ignore 

45from google.auth.transport.grpc import SslCredentials # type: ignore 

46from google.oauth2 import service_account # type: ignore 

47 

48from google.cloud.secretmanager_v1beta1 import gapic_version as package_version 

49 

50try: 

51 OptionalRetry = Union[retries.Retry, gapic_v1.method._MethodDefault, None] 

52except AttributeError: # pragma: NO COVER 

53 OptionalRetry = Union[retries.Retry, object, None] # type: ignore 

54 

55try: 

56 from google.api_core import client_logging # type: ignore 

57 

58 CLIENT_LOGGING_SUPPORTED = True # pragma: NO COVER 

59except ImportError: # pragma: NO COVER 

60 CLIENT_LOGGING_SUPPORTED = False 

61 

62_LOGGER = std_logging.getLogger(__name__) 

63 

64import google.iam.v1.iam_policy_pb2 as iam_policy_pb2 # type: ignore 

65import google.iam.v1.policy_pb2 as policy_pb2 # type: ignore 

66import google.protobuf.field_mask_pb2 as field_mask_pb2 # type: ignore 

67import google.protobuf.timestamp_pb2 as timestamp_pb2 # type: ignore 

68from google.cloud.location import locations_pb2 # type: ignore 

69 

70from google.cloud.secretmanager_v1beta1.services.secret_manager_service import pagers 

71from google.cloud.secretmanager_v1beta1.types import resources, service 

72 

73from .transports.base import DEFAULT_CLIENT_INFO, SecretManagerServiceTransport 

74from .transports.grpc import SecretManagerServiceGrpcTransport 

75from .transports.grpc_asyncio import SecretManagerServiceGrpcAsyncIOTransport 

76from .transports.rest import SecretManagerServiceRestTransport 

77 

78 

79class SecretManagerServiceClientMeta(type): 

80 """Metaclass for the SecretManagerService client. 

81 

82 This provides class-level methods for building and retrieving 

83 support objects (e.g. transport) without polluting the client instance 

84 objects. 

85 """ 

86 

87 _transport_registry = OrderedDict() # type: Dict[str, Type[SecretManagerServiceTransport]] 

88 _transport_registry["grpc"] = SecretManagerServiceGrpcTransport 

89 _transport_registry["grpc_asyncio"] = SecretManagerServiceGrpcAsyncIOTransport 

90 _transport_registry["rest"] = SecretManagerServiceRestTransport 

91 

92 def get_transport_class( 

93 cls, 

94 label: Optional[str] = None, 

95 ) -> Type[SecretManagerServiceTransport]: 

96 """Returns an appropriate transport class. 

97 

98 Args: 

99 label: The name of the desired transport. If none is 

100 provided, then the first transport in the registry is used. 

101 

102 Returns: 

103 The transport class to use. 

104 """ 

105 # If a specific transport is requested, return that one. 

106 if label: 

107 return cls._transport_registry[label] 

108 

109 # No transport is requested; return the default (that is, the first one 

110 # in the dictionary). 

111 return next(iter(cls._transport_registry.values())) 

112 

113 

114class SecretManagerServiceClient(metaclass=SecretManagerServiceClientMeta): 

115 """Secret Manager Service 

116 

117 Manages secrets and operations using those secrets. Implements a 

118 REST model with the following objects: 

119 

120 - [Secret][google.cloud.secrets.v1beta1.Secret] 

121 - [SecretVersion][google.cloud.secrets.v1beta1.SecretVersion] 

122 """ 

123 

124 @staticmethod 

125 def _get_default_mtls_endpoint(api_endpoint) -> Optional[str]: 

126 """Converts api endpoint to mTLS endpoint. 

127 

128 Convert "*.sandbox.googleapis.com" and "*.googleapis.com" to 

129 "*.mtls.sandbox.googleapis.com" and "*.mtls.googleapis.com" respectively. 

130 Args: 

131 api_endpoint (Optional[str]): the api endpoint to convert. 

132 Returns: 

133 Optional[str]: converted mTLS api endpoint. 

134 """ 

135 if not api_endpoint: 

136 return api_endpoint 

137 

138 mtls_endpoint_re = re.compile( 

139 r"(?P<name>[^.]+)(?P<mtls>\.mtls)?(?P<sandbox>\.sandbox)?(?P<googledomain>\.googleapis\.com)?" 

140 ) 

141 

142 m = mtls_endpoint_re.match(api_endpoint) 

143 if m is None: 

144 # Could not parse api_endpoint; return as-is. 

145 return api_endpoint 

146 

147 name, mtls, sandbox, googledomain = m.groups() 

148 if mtls or not googledomain: 

149 return api_endpoint 

150 

151 if sandbox: 

152 return api_endpoint.replace( 

153 "sandbox.googleapis.com", "mtls.sandbox.googleapis.com" 

154 ) 

155 

156 return api_endpoint.replace(".googleapis.com", ".mtls.googleapis.com") 

157 

158 # Note: DEFAULT_ENDPOINT is deprecated. Use _DEFAULT_ENDPOINT_TEMPLATE instead. 

159 DEFAULT_ENDPOINT = "secretmanager.googleapis.com" 

160 DEFAULT_MTLS_ENDPOINT = _get_default_mtls_endpoint.__func__( # type: ignore 

161 DEFAULT_ENDPOINT 

162 ) 

163 

164 _DEFAULT_ENDPOINT_TEMPLATE = "secretmanager.{UNIVERSE_DOMAIN}" 

165 _DEFAULT_UNIVERSE = "googleapis.com" 

166 

167 @staticmethod 

168 def _use_client_cert_effective(): 

169 """Returns whether client certificate should be used for mTLS if the 

170 google-auth version supports should_use_client_cert automatic mTLS enablement. 

171 

172 Alternatively, read from the GOOGLE_API_USE_CLIENT_CERTIFICATE env var. 

173 

174 Returns: 

175 bool: whether client certificate should be used for mTLS 

176 Raises: 

177 ValueError: (If using a version of google-auth without should_use_client_cert and 

178 GOOGLE_API_USE_CLIENT_CERTIFICATE is set to an unexpected value.) 

179 """ 

180 # check if google-auth version supports should_use_client_cert for automatic mTLS enablement 

181 if hasattr(mtls, "should_use_client_cert"): # pragma: NO COVER 

182 return mtls.should_use_client_cert() 

183 else: # pragma: NO COVER 

184 # if unsupported, fallback to reading from env var 

185 use_client_cert_str = os.getenv( 

186 "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false" 

187 ).lower() 

188 if use_client_cert_str not in ("true", "false"): 

189 raise ValueError( 

190 "Environment variable `GOOGLE_API_USE_CLIENT_CERTIFICATE` must be" 

191 " either `true` or `false`" 

192 ) 

193 return use_client_cert_str == "true" 

194 

195 @classmethod 

196 def from_service_account_info(cls, info: dict, *args, **kwargs): 

197 """Creates an instance of this client using the provided credentials 

198 info. 

199 

200 Args: 

201 info (dict): The service account private key info. 

202 args: Additional arguments to pass to the constructor. 

203 kwargs: Additional arguments to pass to the constructor. 

204 

205 Returns: 

206 SecretManagerServiceClient: The constructed client. 

207 """ 

208 credentials = service_account.Credentials.from_service_account_info(info) 

209 kwargs["credentials"] = credentials 

210 return cls(*args, **kwargs) 

211 

212 @classmethod 

213 def from_service_account_file(cls, filename: str, *args, **kwargs): 

214 """Creates an instance of this client using the provided credentials 

215 file. 

216 

217 Args: 

218 filename (str): The path to the service account private key json 

219 file. 

220 args: Additional arguments to pass to the constructor. 

221 kwargs: Additional arguments to pass to the constructor. 

222 

223 Returns: 

224 SecretManagerServiceClient: The constructed client. 

225 """ 

226 credentials = service_account.Credentials.from_service_account_file(filename) 

227 kwargs["credentials"] = credentials 

228 return cls(*args, **kwargs) 

229 

230 from_service_account_json = from_service_account_file 

231 

232 @property 

233 def transport(self) -> SecretManagerServiceTransport: 

234 """Returns the transport used by the client instance. 

235 

236 Returns: 

237 SecretManagerServiceTransport: The transport used by the client 

238 instance. 

239 """ 

240 return self._transport 

241 

242 @staticmethod 

243 def secret_path( 

244 project: str, 

245 secret: str, 

246 ) -> str: 

247 """Returns a fully-qualified secret string.""" 

248 return "projects/{project}/secrets/{secret}".format( 

249 project=project, 

250 secret=secret, 

251 ) 

252 

253 @staticmethod 

254 def parse_secret_path(path: str) -> Dict[str, str]: 

255 """Parses a secret path into its component segments.""" 

256 m = re.match(r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)$", path) 

257 return m.groupdict() if m else {} 

258 

259 @staticmethod 

260 def secret_version_path( 

261 project: str, 

262 secret: str, 

263 secret_version: str, 

264 ) -> str: 

265 """Returns a fully-qualified secret_version string.""" 

266 return "projects/{project}/secrets/{secret}/versions/{secret_version}".format( 

267 project=project, 

268 secret=secret, 

269 secret_version=secret_version, 

270 ) 

271 

272 @staticmethod 

273 def parse_secret_version_path(path: str) -> Dict[str, str]: 

274 """Parses a secret_version path into its component segments.""" 

275 m = re.match( 

276 r"^projects/(?P<project>.+?)/secrets/(?P<secret>.+?)/versions/(?P<secret_version>.+?)$", 

277 path, 

278 ) 

279 return m.groupdict() if m else {} 

280 

281 @staticmethod 

282 def common_billing_account_path( 

283 billing_account: str, 

284 ) -> str: 

285 """Returns a fully-qualified billing_account string.""" 

286 return "billingAccounts/{billing_account}".format( 

287 billing_account=billing_account, 

288 ) 

289 

290 @staticmethod 

291 def parse_common_billing_account_path(path: str) -> Dict[str, str]: 

292 """Parse a billing_account path into its component segments.""" 

293 m = re.match(r"^billingAccounts/(?P<billing_account>.+?)$", path) 

294 return m.groupdict() if m else {} 

295 

296 @staticmethod 

297 def common_folder_path( 

298 folder: str, 

299 ) -> str: 

300 """Returns a fully-qualified folder string.""" 

301 return "folders/{folder}".format( 

302 folder=folder, 

303 ) 

304 

305 @staticmethod 

306 def parse_common_folder_path(path: str) -> Dict[str, str]: 

307 """Parse a folder path into its component segments.""" 

308 m = re.match(r"^folders/(?P<folder>.+?)$", path) 

309 return m.groupdict() if m else {} 

310 

311 @staticmethod 

312 def common_organization_path( 

313 organization: str, 

314 ) -> str: 

315 """Returns a fully-qualified organization string.""" 

316 return "organizations/{organization}".format( 

317 organization=organization, 

318 ) 

319 

320 @staticmethod 

321 def parse_common_organization_path(path: str) -> Dict[str, str]: 

322 """Parse a organization path into its component segments.""" 

323 m = re.match(r"^organizations/(?P<organization>.+?)$", path) 

324 return m.groupdict() if m else {} 

325 

326 @staticmethod 

327 def common_project_path( 

328 project: str, 

329 ) -> str: 

330 """Returns a fully-qualified project string.""" 

331 return "projects/{project}".format( 

332 project=project, 

333 ) 

334 

335 @staticmethod 

336 def parse_common_project_path(path: str) -> Dict[str, str]: 

337 """Parse a project path into its component segments.""" 

338 m = re.match(r"^projects/(?P<project>.+?)$", path) 

339 return m.groupdict() if m else {} 

340 

341 @staticmethod 

342 def common_location_path( 

343 project: str, 

344 location: str, 

345 ) -> str: 

346 """Returns a fully-qualified location string.""" 

347 return "projects/{project}/locations/{location}".format( 

348 project=project, 

349 location=location, 

350 ) 

351 

352 @staticmethod 

353 def parse_common_location_path(path: str) -> Dict[str, str]: 

354 """Parse a location path into its component segments.""" 

355 m = re.match(r"^projects/(?P<project>.+?)/locations/(?P<location>.+?)$", path) 

356 return m.groupdict() if m else {} 

357 

358 @classmethod 

359 def get_mtls_endpoint_and_cert_source( 

360 cls, client_options: Optional[client_options_lib.ClientOptions] = None 

361 ): 

362 """Deprecated. Return the API endpoint and client cert source for mutual TLS. 

363 

364 The client cert source is determined in the following order: 

365 (1) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is not "true", the 

366 client cert source is None. 

367 (2) if `client_options.client_cert_source` is provided, use the provided one; if the 

368 default client cert source exists, use the default one; otherwise the client cert 

369 source is None. 

370 

371 The API endpoint is determined in the following order: 

372 (1) if `client_options.api_endpoint` if provided, use the provided one. 

373 (2) if `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is "always", use the 

374 default mTLS endpoint; if the environment variable is "never", use the default API 

375 endpoint; otherwise if client cert source exists, use the default mTLS endpoint, otherwise 

376 use the default API endpoint. 

377 

378 More details can be found at https://google.aip.dev/auth/4114. 

379 

380 Args: 

381 client_options (google.api_core.client_options.ClientOptions): Custom options for the 

382 client. Only the `api_endpoint` and `client_cert_source` properties may be used 

383 in this method. 

384 

385 Returns: 

386 Tuple[str, Callable[[], Tuple[bytes, bytes]]]: returns the API endpoint and the 

387 client cert source to use. 

388 

389 Raises: 

390 google.auth.exceptions.MutualTLSChannelError: If any errors happen. 

391 """ 

392 

393 warnings.warn( 

394 "get_mtls_endpoint_and_cert_source is deprecated. Use the api_endpoint property instead.", 

395 DeprecationWarning, 

396 ) 

397 if client_options is None: 

398 client_options = client_options_lib.ClientOptions() 

399 use_client_cert = SecretManagerServiceClient._use_client_cert_effective() 

400 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto") 

401 if use_mtls_endpoint not in ("auto", "never", "always"): 

402 raise MutualTLSChannelError( 

403 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

404 ) 

405 

406 # Figure out the client cert source to use. 

407 client_cert_source = None 

408 if use_client_cert: 

409 if client_options.client_cert_source: 

410 client_cert_source = client_options.client_cert_source 

411 elif mtls.has_default_client_cert_source(): 

412 client_cert_source = mtls.default_client_cert_source() 

413 

414 # Figure out which api endpoint to use. 

415 if client_options.api_endpoint is not None: 

416 api_endpoint = client_options.api_endpoint 

417 elif use_mtls_endpoint == "always" or ( 

418 use_mtls_endpoint == "auto" and client_cert_source 

419 ): 

420 api_endpoint = cls.DEFAULT_MTLS_ENDPOINT 

421 else: 

422 api_endpoint = cls.DEFAULT_ENDPOINT 

423 

424 return api_endpoint, client_cert_source 

425 

426 @staticmethod 

427 def _read_environment_variables(): 

428 """Returns the environment variables used by the client. 

429 

430 Returns: 

431 Tuple[bool, str, str]: returns the GOOGLE_API_USE_CLIENT_CERTIFICATE, 

432 GOOGLE_API_USE_MTLS_ENDPOINT, and GOOGLE_CLOUD_UNIVERSE_DOMAIN environment variables. 

433 

434 Raises: 

435 ValueError: If GOOGLE_API_USE_CLIENT_CERTIFICATE is not 

436 any of ["true", "false"]. 

437 google.auth.exceptions.MutualTLSChannelError: If GOOGLE_API_USE_MTLS_ENDPOINT 

438 is not any of ["auto", "never", "always"]. 

439 """ 

440 use_client_cert = SecretManagerServiceClient._use_client_cert_effective() 

441 use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto").lower() 

442 universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN") 

443 if use_mtls_endpoint not in ("auto", "never", "always"): 

444 raise MutualTLSChannelError( 

445 "Environment variable `GOOGLE_API_USE_MTLS_ENDPOINT` must be `never`, `auto` or `always`" 

446 ) 

447 return use_client_cert, use_mtls_endpoint, universe_domain_env 

448 

449 @staticmethod 

450 def _get_client_cert_source(provided_cert_source, use_cert_flag): 

451 """Return the client cert source to be used by the client. 

452 

453 Args: 

454 provided_cert_source (bytes): The client certificate source provided. 

455 use_cert_flag (bool): A flag indicating whether to use the client certificate. 

456 

457 Returns: 

458 bytes or None: The client cert source to be used by the client. 

459 """ 

460 client_cert_source = None 

461 if use_cert_flag: 

462 if provided_cert_source: 

463 client_cert_source = provided_cert_source 

464 elif mtls.has_default_client_cert_source(): 

465 client_cert_source = mtls.default_client_cert_source() 

466 return client_cert_source 

467 

468 @staticmethod 

469 def _get_api_endpoint( 

470 api_override, client_cert_source, universe_domain, use_mtls_endpoint 

471 ) -> str: 

472 """Return the API endpoint used by the client. 

473 

474 Args: 

475 api_override (str): The API endpoint override. If specified, this is always 

476 the return value of this function and the other arguments are not used. 

477 client_cert_source (bytes): The client certificate source used by the client. 

478 universe_domain (str): The universe domain used by the client. 

479 use_mtls_endpoint (str): How to use the mTLS endpoint, which depends also on the other parameters. 

480 Possible values are "always", "auto", or "never". 

481 

482 Returns: 

483 str: The API endpoint to be used by the client. 

484 """ 

485 if api_override is not None: 

486 api_endpoint = api_override 

487 elif use_mtls_endpoint == "always" or ( 

488 use_mtls_endpoint == "auto" and client_cert_source 

489 ): 

490 _default_universe = SecretManagerServiceClient._DEFAULT_UNIVERSE 

491 if universe_domain != _default_universe: 

492 raise MutualTLSChannelError( 

493 f"mTLS is not supported in any universe other than {_default_universe}." 

494 ) 

495 api_endpoint = SecretManagerServiceClient.DEFAULT_MTLS_ENDPOINT 

496 else: 

497 api_endpoint = SecretManagerServiceClient._DEFAULT_ENDPOINT_TEMPLATE.format( 

498 UNIVERSE_DOMAIN=universe_domain 

499 ) 

500 return api_endpoint 

501 

502 @staticmethod 

503 def _get_universe_domain( 

504 client_universe_domain: Optional[str], universe_domain_env: Optional[str] 

505 ) -> str: 

506 """Return the universe domain used by the client. 

507 

508 Args: 

509 client_universe_domain (Optional[str]): The universe domain configured via the client options. 

510 universe_domain_env (Optional[str]): The universe domain configured via the "GOOGLE_CLOUD_UNIVERSE_DOMAIN" environment variable. 

511 

512 Returns: 

513 str: The universe domain to be used by the client. 

514 

515 Raises: 

516 ValueError: If the universe domain is an empty string. 

517 """ 

518 universe_domain = SecretManagerServiceClient._DEFAULT_UNIVERSE 

519 if client_universe_domain is not None: 

520 universe_domain = client_universe_domain 

521 elif universe_domain_env is not None: 

522 universe_domain = universe_domain_env 

523 if len(universe_domain.strip()) == 0: 

524 raise ValueError("Universe Domain cannot be an empty string.") 

525 return universe_domain 

526 

527 def _validate_universe_domain(self): 

528 """Validates client's and credentials' universe domains are consistent. 

529 

530 Returns: 

531 bool: True iff the configured universe domain is valid. 

532 

533 Raises: 

534 ValueError: If the configured universe domain is not valid. 

535 """ 

536 

537 # NOTE (b/349488459): universe validation is disabled until further notice. 

538 return True 

539 

540 def _add_cred_info_for_auth_errors( 

541 self, error: core_exceptions.GoogleAPICallError 

542 ) -> None: 

543 """Adds credential info string to error details for 401/403/404 errors. 

544 

545 Args: 

546 error (google.api_core.exceptions.GoogleAPICallError): The error to add the cred info. 

547 """ 

548 if error.code not in [ 

549 HTTPStatus.UNAUTHORIZED, 

550 HTTPStatus.FORBIDDEN, 

551 HTTPStatus.NOT_FOUND, 

552 ]: 

553 return 

554 

555 cred = self._transport._credentials 

556 

557 # get_cred_info is only available in google-auth>=2.35.0 

558 if not hasattr(cred, "get_cred_info"): 

559 return 

560 

561 # ignore the type check since pypy test fails when get_cred_info 

562 # is not available 

563 cred_info = cred.get_cred_info() # type: ignore 

564 if cred_info and hasattr(error._details, "append"): 

565 error._details.append(json.dumps(cred_info)) 

566 

567 @property 

568 def api_endpoint(self) -> str: 

569 """Return the API endpoint used by the client instance. 

570 

571 Returns: 

572 str: The API endpoint used by the client instance. 

573 """ 

574 return self._api_endpoint 

575 

576 @property 

577 def universe_domain(self) -> str: 

578 """Return the universe domain used by the client instance. 

579 

580 Returns: 

581 str: The universe domain used by the client instance. 

582 """ 

583 return self._universe_domain 

584 

585 def __init__( 

586 self, 

587 *, 

588 credentials: Optional[ga_credentials.Credentials] = None, 

589 transport: Optional[ 

590 Union[ 

591 str, 

592 SecretManagerServiceTransport, 

593 Callable[..., SecretManagerServiceTransport], 

594 ] 

595 ] = None, 

596 client_options: Optional[Union[client_options_lib.ClientOptions, dict]] = None, 

597 client_info: gapic_v1.client_info.ClientInfo = DEFAULT_CLIENT_INFO, 

598 ) -> None: 

599 """Instantiates the secret manager service client. 

600 

601 Args: 

602 credentials (Optional[google.auth.credentials.Credentials]): The 

603 authorization credentials to attach to requests. These 

604 credentials identify the application to the service; if none 

605 are specified, the client will attempt to ascertain the 

606 credentials from the environment. 

607 transport (Optional[Union[str,SecretManagerServiceTransport,Callable[..., SecretManagerServiceTransport]]]): 

608 The transport to use, or a Callable that constructs and returns a new transport. 

609 If a Callable is given, it will be called with the same set of initialization 

610 arguments as used in the SecretManagerServiceTransport constructor. 

611 If set to None, a transport is chosen automatically. 

612 client_options (Optional[Union[google.api_core.client_options.ClientOptions, dict]]): 

613 Custom options for the client. 

614 

615 1. The ``api_endpoint`` property can be used to override the 

616 default endpoint provided by the client when ``transport`` is 

617 not explicitly provided. Only if this property is not set and 

618 ``transport`` was not explicitly provided, the endpoint is 

619 determined by the GOOGLE_API_USE_MTLS_ENDPOINT environment 

620 variable, which have one of the following values: 

621 "always" (always use the default mTLS endpoint), "never" (always 

622 use the default regular endpoint) and "auto" (auto-switch to the 

623 default mTLS endpoint if client certificate is present; this is 

624 the default value). 

625 

626 2. If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable 

627 is "true", then the ``client_cert_source`` property can be used 

628 to provide a client certificate for mTLS transport. If 

629 not provided, the default SSL client certificate will be used if 

630 present. If GOOGLE_API_USE_CLIENT_CERTIFICATE is "false" or not 

631 set, no client certificate will be used. 

632 

633 3. The ``universe_domain`` property can be used to override the 

634 default "googleapis.com" universe. Note that the ``api_endpoint`` 

635 property still takes precedence; and ``universe_domain`` is 

636 currently not supported for mTLS. 

637 

638 client_info (google.api_core.gapic_v1.client_info.ClientInfo): 

639 The client info used to send a user-agent string along with 

640 API requests. If ``None``, then default info will be used. 

641 Generally, you only need to set this if you're developing 

642 your own client library. 

643 

644 Raises: 

645 google.auth.exceptions.MutualTLSChannelError: If mutual TLS transport 

646 creation failed for any reason. 

647 """ 

648 self._client_options = client_options 

649 if isinstance(self._client_options, dict): 

650 self._client_options = client_options_lib.from_dict(self._client_options) 

651 if self._client_options is None: 

652 self._client_options = client_options_lib.ClientOptions() 

653 self._client_options = cast( 

654 client_options_lib.ClientOptions, self._client_options 

655 ) 

656 

657 universe_domain_opt = getattr(self._client_options, "universe_domain", None) 

658 

659 self._use_client_cert, self._use_mtls_endpoint, self._universe_domain_env = ( 

660 SecretManagerServiceClient._read_environment_variables() 

661 ) 

662 self._client_cert_source = SecretManagerServiceClient._get_client_cert_source( 

663 self._client_options.client_cert_source, self._use_client_cert 

664 ) 

665 self._universe_domain = SecretManagerServiceClient._get_universe_domain( 

666 universe_domain_opt, self._universe_domain_env 

667 ) 

668 self._api_endpoint: str = "" # updated below, depending on `transport` 

669 

670 # Initialize the universe domain validation. 

671 self._is_universe_domain_valid = False 

672 

673 if CLIENT_LOGGING_SUPPORTED: # pragma: NO COVER 

674 # Setup logging. 

675 client_logging.initialize_logging() 

676 

677 api_key_value = getattr(self._client_options, "api_key", None) 

678 if api_key_value and credentials: 

679 raise ValueError( 

680 "client_options.api_key and credentials are mutually exclusive" 

681 ) 

682 

683 # Save or instantiate the transport. 

684 # Ordinarily, we provide the transport, but allowing a custom transport 

685 # instance provides an extensibility point for unusual situations. 

686 transport_provided = isinstance(transport, SecretManagerServiceTransport) 

687 if transport_provided: 

688 # transport is a SecretManagerServiceTransport instance. 

689 if credentials or self._client_options.credentials_file or api_key_value: 

690 raise ValueError( 

691 "When providing a transport instance, " 

692 "provide its credentials directly." 

693 ) 

694 if self._client_options.scopes: 

695 raise ValueError( 

696 "When providing a transport instance, provide its scopes directly." 

697 ) 

698 self._transport = cast(SecretManagerServiceTransport, transport) 

699 self._api_endpoint = self._transport.host 

700 

701 self._api_endpoint = ( 

702 self._api_endpoint 

703 or SecretManagerServiceClient._get_api_endpoint( 

704 self._client_options.api_endpoint, 

705 self._client_cert_source, 

706 self._universe_domain, 

707 self._use_mtls_endpoint, 

708 ) 

709 ) 

710 

711 if not transport_provided: 

712 import google.auth._default # type: ignore 

713 

714 if api_key_value and hasattr( 

715 google.auth._default, "get_api_key_credentials" 

716 ): 

717 credentials = google.auth._default.get_api_key_credentials( 

718 api_key_value 

719 ) 

720 

721 transport_init: Union[ 

722 Type[SecretManagerServiceTransport], 

723 Callable[..., SecretManagerServiceTransport], 

724 ] = ( 

725 SecretManagerServiceClient.get_transport_class(transport) 

726 if isinstance(transport, str) or transport is None 

727 else cast(Callable[..., SecretManagerServiceTransport], transport) 

728 ) 

729 # initialize with the provided callable or the passed in class 

730 self._transport = transport_init( 

731 credentials=credentials, 

732 credentials_file=self._client_options.credentials_file, 

733 host=self._api_endpoint, 

734 scopes=self._client_options.scopes, 

735 client_cert_source_for_mtls=self._client_cert_source, 

736 quota_project_id=self._client_options.quota_project_id, 

737 client_info=client_info, 

738 always_use_jwt_access=True, 

739 api_audience=self._client_options.api_audience, 

740 ) 

741 

742 if "async" not in str(self._transport): 

743 if CLIENT_LOGGING_SUPPORTED and _LOGGER.isEnabledFor( 

744 std_logging.DEBUG 

745 ): # pragma: NO COVER 

746 _LOGGER.debug( 

747 "Created client `google.cloud.secrets_v1beta1.SecretManagerServiceClient`.", 

748 extra={ 

749 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

750 "universeDomain": getattr( 

751 self._transport._credentials, "universe_domain", "" 

752 ), 

753 "credentialsType": f"{type(self._transport._credentials).__module__}.{type(self._transport._credentials).__qualname__}", 

754 "credentialsInfo": getattr( 

755 self.transport._credentials, "get_cred_info", lambda: None 

756 )(), 

757 } 

758 if hasattr(self._transport, "_credentials") 

759 else { 

760 "serviceName": "google.cloud.secrets.v1beta1.SecretManagerService", 

761 "credentialsType": None, 

762 }, 

763 ) 

764 

765 def list_secrets( 

766 self, 

767 request: Optional[Union[service.ListSecretsRequest, dict]] = None, 

768 *, 

769 parent: Optional[str] = None, 

770 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

771 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

772 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

773 ) -> pagers.ListSecretsPager: 

774 r"""Lists [Secrets][google.cloud.secrets.v1beta1.Secret]. 

775 

776 .. code-block:: python 

777 

778 # This snippet has been automatically generated and should be regarded as a 

779 # code template only. 

780 # It will require modifications to work: 

781 # - It may require correct/in-range values for request initialization. 

782 # - It may require specifying regional endpoints when creating the service 

783 # client as shown in: 

784 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

785 from google.cloud import secretmanager_v1beta1 

786 

787 def sample_list_secrets(): 

788 # Create a client 

789 client = secretmanager_v1beta1.SecretManagerServiceClient() 

790 

791 # Initialize request argument(s) 

792 request = secretmanager_v1beta1.ListSecretsRequest( 

793 parent="parent_value", 

794 ) 

795 

796 # Make the request 

797 page_result = client.list_secrets(request=request) 

798 

799 # Handle the response 

800 for response in page_result: 

801 print(response) 

802 

803 Args: 

804 request (Union[google.cloud.secretmanager_v1beta1.types.ListSecretsRequest, dict]): 

805 The request object. Request message for 

806 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

807 parent (str): 

808 Required. The resource name of the project associated 

809 with the [Secrets][google.cloud.secrets.v1beta1.Secret], 

810 in the format ``projects/*``. 

811 

812 This corresponds to the ``parent`` field 

813 on the ``request`` instance; if ``request`` is provided, this 

814 should not be set. 

815 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

816 should be retried. 

817 timeout (float): The timeout for this request. 

818 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

819 sent along with the request as metadata. Normally, each value must be of type `str`, 

820 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

821 be of type `bytes`. 

822 

823 Returns: 

824 google.cloud.secretmanager_v1beta1.services.secret_manager_service.pagers.ListSecretsPager: 

825 Response message for 

826 [SecretManagerService.ListSecrets][google.cloud.secrets.v1beta1.SecretManagerService.ListSecrets]. 

827 

828 Iterating over this object will yield results and 

829 resolve additional pages automatically. 

830 

831 """ 

832 # Create or coerce a protobuf request object. 

833 # - Quick check: If we got a request object, we should *not* have 

834 # gotten any keyword arguments that map to the request. 

835 flattened_params = [parent] 

836 has_flattened_params = ( 

837 len([param for param in flattened_params if param is not None]) > 0 

838 ) 

839 if request is not None and has_flattened_params: 

840 raise ValueError( 

841 "If the `request` argument is set, then none of " 

842 "the individual field arguments should be set." 

843 ) 

844 

845 # - Use the request object if provided (there's no risk of modifying the input as 

846 # there are no flattened fields), or create one. 

847 if not isinstance(request, service.ListSecretsRequest): 

848 request = service.ListSecretsRequest(request) 

849 # If we have keyword arguments corresponding to fields on the 

850 # request, apply these. 

851 if parent is not None: 

852 request.parent = parent 

853 

854 # Wrap the RPC method; this adds retry and timeout information, 

855 # and friendly error handling. 

856 rpc = self._transport._wrapped_methods[self._transport.list_secrets] 

857 

858 # Certain fields should be provided within the metadata header; 

859 # add these here. 

860 metadata = tuple(metadata) + ( 

861 gapic_v1.routing_header.to_grpc_metadata((("parent", request.parent),)), 

862 ) 

863 

864 # Validate the universe domain. 

865 self._validate_universe_domain() 

866 

867 # Send the request. 

868 response = rpc( 

869 request, 

870 retry=retry, 

871 timeout=timeout, 

872 metadata=metadata, 

873 ) 

874 

875 # This method is paged; wrap the response in a pager, which provides 

876 # an `__iter__` convenience method. 

877 response = pagers.ListSecretsPager( 

878 method=rpc, 

879 request=request, 

880 response=response, 

881 retry=retry, 

882 timeout=timeout, 

883 metadata=metadata, 

884 ) 

885 

886 # Done; return the response. 

887 return response 

888 

889 def create_secret( 

890 self, 

891 request: Optional[Union[service.CreateSecretRequest, dict]] = None, 

892 *, 

893 parent: Optional[str] = None, 

894 secret_id: Optional[str] = None, 

895 secret: Optional[resources.Secret] = None, 

896 retry: OptionalRetry = gapic_v1.method.DEFAULT, 

897 timeout: Union[float, object] = gapic_v1.method.DEFAULT, 

898 metadata: Sequence[Tuple[str, Union[str, bytes]]] = (), 

899 ) -> resources.Secret: 

900 r"""Creates a new [Secret][google.cloud.secrets.v1beta1.Secret] 

901 containing no 

902 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion]. 

903 

904 .. code-block:: python 

905 

906 # This snippet has been automatically generated and should be regarded as a 

907 # code template only. 

908 # It will require modifications to work: 

909 # - It may require correct/in-range values for request initialization. 

910 # - It may require specifying regional endpoints when creating the service 

911 # client as shown in: 

912 # https://googleapis.dev/python/google-api-core/latest/client_options.html 

913 from google.cloud import secretmanager_v1beta1 

914 

915 def sample_create_secret(): 

916 # Create a client 

917 client = secretmanager_v1beta1.SecretManagerServiceClient() 

918 

919 # Initialize request argument(s) 

920 request = secretmanager_v1beta1.CreateSecretRequest( 

921 parent="parent_value", 

922 secret_id="secret_id_value", 

923 ) 

924 

925 # Make the request 

926 response = client.create_secret(request=request) 

927 

928 # Handle the response 

929 print(response) 

930 

931 Args: 

932 request (Union[google.cloud.secretmanager_v1beta1.types.CreateSecretRequest, dict]): 

933 The request object. Request message for 

934 [SecretManagerService.CreateSecret][google.cloud.secrets.v1beta1.SecretManagerService.CreateSecret]. 

935 parent (str): 

936 Required. The resource name of the project to associate 

937 with the [Secret][google.cloud.secrets.v1beta1.Secret], 

938 in the format ``projects/*``. 

939 

940 This corresponds to the ``parent`` field 

941 on the ``request`` instance; if ``request`` is provided, this 

942 should not be set. 

943 secret_id (str): 

944 Required. This must be unique within the project. 

945 

946 A secret ID is a string with a maximum length of 255 

947 characters and can contain uppercase and lowercase 

948 letters, numerals, and the hyphen (``-``) and underscore 

949 (``_``) characters. 

950 

951 This corresponds to the ``secret_id`` field 

952 on the ``request`` instance; if ``request`` is provided, this 

953 should not be set. 

954 secret (google.cloud.secretmanager_v1beta1.types.Secret): 

955 Required. A 

956 [Secret][google.cloud.secrets.v1beta1.Secret] with 

957 initial field values. 

958 

959 This corresponds to the ``secret`` field 

960 on the ``request`` instance; if ``request`` is provided, this 

961 should not be set. 

962 retry (google.api_core.retry.Retry): Designation of what errors, if any, 

963 should be retried. 

964 timeout (float): The timeout for this request. 

965 metadata (Sequence[Tuple[str, Union[str, bytes]]]): Key/value pairs which should be 

966 sent along with the request as metadata. Normally, each value must be of type `str`, 

967 but for metadata keys ending with the suffix `-bin`, the corresponding values must 

968 be of type `bytes`. 

969 

970 Returns: 

971 google.cloud.secretmanager_v1beta1.types.Secret: 

972 A [Secret][google.cloud.secrets.v1beta1.Secret] is a logical secret whose 

973 value and versions can be accessed. 

974 

975 A [Secret][google.cloud.secrets.v1beta1.Secret] is 

976 made up of zero or more 

977 [SecretVersions][google.cloud.secrets.v1beta1.SecretVersion] 

978 that represent the secret data. 

979 

980 """ 

981 # Create or coerce a protobuf request object. 

982 # - Quick check: If we got a request object, we should *not* have 

983 # gotten any keyword arguments that map to the request. 

984 flattened_params = [parent, secret_id, secret] 

985 has_flattened_params = ( 

986 len([param for param in flattened_params if param is not None]) > 0 

987 ) 

988 if request is not None and has_flattened_params: 

989 raise ValueError( 

990 "If the `request` argument is set, then none of " 

991 "the individual field arguments should be set." 

992 ) 

993 

994 # - Use the request object if provided (there's no risk of modifying the input as 

995 # there are no flattened fields), or create one. 

996 if not isinstance(request, service.CreateSecretRequest): 

997 request = service.CreateSecretRequest(request) 

998 # If we have keyword arguments corresponding to fields on the 

999 # request, apply these. 

1000 if parent is not None: 

1001 request.parent = parent 

1002 if secret_id is not None: 

1003 request.secret_id = secret_id