Google Secret Manager
Secrets management tools
Data security software
- Features
- Ease of use
- Ease of management
- Quality of support
- Affordability
- Market presence
Take the quiz to check if Google Secret Manager and its alternatives fit your requirements.
Pay-as-you-go
Free TrialFree version
Small
Medium
Large
- Retail and wholesale
- Accommodation and food services
- Agriculture, fishing, and forestry
What is Google Secret Manager
Google Secret Manager (Google Cloud Secret Manager) is a managed service for storing, versioning, and controlling access to application secrets such as API keys, passwords, and certificates. It targets cloud and DevOps teams that need centralized secret distribution to workloads running on Google Cloud services and supported runtimes. The service integrates with Google Cloud IAM for access control and provides audit logging through Google Cloud logging services. It is typically used alongside Google Cloud Key Management Service (KMS) for encryption key management and related compliance controls.
Managed service with IAM controls
The service is fully managed, reducing operational work compared with self-hosted secret stores. Access to secrets is governed through Google Cloud IAM roles and policies, enabling consistent permission management across Google Cloud resources. It supports resource-level permissions and integrates with organization policies and service accounts used by workloads. This aligns well with teams standardizing on Google Cloud identity and access patterns.
Secret versioning and rotation support
Secrets support versioning, which helps teams roll credentials safely and keep rollback options during deployments. Applications can reference specific versions or use the latest enabled version, supporting controlled cutovers. The platform provides mechanisms to disable or destroy versions to reduce exposure from old credentials. These features support common CI/CD and incident response workflows.
Auditability and cloud integrations
Secret access can be logged and monitored using Google Cloud’s audit logging and monitoring tooling, supporting investigation and compliance reporting. The service integrates with common Google Cloud compute and container platforms via service accounts and APIs. This reduces the need for custom distribution mechanisms when workloads already run on Google Cloud. Centralized logging also helps detect anomalous access patterns when configured with alerts.
Strongest fit within Google Cloud
The product is optimized for Google Cloud environments and identity primitives, which can increase friction in multi-cloud or on-prem deployments. While APIs can be used from outside Google Cloud, teams may need additional networking, identity federation, and operational patterns to achieve parity with in-cloud usage. Organizations with heterogeneous platforms may prefer a tool designed for consistent cross-environment secret delivery. This can affect portability and standardization across business units.
Not a full key management suite
Secret Manager focuses on storing and controlling access to secrets rather than providing comprehensive cryptographic key lifecycle management. Teams often pair it with Google Cloud KMS or other cryptographic services for key generation, HSM-backed keys, and advanced key governance. This separation can add architectural complexity and policy coordination between services. Buyers evaluating a single consolidated cryptographic platform may find gaps without additional products.
Limited advanced secret workflows
Compared with some enterprise-focused secret platforms, advanced workflows such as complex dynamic secret generation, broad plugin ecosystems, or deep integrations across many third-party systems may require additional tooling. Some use cases (for example, database credential brokering across diverse environments) can involve more custom implementation. Organizations with extensive non-Google infrastructure may need to build or buy connectors and automation. This can increase time-to-implement for complex enterprise requirements.
Plan & Pricing
Pricing model: Pay-as-you-go Free tier/trial: Always Free monthly limits (per billing account): 6 active secret versions; 10,000 access operations; 3 rotation notifications. New customers: $300 free trial credits valid for 90 days.
Billable items:
- Active secret versions: $0.06 per version per location (per month).
- Access operations: $0.03 per 10,000 operations.
- Rotation notifications: $0.05 per rotation (billed per SECRET_ROTATE message sent to a Pub/Sub topic).
- Management operations: Free (creating secrets, destroying secrets, changing state of secret versions).
- Destroyed secret versions: Free.
Notes & examples:
- Pricing is billed monthly and prorated based on actual consumption (e.g., versions active only part of a month are billed proportionally).
- Example (from official doc paraphrased): after applying the Always Free allowances (6 versions, 10,000 operations, 3 rotations), a sample usage scenario results in an illustrative monthly bill of ~$15.76.
Seller details
Google LLC
Mountain View, CA, USA
1998
Subsidiary
https://cloud.google.com/deep-learning-vm
https://x.com/googlecloud
https://www.linkedin.com/company/google/
