



This step-by-step guide explains how to access passwords, API keys, and other sensitive data stored in Google Secret Manager using Google Apps Script.

Google Secret Manager is a cloud service that lets you store sensitive data such as passwords, database credentials, encryption keys, or other sensitive information that you don't want to hard-code into your application's source code. You can also set an expiration date for your secret. Google Secret Manager automatically deletes your secret after the specified amount of time.

The following guide explains how to use Google Apps Script to access secrets stored in Google Secret Manager. But before we proceed, let's first create a secret in Google Secret Manager.

Enable Google Secret Manager

1. Open the Google Cloud console and create a new project.

2. Go to the Library section of your Google Cloud project and enable the Secret Manager API.

3. Go to the IAM & Admin > IAM section of Google Cloud. Click Grant Access to add the Secret Manager Secret Accessor role to the Google Account that will access secrets stored in Google Secret Manager.

Create a secret with Google Secret Manager

Now that you've enabled the Secret Manager API and granted access to your Google account, let's create a new secret in Google Secret Manager.

Go to Secret Manager and click the Create Secret button to create a new secret.

Name your secret and add a secret value. This can be a plain text string or you can upload a binary file up to 64KB in size. If you want your secret to expire after a certain amount of time, you can set an expiration date for your secret.

In the example above, we created a secret named MyBankPassword with the value MySuperSecretPassword. Google Secret Manager automatically assigns a version number (1) to your secret. Once you save a secret value, you can't change it, but you can create a new version of the secret with a different value.

Access Google Secret Manager from Google Apps Script

Now that we have created a secret in Google Secret Manager, let's create a Google Apps Script that retrieves the secret value from Google Secret Manager.

Create a new Google Apps Script project by navigating to script.new. Go to your project settings and enable the option to show the appsscript.json manifest file in the editor. Switch to the appsscript.json tab and add the following OAuth scopes to your manifest file.

{
  "oauthScopes": [
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/cloud-platform"
  ]
}

Next, add the following function to your Google Apps Script project. Replace the project_id, secret_id, and version_id variables with the actual values of your secret.

project_id is the project number for your Google Cloud project, which you can find in the Google Cloud Console.

After you add the function to your Google Apps Script project, run the main function to retrieve the secret value from Google Secret Manager and log it to the Google Apps Script Logger.

const main = () => {
  const project_id = '<project_id>'; // placeholder: your Google Cloud project number
  const secret_id = '<secret_id>'; // placeholder: the name of your secret
  const secret_value = getSecretValue_({ project_id, secret_id });
  // Demo only: this writes the secret value to the execution log.
  Logger.log('The secret value for %s is %s', secret_id, secret_value);
};

const getSecretValue_ = ({ project_id, secret_id, version_id = 1 }) => {
  const endpoint = `projects/${project_id}/secrets/${secret_id}/versions/${version_id}:access`;
  const api = `https://secretmanager.googleapis.com/v1/${endpoint}`;
  const response = UrlFetchApp.fetch(api, {
    method: 'GET',
    headers: {
      // The token carries the scopes declared in appsscript.json.
      Authorization: `Bearer ${ScriptApp.getOAuthToken()}`,
      'Content-Type': 'application/json',
    },
    muteHttpExceptions: true,
  });
  const { error, payload } = JSON.parse(response.getContentText());
  if (error) {
    throw new Error(error.message);
  }
  // payload.data is base64; Utilities.base64Decode returns signed bytes (-128..127).
  const bytes = Utilities.base64Decode(payload.data);
  // Mask to 0..255 so non-ASCII bytes percent-encode correctly, then decode as UTF-8.
  const percentEncoded = bytes
    .map((byte) => `%${(byte & 0xff).toString(16).padStart(2, '0')}`)
    .join('');
  const secretValue = decodeURIComponent(percentEncoded);
  return secretValue;
};
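
The following is an added example, not code from the original guide. It goes one step beyond the function above: it checks the HTTP status, verifies the payload's dataCrc32c checksum that Secret Manager returns alongside data, and decodes signed bytes as UTF-8. The helper names (parseAccessResponse, nodeBase64Decode, sampleResponse) are hypothetical, the sample response is constructed, and the Node.js stand-in only exists so the logic can be run outside Apps Script.

```javascript
// Added example. Helper names are hypothetical; the sample response is constructed.

// Lookup table for CRC32C (Castagnoli), reflected polynomial 0x82F63B78.
const CRC32C_TABLE = Array.from({ length: 256 }, (_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? (c >>> 1) ^ 0x82f63b78 : c >>> 1;
  return c >>> 0;
});

// Works on signed bytes (-128..127), which is what Utilities.base64Decode returns.
const crc32c = (bytes) => {
  let crc = 0xffffffff;
  for (const b of bytes) crc = CRC32C_TABLE[(crc ^ b) & 0xff] ^ (crc >>> 8);
  return (crc ^ 0xffffffff) >>> 0;
};

// Mask each byte to 0..255 before hex-encoding, then decode the bytes as UTF-8.
// Throws URIError if the secret is binary rather than UTF-8 text.
const bytesToUtf8 = (bytes) =>
  decodeURIComponent(
    Array.from(bytes, (b) => `%${(b & 0xff).toString(16).padStart(2, '0')}`).join('')
  );

// status: response.getResponseCode(); body: response.getContentText();
// base64Decode: Utilities.base64Decode in Apps Script.
const parseAccessResponse = (status, body, base64Decode) => {
  const { error, payload } = JSON.parse(body);
  if (status !== 200 || error || !payload) {
    // Report only the API's message, never any payload content.
    throw new Error(`Secret Manager request failed (${status}): ${error ? error.message : 'no payload'}`);
  }
  const bytes = base64Decode(payload.data);
  if (payload.dataCrc32c !== undefined && String(crc32c(bytes)) !== String(payload.dataCrc32c)) {
    throw new Error('Secret payload failed its CRC32C check');
  }
  return bytesToUtf8(bytes);
};

// Node.js stand-in for Utilities.base64Decode (same signed-byte output), for offline runs.
const nodeBase64Decode = (b64) => Array.from(new Int8Array(Buffer.from(b64, 'base64')));

// Constructed sample response; a non-ASCII value exercises the signed-byte path.
const sampleResponse = (text) => {
  const buf = Buffer.from(text, 'utf8');
  return JSON.stringify({
    name: 'projects/000000000000/secrets/MyBankPassword/versions/1',
    payload: { data: buf.toString('base64'), dataCrc32c: String(crc32c(buf)) },
  });
};
```

In Apps Script, call it as parseAccessResponse(response.getResponseCode(), response.getContentText(), Utilities.base64Decode).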

