feat(secretmanager): add examples for creating, updating and deleting secret rotation policies and topics

Author: dhavalbhensdadiya-crest

secretmanager/README.md

@@ -12,24 +12,28 @@ the Secret Manager API using the Google Java API Client Libraries.
 
 ### Enable the API
 
-You must enable the [Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) and [Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com) for your project in order to use these samples
+You must enable the [Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com), [Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com) and [Pub/Sub API](https://console.cloud.google.com/flows/enableapi?apiid=pubsub.googleapis.com) for your project in order to use these samples
 
 ### Set Environment Variables
 
-You must set your project ID, KMS Keys (Global and Regional) in order to run the tests
+You must set your project ID, KMS Keys (Global and Regional), and Pub/Sub Topic in order to run the tests
 
 ```text
 $ export GOOGLE_CLOUD_PROJECT=<your-project-id-here>
 $ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)
 $ export GOOGLE_CLOUD_KMS_KEY=<full-name-of-global-kms-key>
+$ export GOOGLE_CLOUD_PUBSUB_TOPIC=<full-name-of-pubsub-topic>
 ```
 
+The Pub/Sub topic should be in the format `projects/PROJECT_ID/topics/TOPIC_ID` and is used for testing secret notifications.
+
 ### Grant Permissions
 
 You must ensure that the [user account or service account](https://cloud.google.com/iam/docs/service-accounts#differences_between_a_service_account_and_a_user_account) you used to authorize your gcloud session has the proper permissions to edit Secret Manager resources for your project. In the Cloud Console under IAM, add the following roles to the project whose service account you're using to test:
 
 * Secret Manager Admin (`roles/secretmanager.admin`)
 * Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)
 * Cloud KMS Encrypter / Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the regional and global KMS key used for testing
+* Pub/Sub Publisher (`roles/pubsub.publisher`) on the Pub/Sub topic used for testing
 
 More information can be found in the [Secret Manager Docs](https://cloud.google.com/secret-manager/docs/access-control)

secretmanager/src/main/java/secretmanager/CreateSecretWithRotation.java

@@ -0,0 +1,95 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_create_secret_with_rotation]
+import com.google.cloud.secretmanager.v1.ProjectName;
+import com.google.cloud.secretmanager.v1.Replication;
+import com.google.cloud.secretmanager.v1.Rotation;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.Topic;
+import com.google.protobuf.Duration;
+import com.google.protobuf.Timestamp;
+import java.io.IOException;
+import java.time.Instant;
+
+public class CreateSecretWithRotation {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to create
+    String secretId = "your-secret-id";
+    // This is the rotation period in seconds (e.g., 2592000 for 30 days)
+    long rotationPeriodSeconds = 2592000;
+    // This is the topic name in the format projects/PROJECT_ID/topics/TOPIC_ID
+    String topicName = "projects/your-project-id/topics/your-topic-id";
+    createSecretWithRotation(projectId, secretId, rotationPeriodSeconds, topicName);
+  }
+
+  // Create a new secret with automatic rotation.
+  public static Secret createSecretWithRotation(
+      String projectId, String secretId, long rotationPeriodSeconds, String topicName) 
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the "close" method on the client to safely clean up any remaining background resources.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the parent name from the project.
+      ProjectName projectName = ProjectName.of(projectId);
+
+      // Calculate the next rotation time.
+      Instant nextRotationTime = Instant.now().plusSeconds(rotationPeriodSeconds);
+      Timestamp nextRotationTimestamp = Timestamp.newBuilder()
+          .setSeconds(nextRotationTime.getEpochSecond())
+          .setNanos(nextRotationTime.getNano())
+          .build();
+
+      // Build the rotation policy.
+      Rotation rotation = Rotation.newBuilder()
+          .setNextRotationTime(nextRotationTimestamp)
+          .setRotationPeriod(Duration.newBuilder().setSeconds(rotationPeriodSeconds).build())
+          .build();
+
+      // Build the topic for rotation notifications.
+      Topic topic = Topic.newBuilder()
+          .setName(topicName)
+          .build();
+
+      // Build the secret to create with rotation and topic.
+      Secret secret =
+          Secret.newBuilder()
+              .setReplication(
+                  Replication.newBuilder()
+                      .setAutomatic(Replication.Automatic.newBuilder().build())
+                      .build())
+              .setRotation(rotation)
+              .addTopics(topic)
+              .build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(projectName, secretId, secret);
+      System.out.printf("Created secret %s with rotation\n", createdSecret.getName());
+
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_secret_with_rotation]

secretmanager/src/main/java/secretmanager/CreateSecretWithTopic.java

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_create_secret_with_topic]
+import com.google.cloud.secretmanager.v1.ProjectName;
+import com.google.cloud.secretmanager.v1.Replication;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.Topic;
+import java.io.IOException;
+
+public class CreateSecretWithTopic {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to create
+    String secretId = "your-secret-id";
+    // This is the topic name in the format projects/PROJECT_ID/topics/TOPIC_ID
+    String topicName = "projects/your-project-id/topics/your-topic-id";
+    createSecretWithTopic(projectId, secretId, topicName);
+  }
+
+  // Create a new secret with a Pub/Sub topic for notifications.
+  public static Secret createSecretWithTopic(
+      String projectId, String secretId, String topicName) throws IOException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the "close" method on the client to safely clean up any remaining background resources.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the parent name from the project.
+      ProjectName projectName = ProjectName.of(projectId);
+
+      // Build the topic.
+      Topic topic = Topic.newBuilder()
+          .setName(topicName)
+          .build();
+
+      // Build the secret to create with topic.
+      Secret secret =
+          Secret.newBuilder()
+              .setReplication(
+                  Replication.newBuilder()
+                      .setAutomatic(Replication.Automatic.newBuilder().build())
+                      .build())
+              .addTopics(topic)
+              .build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(projectName, secretId, secret);
+      System.out.printf("Created secret %s with topic\n", createdSecret.getName());
+
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_secret_with_topic]

secretmanager/src/main/java/secretmanager/DeleteSecretRotation.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_delete_secret_rotation]
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.SecretName;
+import com.google.protobuf.FieldMask;
+import com.google.protobuf.util.FieldMaskUtil;
+import java.io.IOException;
+
+public class DeleteSecretRotation {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to update
+    String secretId = "your-secret-id";
+    deleteSecretRotation(projectId, secretId);
+  }
+
+  // Delete the rotation policy from an existing secret.
+  public static Secret deleteSecretRotation(String projectId, String secretId) 
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the "close" method on the client to safely clean up any remaining background resources.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the secret name.
+      SecretName secretName = SecretName.of(projectId, secretId);
+
+      // Build the updated secret without rotation.
+      Secret secret =
+          Secret.newBuilder()
+              .setName(secretName.toString())
+              .build();
+
+      // Build the field mask to clear the rotation.
+      FieldMask fieldMask = FieldMaskUtil.fromString("rotation");
+
+      // Update the secret to remove rotation.
+      Secret updatedSecret = client.updateSecret(secret, fieldMask);
+      System.out.printf("Deleted rotation from secret %s\n", updatedSecret.getName());
+
+      return updatedSecret;
+    }
+  }
+}
+// [END secretmanager_delete_secret_rotation]

secretmanager/src/main/java/secretmanager/UpdateSecretRotation.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_update_secret_rotation]
+import com.google.cloud.secretmanager.v1.Rotation;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.SecretName;
+import com.google.cloud.secretmanager.v1.Topic;
+import com.google.protobuf.Duration;
+import com.google.protobuf.FieldMask;
+import com.google.protobuf.Timestamp;
+import com.google.protobuf.util.FieldMaskUtil;
+import java.io.IOException;
+import java.time.Instant;
+
+public class UpdateSecretRotation {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to update
+    String secretId = "your-secret-id";
+    // This is the rotation period in seconds (e.g., 2592000 for 30 days)
+    long rotationPeriodSeconds = 2592000;
+    // This is the topic name in the format projects/PROJECT_ID/topics/TOPIC_ID
+    String topicName = "projects/your-project-id/topics/your-topic-id";
+    updateSecretRotation(projectId, secretId, rotationPeriodSeconds, topicName);
+  }
+
+  // Update an existing secret with a new rotation policy.
+  public static Secret updateSecretRotation(
+      String projectId, String secretId, long rotationPeriodSeconds, String topicName) 
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the "close" method on the client to safely clean up any remaining background resources.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the secret name.
+      SecretName secretName = SecretName.of(projectId, secretId);
+
+      // Calculate the next rotation time.
+      Instant nextRotationTime = Instant.now().plusSeconds(rotationPeriodSeconds);
+      Timestamp nextRotationTimestamp = Timestamp.newBuilder()
+          .setSeconds(nextRotationTime.getEpochSecond())
+          .setNanos(nextRotationTime.getNano())
+          .build();
+
+      // Build the rotation policy.
+      Rotation rotation = Rotation.newBuilder()
+          .setNextRotationTime(nextRotationTimestamp)
+          .setRotationPeriod(Duration.newBuilder().setSeconds(rotationPeriodSeconds).build())
+          .build();
+
+      // Build the topic for rotation notifications.
+      Topic topic = Topic.newBuilder()
+          .setName(topicName)
+          .build();
+
+      // Build the updated secret with new rotation policy and topic.
+      Secret secret =
+          Secret.newBuilder()
+              .setName(secretName.toString())
+              .setRotation(rotation)
+              .addTopics(topic)
+              .build();
+
+      // Build the field mask to update rotation and topics.
+      FieldMask fieldMask = FieldMaskUtil.fromString("rotation,topics");
+
+      // Update the secret.
+      Secret updatedSecret = client.updateSecret(secret, fieldMask);
+      System.out.printf("Updated secret %s with new rotation policy\n", updatedSecret.getName());
+
+      return updatedSecret;
+    }
+  }
+}
+// [END secretmanager_update_secret_rotation]