GoogleCloudPlatform · dhavalbhensdadiya-crest · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 22, 2026
@@ -12,21 +12,28 @@ the Secret Manager API using the Google Java API Client Libraries.
 
 ### Enable the API
 
-You must [enable the Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com) for your project in order to use these samples
+You must enable the [Secret Manager API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com), [Cloud KMS API](https://console.cloud.google.com/flows/enableapi?apiid=cloudkms.googleapis.com) and [Pub/Sub API](https://console.cloud.google.com/flows/enableapi?apiid=pubsub.googleapis.com) for your project in order to use these samples
 
 ### Set Environment Variables
 
-You must set your project ID in order to run the tests
+You must set your project ID, KMS Keys (Global and Regional), and Pub/Sub Topic in order to run the tests
 
 ```text
 $ export GOOGLE_CLOUD_PROJECT=<your-project-id-here>
+$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)
-$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)
+$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region must match the location of regional secrets)
-$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region same as location)
+$ export GOOGLE_CLOUD_REGIONAL_KMS_KEY=<full-name-of-regional-kms-key> (region must match the location of regional secrets)
+$ export GOOGLE_CLOUD_KMS_KEY=<full-name-of-global-kms-key>
+$ export GOOGLE_CLOUD_PUBSUB_TOPIC=<full-name-of-pubsub-topic>
 ```
 
+The Pub/Sub topic should be in the format `projects/PROJECT_ID/topics/TOPIC_ID` and is used for testing secret notifications.
+
 ### Grant Permissions
 
 You must ensure that the [user account or service account](https://cloud.google.com/iam/docs/service-accounts#differences_between_a_service_account_and_a_user_account) you used to authorize your gcloud session has the proper permissions to edit Secret Manager resources for your project. In the Cloud Console under IAM, add the following roles to the project whose service account you're using to test:
 
 * Secret Manager Admin (`roles/secretmanager.admin`)
 * Secret Manager Secret Accessor (`roles/secretmanager.secretAccessor`)
+* Cloud KMS Encrypter / Decrypter (`roles/cloudkms.cryptoKeyEncrypterDecrypter`) on the regional and global KMS key used for testing
+* Pub/Sub Publisher (`roles/pubsub.publisher`) on the Pub/Sub topic used for testing
 
 More information can be found in the [Secret Manager Docs](https://cloud.google.com/secret-manager/docs/access-control)
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_bind_secret_tag]
+import com.google.cloud.resourcemanager.v3.CreateTagBindingRequest;
+import com.google.cloud.resourcemanager.v3.TagBinding;
+import com.google.cloud.resourcemanager.v3.TagBindingsClient;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+
+public class BindSecretTag {
+
+  public static void main(String[] args) throws Exception {
+    // TODO(developer): replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    // Tag value to bind, e.g. "tagValues/123"
+    String tagValueName = "your-tag-value";
+
+    bindSecretTag(projectId, secretId, tagValueName);
+  }
+
+  // Bind a TagValue to a Secret by creating a TagBinding.
+  public static TagBinding bindSecretTag(String projectId, String secretId, String tagValueName)
+      throws IOException, InterruptedException, ExecutionException {
+
+    String parent = String.format("//secretmanager.googleapis.com/projects/%s/secrets/%s",
+        projectId, secretId);
+
+    try (TagBindingsClient tagBindingsClient = TagBindingsClient.create()) {
+      TagBinding tagBinding = TagBinding.newBuilder()
+          .setTagValue(tagValueName)
+          .setParent(parent)
+          .build();
+
+      CreateTagBindingRequest request = CreateTagBindingRequest.newBuilder()
+          .setTagBinding(tagBinding)
+          .build();
+
+      TagBinding created = tagBindingsClient.createTagBindingAsync(request).get();
+      System.out.printf("Created TagBinding: %s\n", created.getName());
+      return created;
+    }
+  }
+}
+// [END secretmanager_bind_secret_tag]
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_create_secret_with_cmek]
+import com.google.cloud.secretmanager.v1.CustomerManagedEncryption;
+import com.google.cloud.secretmanager.v1.ProjectName;
+import com.google.cloud.secretmanager.v1.Replication;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import java.io.IOException;
+
+public class CreateSecretWithCmek {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to act on
+    String secretId = "your-secret-id";
+    // This is the Full kms key name to be used for Cmek.
+    String kmsKeyName = "your-kms-key-name";
+    createSecretWithCmek(projectId, secretId, kmsKeyName);
+  }
+
+  // Create a secret with a customer-managed encryption key (CMEK).
+  public static Secret createSecretWithCmek(String projectId, String secretId, String kmsKeyName)
+      throws IOException {
+
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+
+      // Build the secret name.
+      ProjectName projectName = ProjectName.of(projectId);
+
+      // Build the Cmek configuration.
+      CustomerManagedEncryption customerManagedEncryption =
+          CustomerManagedEncryption.newBuilder().setKmsKeyName(kmsKeyName).build();
+
+      // Build the replication using Cmek.
+      Replication secretReplication =
+          Replication.newBuilder()
+              .setAutomatic(
+                  Replication.Automatic.newBuilder()
+                      .setCustomerManagedEncryption(customerManagedEncryption)
+                      .build())
+              .build();
+
+      // Build the secret to create with the replication policy.
+      Secret secret = Secret.newBuilder().setReplication(secretReplication).build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(projectName, secretId, secret);
+      System.out.printf("Created secret %s\n", createdSecret.getName());
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_secret_with_cmek]
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_create_secret_with_expiration]
+import com.google.cloud.secretmanager.v1.ProjectName;
+import com.google.cloud.secretmanager.v1.Replication;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.protobuf.Timestamp;
+import java.io.IOException;
+import java.time.Instant;
+
+public class CreateSecretWithExpiration {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to create
+    String secretId = "your-secret-id";
+    // This is the time in seconds from now when the secret will expire
+    long expireTimeSeconds = 86400; // 24 hours
+    createSecretWithExpiration(projectId, secretId, expireTimeSeconds);
+  }
+
+  // Create a new secret with an expiration time.
+  public static Secret createSecretWithExpiration(
+      String projectId, String secretId, long expireTimeSeconds) throws IOException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the "close" method on the client to safely clean up any remaining background resources.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the parent name from the project.
+      ProjectName projectName = ProjectName.of(projectId);
+
+      // Calculate the expiration time.
+      Instant expireTime = Instant.now().plusSeconds(expireTimeSeconds);
+      Timestamp expireTimestamp = Timestamp.newBuilder()
+          .setSeconds(expireTime.getEpochSecond())
+          .setNanos(expireTime.getNano())
+          .build();
+
+      // Build the secret to create with expiration time.
+      Secret secret =
+          Secret.newBuilder()
+              .setReplication(
+                  Replication.newBuilder()
+                      .setAutomatic(Replication.Automatic.newBuilder().build())
+                      .build())
+              .setExpireTime(expireTimestamp)
+              .build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(projectName, secretId, secret);
+      System.out.printf("Created secret %s with expire time\n", createdSecret.getName());
+
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_secret_with_expiration]
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package secretmanager;
+
+// [START secretmanager_create_secret_with_rotation]
+import com.google.cloud.secretmanager.v1.ProjectName;
+import com.google.cloud.secretmanager.v1.Replication;
+import com.google.cloud.secretmanager.v1.Rotation;
+import com.google.cloud.secretmanager.v1.Secret;
+import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
+import com.google.cloud.secretmanager.v1.Topic;
+import com.google.protobuf.Duration;
+import com.google.protobuf.Timestamp;
+import java.io.IOException;
+import java.time.Instant;
+
+public class CreateSecretWithRotation {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+
+    // This is the id of the GCP project
+    String projectId = "your-project-id";
+    // This is the id of the secret to create
+    String secretId = "your-secret-id";
+    // This is the rotation period in seconds (e.g., 2592000 for 30 days)
+    long rotationPeriodSeconds = 2592000;
+    // This is the topic name in the format projects/PROJECT_ID/topics/TOPIC_ID
+    String topicName = "projects/your-project-id/topics/your-topic-id";
+    createSecretWithRotation(projectId, secretId, rotationPeriodSeconds, topicName);
+  }
+
+  // Create a new secret with automatic rotation.
+  public static Secret createSecretWithRotation(
+      String projectId, String secretId, long rotationPeriodSeconds, String topicName) 
+      throws IOException {
+    // Initialize client that will be used to send requests. This client only needs to be created
+    // once, and can be reused for multiple requests. After completing all of your requests, call
+    // the "close" method on the client to safely clean up any remaining background resources.
+    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
+      // Build the parent name from the project.
+      ProjectName projectName = ProjectName.of(projectId);
+
+      // Calculate the next rotation time.
+      Instant nextRotationTime = Instant.now().plusSeconds(rotationPeriodSeconds);
+      Timestamp nextRotationTimestamp = Timestamp.newBuilder()
+          .setSeconds(nextRotationTime.getEpochSecond())
+          .setNanos(nextRotationTime.getNano())
+          .build();
+
+      // Build the rotation policy.
+      Rotation rotation = Rotation.newBuilder()
+          .setNextRotationTime(nextRotationTimestamp)
+          .setRotationPeriod(Duration.newBuilder().setSeconds(rotationPeriodSeconds).build())
+          .build();
+
+      // Build the topic for rotation notifications.
+      Topic topic = Topic.newBuilder()
+          .setName(topicName)
+          .build();
+
+      // Build the secret to create with rotation and topic.
+      Secret secret =
+          Secret.newBuilder()
+              .setReplication(
+                  Replication.newBuilder()
+                      .setAutomatic(Replication.Automatic.newBuilder().build())
+                      .build())
+              .setRotation(rotation)
+              .addTopics(topic)
+              .build();
+
+      // Create the secret.
+      Secret createdSecret = client.createSecret(projectName, secretId, secret);
+      System.out.printf("Created secret %s with rotation\n", createdSecret.getName());
+
+      return createdSecret;
+    }
+  }
+}
+// [END secretmanager_create_secret_with_rotation]