GoogleCloudPlatform · dhavalbhensdadiya-crest · Jan 27, 2026 · Jan 29, 2026 · Jan 27, 2026 · Jan 29, 2026
@@ -14,7 +14,13 @@ This simple command-line application demonstrates how to invoke
 
 1.  **Enable APIs** - [Enable the Secret Manager
     API](https://console.cloud.google.com/flows/enableapi?apiid=secretmanager.googleapis.com)
-    and create a new project or select an existing project.
+    and create a new project or select an existing project. To run the rotation tests, you will need to [Create a Pub/Sub topic](https://cloud.google.com/pubsub/docs/create-topic). CMEK related test cases need separate [KMS key](https://cloud.google.com/kms/docs/create-key) for global and regional tests.
+
+    Set the following environment variables:
+
+    - GOOGLE_CLOUD_PUBSUB_TOPIC - Full name of topic (projects/{project}/topics/{topic}).
+    - GOOGLE_CLOUD_KMS_KEY - Full name of global KMS key (projects/{project}/locations/global/keyRings/{keyring}/cryptoKeys/{key}).
+    - GOOGLE_CLOUD_REGIONAL_KMS_KEY - Full name of regional KMS key (projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}).
 
 1.  **Download The Credentials** - Click "Go to credentials" after enabling the
     APIs. Click "New Credentials" and select "Service Account Key". Create a new

@@ -0,0 +1,67 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/secretmanager/README.md
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\SecretManager;
+
+// [START secretmanager_create_regional_secret_with_cmek]
+use Google\Cloud\SecretManager\V1\CreateSecretRequest;
+use Google\Cloud\SecretManager\V1\CustomerManagedEncryption;
+use Google\Cloud\SecretManager\V1\Secret;
+use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
+
+/**
+ * Create a regional secret that uses a customer-managed encryption key (CMEK).
+ *
+ * @param string $projectId Google Cloud project id (e.g. 'my-project-id')
+ * @param string $locationId Secret location (e.g. 'us-central1')
+ * @param string $secretId Id for the new secret (e.g. 'my-secret-id')
+ * @param string $kmsKeyName Full KMS key resource name (e.g. 'projects/my-project/locations/us-central1/keyRings/my-kr/cryptoKeys/my-key')
+ */
+function create_regional_secret_with_cmek(string $projectId, string $locationId, string $secretId, string $kmsKeyName): void
+{
+    $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];
+    $client = new SecretManagerServiceClient($options);
+
+    $parent = $client->locationName($projectId, $locationId);
+
+    $cmek = new CustomerManagedEncryption([
+        'kms_key_name' => $kmsKeyName,
+    ]);
+
+    $secret = new Secret([
+        'customer_managed_encryption' => $cmek
+    ]);
+
+    $request = CreateSecretRequest::build($parent, $secretId, $secret);
+
+    $created = $client->createSecret($request);
+
+    printf('Created secret %s with CMEK %s%s', $created->getName(), $kmsKeyName, PHP_EOL);
+}
+// [END secretmanager_create_regional_secret_with_cmek]
+
+// The following 2 lines are only needed to execute the samples on the CLI
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -0,0 +1,69 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/secretmanager/README.md
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\SecretManager;
+
+// [START secretmanager_create_regional_secret_with_expiration]
+use Google\Cloud\SecretManager\V1\CreateSecretRequest;
+use Google\Cloud\SecretManager\V1\Secret;
+use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
+use Google\Protobuf\Duration;
+
+/**
+ * Create a regional secret with expiration TTL.
+ *
+ * @param string $projectId Google Cloud project id (e.g. 'my-project')
+ * @param string $locationId Secret location (e.g. 'us-central1')
+ * @param string $secretId Id for the new secret (e.g. 'my-secret')
+ */
+function create_regional_secret_with_expiration(string $projectId, string $locationId, string $secretId): void
+{
+    // Create the Secret Manager Regional client.
+    $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];
+    $client = new SecretManagerServiceClient($options);
+
+    // Build the resource name of the parent project.
+    $parent = $client->locationName($projectId, $locationId);
+
+    $duration = new Duration();
+    $duration->setSeconds(3600); // 1 hour TTL in seconds
+
+    $secret = new Secret();
+    $secret->setTtl($duration);
+
+    // Build the request.
+    $request = CreateSecretRequest::build($parent, $secretId, $secret);
+
+    // Create the secret.
+    $newSecret = $client->createSecret($request);
+
+    // Print the new secret name.
+    printf('Created secret: %s%s', $newSecret->getName(), PHP_EOL);
+}
+// [END secretmanager_create_regional_secret_with_expiration]
+
+// The following 2 lines are only needed to execute the samples on the CLI
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -0,0 +1,75 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/secretmanager/README.md
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\SecretManager;
+
+// [START secretmanager_create_regional_secret_with_rotation]
+use Google\Cloud\SecretManager\V1\CreateSecretRequest;
+use Google\Cloud\SecretManager\V1\Secret;
+use Google\Cloud\SecretManager\V1\Rotation;
+use Google\Cloud\SecretManager\V1\Topic;
+use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
+use Google\Protobuf\Timestamp;
+use Google\Protobuf\Duration;
+
+/**
+ * Create a regional secret with a rotation policy.
+ *
+ * @param string $projectId Your Google Cloud Project ID (e.g. 'my-project')
+ * @param string $locationId Secret location (e.g. 'us-central1')
+ * @param string $secretId  Your secret ID (e.g. 'my-secret')
+ * @param string $topicName Full Pub/Sub topic name (projects/{project}/topics/{topic})
+ */
+function create_regional_secret_with_rotation(string $projectId, string $locationId, string $secretId, string $topicName): void
+{
+    $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];
+    $client = new SecretManagerServiceClient($options);
+
+    $parent = $client->locationName($projectId, $locationId);
+
+    $nextRotationTimeSeconds = time() + 7200; // 2 hours
+    $rotationPeriodSeconds = 3600; // 1 hour
+
+    $rotation = new Rotation([
+        'next_rotation_time' => new Timestamp(['seconds' => $nextRotationTimeSeconds]),
+        'rotation_period' => new Duration(['seconds' => $rotationPeriodSeconds]),
+    ]);
+
+    $secret = new Secret([
+        'rotation' => $rotation,
+        'topics' => [new Topic(['name' => $topicName])],
+    ]);
+
+    $request = CreateSecretRequest::build($parent, $secretId, $secret);
+
+    $newSecret = $client->createSecret($request);
+
+    printf('Created secret %s with rotation%s', $newSecret->getName(), PHP_EOL);
+}
+// [END secretmanager_create_regional_secret_with_rotation]
+
+// The following 2 lines are only needed to execute the samples on the CLI
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -0,0 +1,65 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/secretmanager/README.md
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\SecretManager;
+
+// [START secretmanager_create_regional_secret_with_topic]
+use Google\Cloud\SecretManager\V1\CreateSecretRequest;
+use Google\Cloud\SecretManager\V1\Secret;
+use Google\Cloud\SecretManager\V1\Topic;
+use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
+
+/**
+ * Create a regional secret and associate it with a Pub/Sub topic.
+ *
+ * @param string $projectId Google Cloud project id (e.g. 'my-project')
+ * @param string $locationId Secret location (e.g. 'us-central1')
+ * @param string $secretId Id for the new secret (e.g. 'my-secret')
+ * @param string $topicName Full topic resource name (projects/{project}/topics/{topic})
+ */
+function create_regional_secret_with_topic(string $projectId, string $locationId, string $secretId, string $topicName): void
+{
+    $options = ['apiEndpoint' => "secretmanager.$locationId.rep.googleapis.com"];
+    $client = new SecretManagerServiceClient($options);
+
+    $parent = $client->locationName($projectId, $locationId);
+
+    $secret = new Secret([
+        'topics' => [new Topic(['name' => $topicName])],
+    ]);
+
+     // Build the request.
+    $request = CreateSecretRequest::build($parent, $secretId, $secret);
+
+    // Create the secret.
+    $created = $client->createSecret($request);
+
+    printf('Created secret %s with topic %s%s', $created->getName(), $topicName, PHP_EOL);
+}
+// [END secretmanager_create_regional_secret_with_topic]
+
+// The following 2 lines are only needed to execute the samples on the CLI
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);
@@ -0,0 +1,71 @@
+<?php
+/*
+ * Copyright 2026 Google LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * For instructions on how to run the full sample:
+ *
+ * @see https://github.com/GoogleCloudPlatform/php-docs-samples/tree/main/secretmanager/README.md
+ */
+
+declare(strict_types=1);
+
+namespace Google\Cloud\Samples\SecretManager;
+
+// [START secretmanager_create_secret_with_cmek]
+use Google\Cloud\SecretManager\V1\CreateSecretRequest;
+use Google\Cloud\SecretManager\V1\Replication;
+use Google\Cloud\SecretManager\V1\Replication\Automatic;
+use Google\Cloud\SecretManager\V1\CustomerManagedEncryption;
+use Google\Cloud\SecretManager\V1\Secret;
+use Google\Cloud\SecretManager\V1\Client\SecretManagerServiceClient;
+
+/**
+ * Create a secret that uses a customer-managed encryption key (CMEK).
+ *
+ * @param string $projectId Google Cloud project id (e.g. 'my-project-id')
+ * @param string $secretId Id for the new secret (e.g. 'my-secret-id')
+ * @param string $kmsKeyName Full KMS key resource name (e.g. 'projects/my-project/locations/global/keyRings/my-kr/cryptoKeys/my-key')
+ */
+function create_secret_with_cmek(string $projectId, string $secretId, string $kmsKeyName): void
+{
+    $client = new SecretManagerServiceClient();
+
+    $parent = $client->projectName($projectId);
+
+    $cmek = new CustomerManagedEncryption([
+        'kms_key_name' => $kmsKeyName,
+    ]);
+
+    $secret = new Secret([
+        'replication' => new Replication([
+            'automatic' => new Automatic([
+                'customer_managed_encryption' => $cmek,
+            ]),
+        ]),
+    ]);
+
+    $request = CreateSecretRequest::build($parent, $secretId, $secret);
+
+    $created = $client->createSecret($request);
+
+    printf('Created secret %s with CMEK %s%s', $created->getName(), $kmsKeyName, PHP_EOL);
+}
+// [END secretmanager_create_secret_with_cmek]
+
+// The following 2 lines are only needed to execute the samples on the CLI
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);