Dualo
GCP Essentials

Secret Manager — Store secrets safely

A vault for API keys, DB passwords, and JWT secrets. Versioned, IAM-controlled, mounted as env vars in Cloud Run or fetched at build time by Cloud Build.


Secret Manager is a safe where you put sensitive strings — API keys, database passwords, OAuth client secrets, Stripe keys. Instead of keeping them in .env files checked into git (NEVER do that), they live in GCP and your code fetches them at runtime.

Each secret has a name (DB_PASSWORD) and one or more versions. Need to rotate? You create v2 of the same secret; your app reads 'latest' and picks it up automatically (or you pin to v1 for stability and update the pin when ready).

Access is IAM-gated: only specific service accounts can read the secret. Even your own admin role doesn't see the value by default — you need the secretAccessor role (roles/secretmanager.secretAccessor) granted explicitly.

Cloud Run integration: you can mount a secret as an env var. Your app reads process.env.DB_PASSWORD like normal; under the hood Cloud Run pulled it from Secret Manager at startup.
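The whole lifecycle from the three paragraphs above (create and version the secret, grant one service account secretAccessor, mount it in Cloud Run, retire the old version after rotation) as a set of gcloud calls. This is an added example, not code from the original article or from Google's docs; the project id, service name, image and service account it uses are placeholders. Setting DRY_RUN=1 makes each function print the exact command instead of running it, so the sequence can be read and checked without a GCP project.

```shell
#!/bin/sh
# Added example: Secret Manager lifecycle for a Cloud Run service.
# All project ids, service names and accounts below are placeholders.

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# 1. Create the secret with its first version. The value is read from stdin
#    (--data-file=-) so it never shows up in argv or shell history.
create_secret() {            # create_secret PROJECT NAME < value
  run gcloud secrets create "$2" --project="$1" \
      --replication-policy=automatic --data-file=-
}

# 2. Rotation: add a new version. 'latest' now resolves to it, so a service
#    mounting NAME:latest picks it up on its next start; a pinned version does not.
add_version() {              # add_version PROJECT NAME < value
  run gcloud secrets versions add "$2" --project="$1" --data-file=-
}

# 3. IAM: grant secretAccessor on this one secret to the runtime service
#    account only (not project-wide, not to humans).
grant_accessor() {           # grant_accessor PROJECT NAME SERVICE_ACCOUNT
  run gcloud secrets add-iam-policy-binding "$2" --project="$1" \
      --member="serviceAccount:$3" \
      --role="roles/secretmanager.secretAccessor"
}

# 4. Cloud Run: expose the secret as the env var DB_PASSWORD. VERSION is
#    'latest' or a number such as '2' when you want to pin.
deploy_with_secret() {       # deploy_with_secret PROJECT SERVICE IMAGE SA NAME VERSION
  run gcloud run deploy "$2" --project="$1" --image="$3" \
      --service-account="$4" \
      --set-secrets="DB_PASSWORD=$5:$6"
}

# 5. Once the rotated version is live everywhere, disable the old one so any
#    leaked copy of it stops working.
disable_version() {          # disable_version PROJECT NAME VERSION
  run gcloud secrets versions disable "$3" --secret="$2" --project="$1"
}

# Demo sequence with placeholder values; only executed in dry-run mode so the
# script is safe to run as-is.
demo() {
  p=my-project
  sa=run-sa@my-project.iam.gserviceaccount.com
  printf '%s' 'placeholder-password-1' | create_secret "$p" DB_PASSWORD
  grant_accessor "$p" DB_PASSWORD "$sa"
  deploy_with_secret "$p" api gcr.io/my-project/api:1 "$sa" DB_PASSWORD latest
  printf '%s' 'placeholder-password-2' | add_version "$p" DB_PASSWORD
  deploy_with_secret "$p" api gcr.io/my-project/api:1 "$sa" DB_PASSWORD latest
  disable_version "$p" DB_PASSWORD 1
}

if [ "${DRY_RUN:-0}" = "1" ]; then
  demo
fi
```

Run it with `DRY_RUN=1 sh secrets.sh` to see the six commands; drop DRY_RUN once the placeholders are replaced. The deploy after `add_version` is there because Cloud Run resolves `latest` when a revision starts, not continuously, so a rotation needs a new revision (or a restart) to take effect.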

Alternatives (bad ones): .env files in git (never), hardcoded strings in source (never), baking them into the Docker image (never — they end up in the image layers forever, readable by anyone who can pull the image). Secret Manager is the right answer.

Grounded on https://cloud.google.com/secret-manager/docs/overview
