Secret Manager — Store secrets safely
A vault for API keys, DB passwords, and JWT secrets. Versioned, IAM-controlled, mounted as env vars in Cloud Run or fetched at build time by Cloud Build.
Secret Manager stores binary blobs (up to 64 KiB) as versioned secrets with per-secret IAM. Versions are immutable; rotation means adding a new version. Access is via the gcloud CLI, the REST API, or language SDKs. All traffic is encrypted in transit; data is encrypted at rest with Google-managed keys (customer-managed keys, CMEK, optional).
Integration patterns: (a) Cloud Run env-var secret references, set at deploy time with `--set-secrets=DB_PASSWORD=projects/P/secrets/DB_PASSWORD:latest`; cheapest, but a new version is only picked up when the revision is redeployed; (b) runtime fetch via SDK, which supports rotation without redeploy but costs one API call plus the per-access charge on every fetch; (c) Cloud Build `availableSecrets` + `secretEnv`, which injects secrets at build time (signing keys, npm tokens).
IAM: the minimum role is roles/secretmanager.secretAccessor, granted on the specific secret rather than project-wide. Creating, updating, or deleting secrets needs roles/secretmanager.admin. Auditing is via Cloud Audit Logs; every access is logged.
Pricing: $0.06 per 10k active secret versions per month plus $0.03 per 10k access operations. A small app with 10 secrets costs cents. Beware of tight fetch-every-request loops; cache retrieved values in process memory.
Rotation: secrets do not auto-rotate. You wire Cloud Scheduler to a Cloud Function (or Pub/Sub) that generates a new version, updates the downstream service (the DB user's password, the API key), then disables the old version.
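Pattern (b) with the caching caveat from the pricing note, as an added example that is not from the Secret Manager docs or this page: a small in-process TTL cache around a runtime fetch, so a hot request path pays one access operation per TTL rather than per request, and a rotated `latest` version is picked up without a redeploy. `SecretCache`, `sdk_fetch`, `version_name` and the project/secret names are my own assumptions; the injected `fetch` callable lets the cache run offline, and `sdk_fetch` shows the real SDK call it would wrap.

```python
"""Runtime-fetch pattern with an in-process TTL cache (added example)."""
import time
from typing import Callable, Dict, Tuple


def version_name(project: str, secret: str, version: str = "latest") -> str:
    """Resource name of one secret version (project/secret names are placeholders)."""
    return f"projects/{project}/secrets/{secret}/versions/{version}"


class SecretCache:
    """Caches secret payloads per version name for `ttl` seconds.

    `fetch` is injected so the cache is testable offline; in production pass
    `sdk_fetch`. A failed refresh keeps serving the last good value so a
    transient API error does not take the service down with it."""

    def __init__(self, fetch: Callable[[str], bytes], ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._entries: Dict[str, Tuple[bytes, float]] = {}  # name -> (payload, expires_at)
        self.fetch_count = 0  # number of billed access operations actually made

    def get(self, name: str) -> bytes:
        now = self._clock()
        hit = self._entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                      # fresh cache hit: no API call
        try:
            payload = self._fetch(name)
            self.fetch_count += 1
        except Exception:
            if hit is None:
                raise                          # nothing cached: caller must handle
            payload = hit[0]                   # stale but last-known-good value
        self._entries[name] = (payload, now + self._ttl)
        return payload


def sdk_fetch(name: str) -> bytes:
    """Real fetcher: one billed access operation per call. Needs
    roles/secretmanager.secretAccessor on the secret and the
    google-cloud-secret-manager package (imported lazily so the cache above
    still runs without it). Reuse one client in a real service."""
    from google.cloud import secretmanager  # assumption: SDK installed
    client = secretmanager.SecretManagerServiceClient()
    return client.access_secret_version(request={"name": name}).payload.data
```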
Grounded on https://cloud.google.com/secret-manager/docs/overview