
chore(secretmanager): Add samples for deleting secret annotations and updating annotation and label args #13511


Open
wants to merge 8 commits into
base: main
2 changes: 1 addition & 1 deletion secretmanager/snippets/create_secret_with_annotations.py
Expand Up @@ -74,5 +74,5 @@ def create_secret_with_annotations(
)
args = parser.parse_args()

annotations = {args.annotation_key, args.annotation_value}
annotations = {args.annotation_key: args.annotation_value}
create_secret_with_annotations(args.project_id, args.secret_id, annotations)
2 changes: 1 addition & 1 deletion secretmanager/snippets/create_secret_with_labels.py
Expand Up @@ -70,5 +70,5 @@ def create_secret_with_labels(
parser.add_argument("label_value", help="value of the label you want to add")
args = parser.parse_args()

labels = {args.label_key, args.label_value}
labels = {args.label_key: args.label_value}
create_secret_with_labels(args.project_id, args.secret_id, labels)
2 changes: 1 addition & 1 deletion secretmanager/snippets/create_update_secret_label.py
Expand Up @@ -69,5 +69,5 @@ def create_update_secret_label(
parser.add_argument("label_value", help="value of the label to be added/updated")
args = parser.parse_args()

labels = {args.label_key, args.label_value}
labels = {args.label_key: args.label_value}
create_update_secret_label(args.project_id, args.secret_id, labels)
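--- a/secretmanager/snippets/delete_secret_annotation.py
+++ b/secretmanager/snippets/delete_secret_annotation.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python
+
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+
+# [START secretmanager_delete_secret_annotation]
+import argparse
+
+# Import the Secret Manager client library.
+from google.cloud import secretmanager
+
+
+def delete_secret_annotation(
+project_id: str, secret_id: str, annotation_key: str
+) -> secretmanager.Secret:
+"""
+Delete a annotation on an existing secret.
+"""
+
+# Create the Secret Manager client.
+client = secretmanager.SecretManagerServiceClient()
+
+# Build the resource name of the secret.
+name = client.secret_path(project_id, secret_id)
+
+# Get the secret.
+response = client.get_secret(request={"name": name})
+
+annotations = response.annotations
+
+# Delete the annotation
+annotations.pop(annotation_key, None)
+
+# Update the secret.
+secret = {"name": name, "annotations": annotations}
+update_mask = {"paths": ["annotations"]}
+response = client.update_secret(
+request={"secret": secret, "update_mask": update_mask}
+)
+
+# Print the new secret name.
+print(f"Updated secret: {response.name}")
+
+return response
+
+
+# [END secretmanager_delete_secret_annotation]
+
+if __name__ == "__main__":
+parser = argparse.ArgumentParser(
+description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
+)
+parser.add_argument("project_id", help="id of the GCP project")
+parser.add_argument("secret_id", help="id of the secret to act on")
+parser.add_argument("annotation_key", help="key of the annotation to be deleted")
+args = parser.parse_args()
+
+delete_secret_annotation(args.project_id, args.secret_id, args.annotation_key)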
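Review bot: The get-then-update sequence in `delete_secret_annotation` is an unguarded read-modify-write: the whole annotations map returned by `get_secret` is written back by `update_secret`, so an annotation added or changed by another writer in between is silently overwritten. Passing the etag of the fetched secret should make the update conditional, e.g. `secret = {"name": name, "annotations": annotations, "etag": response.etag}`. The same pattern appears in `delete_regional_secret_annotation` further down the page. Separately, `annotations.pop(annotation_key, None)` means a key that was never present still ends in "Updated secret", so a short comment or an explicit check would make that case visible to whoever copies the sample.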
2 changes: 1 addition & 1 deletion secretmanager/snippets/edit_secret_annotations.py
Expand Up @@ -73,5 +73,5 @@ def edit_secret_annotations(
)
args = parser.parse_args()

annotations = {args.annotation_key, args.annotation_value}
annotations = {args.annotation_key: args.annotation_value}
edit_secret_annotations(args.project_id, args.secret_id, annotations)
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ def create_regional_secret_with_annotations(
)
args = parser.parse_args()

annotations = {args.annotation_key, args.annotation_value}
annotations = {args.annotation_key: args.annotation_value}
create_regional_secret_with_annotations(
args.project_id, args.location_id, args.secret_id, annotations
)
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ def create_regional_secret_with_labels(
parser.add_argument("label_value", help="value of the label you want to add")
args = parser.parse_args()

labels = {args.label_key, args.label_value}
labels = {args.label_key: args.label_value}
create_regional_secret_with_labels(
args.project_id, args.location_id, args.secret_id, labels
)
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
#!/usr/bin/env python

# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and

# [START secretmanager_delete_regional_secret_annotation]
import argparse

# Import the Secret Manager client library.
from google.cloud import secretmanager_v1


def delete_regional_secret_annotation(
project_id: str, location_id: str, secret_id: str, annotation_key: str
) -> secretmanager_v1.Secret:
"""
Delete a annotation on an existing secret.
"""

# Endpoint to call the regional Secret Manager API.
api_endpoint = f"secretmanager.{location_id}.rep.googleapis.com"

# Create the Secret Manager client.
client = secretmanager_v1.SecretManagerServiceClient(
client_options={"api_endpoint": api_endpoint},
)

# Build the resource name of the parent secret.
name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}"

# Get the secret.
response = client.get_secret(request={"name": name})

annotations = response.annotations

# Delete the annotation
annotations.pop(annotation_key, None)

# Update the secret.
secret = {"name": name, "annotations": annotations}
update_mask = {"paths": ["annotations"]}
response = client.update_secret(
request={"secret": secret, "update_mask": update_mask}
)

# Print the new secret name.
print(f"Updated secret: {response.name}")

return response


# [END secretmanager_delete_regional_secret_annotation]

if __name__ == "__main__":
parser = argparse.ArgumentParser(
description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter
)
parser.add_argument("project_id", help="id of the GCP project")
parser.add_argument(
"location_id", help="id of the location where secret is to be created"
)
parser.add_argument("secret_id", help="id of the secret to act on")
parser.add_argument("annotation_key", help="key of the annotation to be deleted")
args = parser.parse_args()

delete_regional_secret_annotation(
args.project_id, args.location_id, args.secret_id, args.annotation_key
)
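Review bot: `location_id` is interpolated directly into the API endpoint hostname (`secretmanager.{location_id}.rep.googleapis.com`) and into the resource name with no validation. On the command line that is the operator's own input, but samples like this are often copied into services where the value comes from configuration or a request, and the client would presumably present its credentials to whatever host the string resolves to. A comment advising that the value be checked against a known list of regions (or a strict pattern) before the endpoint is built would be a useful caveat. Also, the `location_id` help text reads `"id of the location where secret is to be created"`, which looks carried over from a create sample; `"id of the location where the secret is stored"` fits this file.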
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ def edit_regional_secret_annotations(
)
args = parser.parse_args()

annotations = {args.annotation_key, args.annotation_value}
annotations = {args.annotation_key: args.annotation_value}
edit_regional_secret_annotations(
args.project_id, args.location_id, args.secret_id, annotations
)
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ def edit_regional_secret_label(
parser.add_argument("label_value", help="value of the label to be added/updated")
args = parser.parse_args()

labels = {args.label_key, args.label_value}
labels = {args.label_key: args.label_value}
edit_regional_secret_label(
args.project_id, args.location_id, args.secret_id, labels
)
19 changes: 19 additions & 0 deletions secretmanager/snippets/regional_samples/snippets_test.py
Expand Up @@ -32,6 +32,7 @@
from regional_samples import create_regional_secret_with_labels
from regional_samples import create_regional_secret_with_tags
from regional_samples import delete_regional_secret
from regional_samples import delete_regional_secret_annotation
from regional_samples import delete_regional_secret_label
from regional_samples import delete_regional_secret_with_etag
from regional_samples import destroy_regional_secret_version
Expand Down Expand Up @@ -469,6 +470,24 @@ def test_create_regional_secret_with_label(
assert secret_id in secret.name


def test_delete_regional_secret_annotation(
Contributor


Can we add some asserts in the tests

Contributor Author


I followed the pattern of the other delete test cases, which is why it was missing. I've added the necessary assertion to the tests.


The assert statement doesn't verify the functionality of the sample; we should assert on the operation that was performed.
Here you could have verified that, after deleting the secret annotation, it should be null. Please update all other places similarly.

Contributor Author


I've updated the assertion to reflect the intended functionality of the sample.

regional_client: secretmanager_v1.SecretManagerServiceClient,
project_id: str,
location_id: str,
regional_secret: Tuple[str, str],
annotation_key: str,
) -> None:
secret_id, _ = regional_secret
delete_regional_secret_annotation.delete_regional_secret_annotation(
project_id, location_id, secret_id, annotation_key
)
with pytest.raises(exceptions.NotFound):
name = f"projects/{project_id}/locations/{location_id}/secrets/{secret_id}/versions/latest"
retry_client_access_regional_secret_version(
regional_client, request={"name": name}
)


def test_delete_regional_secret_labels(
regional_client: secretmanager_v1.SecretManagerServiceClient,
project_id: str,
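Review bot: `test_delete_regional_secret_annotation` never establishes that `annotation_key` is present on the secret before the sample runs, so a check made after the call can pass even if the sample changed nothing. The fixtures are defined outside this hunk, so whether `regional_secret` is created with that annotation cannot be confirmed from here. Because the sample uses `annotations.pop(annotation_key, None)`, a missing key raises nothing either. Fetching the secret first and asserting `annotation_key in secret.annotations` before the delete call would pin the precondition; the same applies to `test_delete_secret_annotation` in `secretmanager/snippets/snippets_test.py`.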
14 changes: 14 additions & 0 deletions secretmanager/snippets/snippets_test.py
Expand Up @@ -37,6 +37,7 @@
from create_secret_with_user_managed_replication import create_ummr_secret
from create_update_secret_label import create_update_secret_label
from delete_secret import delete_secret
from delete_secret_annotation import delete_secret_annotation
from delete_secret_label import delete_secret_label
from delete_secret_with_etag import delete_secret_with_etag
from destroy_secret_version import destroy_secret_version
Expand Down Expand Up @@ -485,6 +486,19 @@ def test_delete_secret(
retry_client_access_secret_version(client, request={"name": name})


def test_delete_secret_annotation(
client: secretmanager.SecretManagerServiceClient,
secret: Tuple[str, str, str],
annotation_key: str,
) -> None:
project_id, secret_id, _ = secret
delete_secret_annotation(project_id, secret_id, annotation_key)
with pytest.raises(exceptions.NotFound):
print(f"{client}")
name = f"projects/{project_id}/secrets/{secret_id}/versions/latest"
retry_client_access_secret_version(client, request={"name": name})
Contributor


critical

This test has a critical logical flaw. Deleting an annotation does not affect the secret or its versions, so checking for exceptions.NotFound when accessing a version is incorrect. The test currently passes only because the secret fixture doesn't create a version, so access_secret_version with the 'latest' alias fails.

The test should be updated to verify that the annotation is removed from the secret.

# Verify the annotation was deleted.
    secret_name = client.secret_path(project_id, secret_id)
    updated_secret = client.get_secret(request={"name": secret_name})
    assert annotation_key not in updated_secret.annotations


@durgesh-ninave-crest can you please update, this was not addressed and we have marked this as resolved. Please add an assert statement to verify that the annotations were removed!

Contributor Author


I've already added an assertion.



def test_delete_secret_labels(
client: secretmanager.SecretManagerServiceClient,
secret: Tuple[str, str, str],
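Review bot: `print(f"{client}")` inside the `pytest.raises` block of `test_delete_secret_annotation` looks like leftover debugging output and should be removed. It also puts an unrelated statement inside the block whose exception is being asserted, which obscures which call the test is about. Keeping only the call expected to raise inside `with pytest.raises(...)` avoids that.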