feat: add checksums in Secret Manager (#244)

Users can now use checksums for data integrity assurance when adding and
accessing SecretVersions.

------


- [ ] Regenerate this pull request now.

chore: use gapic-generator-python 0.62.1

fix: resolve DuplicateCredentialArgs error when using credentials_file

committer: parthea
PiperOrigin-RevId: 425964861

Source-Link: googleapis/googleapis@84b1a5a

Source-Link: googleapis/googleapis-gen@4fb761b
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiNGZiNzYxYmJkODUwNmFjMTU2ZjQ5YmFjNWYxODMwNmFhOGViM2FhOCJ9

packages/google-cloud-secret-manager/google/cloud/secretmanager_v1/services/secret_manager_service/async_client.py

@@ -262,7 +262,7 @@ async def list_secrets(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent])
         if request is not None and has_flattened_params:
@@ -368,7 +368,7 @@ async def create_secret(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent, secret_id, secret])
         if request is not None and has_flattened_params:
@@ -457,7 +457,7 @@ async def add_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent, payload])
         if request is not None and has_flattened_params:
@@ -537,7 +537,7 @@ async def get_secret(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -622,7 +622,7 @@ async def update_secret(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([secret, update_mask])
         if request is not None and has_flattened_params:
@@ -692,7 +692,7 @@ async def delete_secret(
                 sent along with the request as metadata.
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -770,7 +770,7 @@ async def list_secret_versions(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent])
         if request is not None and has_flattened_params:
@@ -857,7 +857,7 @@ async def get_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -939,7 +939,7 @@ async def access_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -1029,7 +1029,7 @@ async def disable_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -1109,7 +1109,7 @@ async def enable_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -1190,7 +1190,7 @@ async def destroy_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:

packages/google-cloud-secret-manager/google/cloud/secretmanager_v1/services/secret_manager_service/client.py

@@ -478,7 +478,7 @@ def list_secrets(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent])
         if request is not None and has_flattened_params:
@@ -584,7 +584,7 @@ def create_secret(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent, secret_id, secret])
         if request is not None and has_flattened_params:
@@ -673,7 +673,7 @@ def add_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent, payload])
         if request is not None and has_flattened_params:
@@ -753,7 +753,7 @@ def get_secret(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -838,7 +838,7 @@ def update_secret(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([secret, update_mask])
         if request is not None and has_flattened_params:
@@ -908,7 +908,7 @@ def delete_secret(
                 sent along with the request as metadata.
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -986,7 +986,7 @@ def list_secret_versions(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([parent])
         if request is not None and has_flattened_params:
@@ -1073,7 +1073,7 @@ def get_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -1155,7 +1155,7 @@ def access_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -1235,7 +1235,7 @@ def disable_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -1315,7 +1315,7 @@ def enable_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:
@@ -1396,7 +1396,7 @@ def destroy_secret_version(
 
         """
         # Create or coerce a protobuf request object.
-        # Sanity check: If we got a request object, we should *not* have
+        # Quick check: If we got a request object, we should *not* have
         # gotten any keyword arguments that map to the request.
         has_flattened_params = any([name])
         if request is not None and has_flattened_params:

packages/google-cloud-secret-manager/google/cloud/secretmanager_v1/services/secret_manager_service/transports/grpc.py

@@ -168,8 +168,11 @@ def __init__(
         if not self._grpc_channel:
             self._grpc_channel = type(self).create_channel(
                 self._host,
+                # use the credentials which are saved
                 credentials=self._credentials,
-                credentials_file=credentials_file,
+                # Set ``credentials_file`` to ``None`` here as
+                # the credentials that we saved earlier should be used.
+                credentials_file=None,
                 scopes=self._scopes,
                 ssl_credentials=self._ssl_channel_credentials,
                 quota_project_id=quota_project_id,

packages/google-cloud-secret-manager/google/cloud/secretmanager_v1/services/secret_manager_service/transports/grpc_asyncio.py

@@ -213,8 +213,11 @@ def __init__(
         if not self._grpc_channel:
             self._grpc_channel = type(self).create_channel(
                 self._host,
+                # use the credentials which are saved
                 credentials=self._credentials,
-                credentials_file=credentials_file,
+                # Set ``credentials_file`` to ``None`` here as
+                # the credentials that we saved earlier should be used.
+                credentials_file=None,
                 scopes=self._scopes,
                 ssl_credentials=self._ssl_channel_credentials,
                 quota_project_id=quota_project_id,

packages/google-cloud-secret-manager/google/cloud/secretmanager_v1/types/resources.py

@@ -154,6 +154,13 @@ class SecretVersion(proto.Message):
         etag (str):
             Output only. Etag of the currently stored
             [SecretVersion][google.cloud.secretmanager.v1.SecretVersion].
+        client_specified_payload_checksum (bool):
+            Output only. True if payload checksum specified in
+            [SecretPayload][google.cloud.secretmanager.v1.SecretPayload]
+            object has been received by
+            [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
+            on
+            [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion].
     """
 
     class State(proto.Enum):
@@ -176,6 +183,7 @@ class State(proto.Enum):
         proto.MESSAGE, number=5, message="ReplicationStatus",
     )
     etag = proto.Field(proto.STRING, number=6,)
+    client_specified_payload_checksum = proto.Field(proto.BOOL, number=7,)
 
 
 class Replication(proto.Message):
@@ -281,8 +289,8 @@ class Replica(proto.Message):
 
 
 class CustomerManagedEncryption(proto.Message):
-    r"""Configuration for encrypting secret payloads using customer-
-    anaged encryption keys (CMEK).
+    r"""Configuration for encrypting secret payloads using
+    customer-managed encryption keys (CMEK).
 
     Attributes:
         kms_key_name (str):
@@ -490,9 +498,31 @@ class SecretPayload(proto.Message):
         data (bytes):
             The secret data. Must be no larger than
             64KiB.
+        data_crc32c (int):
+            Optional. If specified,
+            [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
+            will verify the integrity of the received
+            [data][google.cloud.secretmanager.v1.SecretPayload.data] on
+            [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion]
+            calls using the crc32c checksum and store it to include in
+            future
+            [SecretManagerService.AccessSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion]
+            responses. If a checksum is not provided in the
+            [SecretManagerService.AddSecretVersion][google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion]
+            request, the
+            [SecretManagerService][google.cloud.secretmanager.v1.SecretManagerService]
+            will generate and store one for you.
+
+            The CRC32C value is encoded as a Int64 for compatibility,
+            and can be safely downconverted to uint32 in languages that
+            support this type.
+            https://cloud.google.com/apis/design/design_patterns#integer_types
+
+            This field is a member of `oneof`_ ``_data_crc32c``.
     """
 
     data = proto.Field(proto.BYTES, number=1,)
+    data_crc32c = proto.Field(proto.INT64, number=2, optional=True,)
 
 
 __all__ = tuple(sorted(__protobuf__.manifest))