Secrets Manager audit logging
Sensitive Secrets Manager operations write dedicated audit entries. Use these events for security monitoring, compliance reporting, and incident investigation.
Resource type
Secrets Manager audit entries use resourceType: "secret". The resource identity is the secret path.
Filter audit logs by secrets.* actions to isolate secret management activity.
Logged operations
| Audit action | Operation |
|---|---|
| secrets.create | Create secret |
| secrets.get_value | Reveal secret value |
| secrets.put_value | Add new version |
| secrets.update_policy | Set or clear access policy |
| secrets.destroy_version | Destroy version |
| secrets.delete | Delete secret |
Fields recorded
Logged metadata is safe — secret values are never included:
| Field | Description |
|---|---|
| Region | Cloud region where the operation ran |
| Project | Project context, if applicable |
| Path | Secret path |
| Version | Secret version (where applicable) |
| Outcome | Success or failure |
| Value type | Whether a string, key-value, or generated value was used |
| Key count | Number of keys (for key-value format) |
| KMS key identity | Bound key (on successful reveal) |
| Client IP | Source IP of the API request |
| User agent | HTTP user agent string |
| Request ID | Correlation identifier |
Exact fields available in your audit log export depend on your organisation’s audit log configuration.
Dual KMS audit entries
The underlying KMS operations emit their own audit events as well: create and put value trigger kms.encrypt, and get value triggers kms.decrypt.
| Secrets Manager action | KMS audit events |
|---|---|
| secrets.create | kms.encrypt |
| secrets.put_value | kms.encrypt |
| secrets.get_value | kms.decrypt |
A single reveal therefore produces both a secrets.get_value entry and a kms.decrypt entry; correlate the two for end-to-end traceability. The kms.decrypt entries are not specific to Secrets Manager: any other service that uses the same KMS key produces them too, so a kms.decrypt entry without a matching secrets.get_value is not by itself evidence of a secret reveal.
See KMS audit logging for KMS-specific fields.
Monitoring recommendations
Set up alerts or periodic reviews for:
- secrets.get_value — Unusual volume or sources outside expected service accounts
- secrets.put_value — Unexpected rotations or writes
- secrets.delete and secrets.destroy_version — Confirm intentional lifecycle changes
- Failed reveal operations — Repeated 403 outcomes may indicate policy misconfiguration
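As an added example (not code from this page or from the Secrets Manager product), the following script runs the monitoring checks above, together with the secrets.get_value / kms.decrypt correlation from the previous section, over a constructed newline-delimited JSON export. The export format is an assumption: the page lists the recorded fields but not their export names, and it does not list a principal field, so the field names (action, resourceType, path, outcome, principal, clientIp, requestId, keyId), the "403" outcome string and the sample entries are all constructed for this example.

```python
"""Detection checks over a Secrets Manager audit export.

Added example, not part of the original documentation. The export format is
an assumption: one JSON object per line with the field names used below. The
documentation lists the recorded fields but not their export names, and lists
no principal field, so "principal" is assumed here as well.
"""
import json
from collections import Counter

# Constructed sample export. Request IDs req-001 and req-002 show the
# dual-entry pattern (secrets.get_value plus kms.decrypt); req-007 is a
# reveal with no KMS entry; req-008 is a decrypt with no reveal (another
# service using the same key); req-003..005 are repeated 403 reveal failures.
SAMPLE_EXPORT = """
{"action":"secrets.get_value","resourceType":"secret","path":"projects/p1/secrets/db-password","version":"3","outcome":"success","principal":"sa-app@p1","clientIp":"10.0.1.5","requestId":"req-001"}
{"action":"kms.decrypt","resourceType":"kms_key","keyId":"key-1","outcome":"success","principal":"sa-app@p1","requestId":"req-001"}
{"action":"secrets.get_value","resourceType":"secret","path":"projects/p1/secrets/db-password","version":"3","outcome":"success","principal":"alice@example.com","clientIp":"203.0.113.7","requestId":"req-002"}
{"action":"kms.decrypt","resourceType":"kms_key","keyId":"key-1","outcome":"success","principal":"alice@example.com","requestId":"req-002"}
{"action":"secrets.get_value","resourceType":"secret","path":"projects/p1/secrets/api-token","outcome":"403","principal":"sa-batch@p1","clientIp":"10.0.2.9","requestId":"req-003"}
{"action":"secrets.get_value","resourceType":"secret","path":"projects/p1/secrets/api-token","outcome":"403","principal":"sa-batch@p1","clientIp":"10.0.2.9","requestId":"req-004"}
{"action":"secrets.get_value","resourceType":"secret","path":"projects/p1/secrets/api-token","outcome":"403","principal":"sa-batch@p1","clientIp":"10.0.2.9","requestId":"req-005"}
{"action":"secrets.delete","resourceType":"secret","path":"projects/p1/secrets/legacy","outcome":"success","principal":"sa-app@p1","requestId":"req-006"}
{"action":"secrets.get_value","resourceType":"secret","path":"projects/p1/secrets/db-password","version":"3","outcome":"success","principal":"sa-app@p1","clientIp":"10.0.1.5","requestId":"req-007"}
{"action":"kms.decrypt","resourceType":"kms_key","keyId":"key-1","outcome":"success","principal":"sa-other@p1","requestId":"req-008"}
"""


def parse_export(text):
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def secrets_events(events):
    """Isolate Secrets Manager activity: resourceType "secret" and a secrets.* action."""
    return [
        e for e in events
        if e.get("resourceType") == "secret" and e.get("action", "").startswith("secrets.")
    ]


def correlate_reveals(events):
    """Pair successful secrets.get_value entries with kms.decrypt entries by request ID.

    Returns (reveals with no matching decrypt, decrypts with no matching reveal).
    The second list is not necessarily suspicious: other services that use the
    same KMS key also produce kms.decrypt entries.
    """
    reveals = {
        e["requestId"] for e in events
        if e.get("action") == "secrets.get_value" and e.get("outcome") == "success"
    }
    decrypts = {e["requestId"] for e in events if e.get("action") == "kms.decrypt"}
    return sorted(reveals - decrypts), sorted(decrypts - reveals)


def analyse(text, expected_principals, fail_threshold=3):
    """Run the monitoring checks over an export and return the findings."""
    events = parse_export(text)
    sm = secrets_events(events)
    reveal_no_decrypt, decrypt_no_reveal = correlate_reveals(events)

    # Successful reveals by a principal outside the expected service accounts.
    unexpected = sorted(
        e["requestId"] for e in sm
        if e["action"] == "secrets.get_value"
        and e["outcome"] == "success"
        and e.get("principal") not in expected_principals
    )
    # Repeated 403 reveal failures per principal (policy misconfiguration or probing).
    failures = Counter(
        e.get("principal") for e in sm
        if e["action"] == "secrets.get_value" and e["outcome"] == "403"
    )
    repeated_403 = {p: n for p, n in failures.items() if n >= fail_threshold}
    # Destructive lifecycle changes to confirm as intentional.
    lifecycle = sorted(
        e["requestId"] for e in sm
        if e["action"] in ("secrets.delete", "secrets.destroy_version")
    )
    return {
        "reveal_without_decrypt": reveal_no_decrypt,
        "decrypt_without_reveal": decrypt_no_reveal,
        "unexpected_principal_reveals": unexpected,
        "repeated_403_by_principal": repeated_403,
        "lifecycle_changes": lifecycle,
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_EXPORT, {"sa-app@p1"}).items():
        print(f"{name}: {finding}")
```

The allowlist passed to analyse is the set of service accounts expected to reveal secrets; everything else surfaces for review. The request ID is used as the join key between the two entry types on the assumption that both entries of one reveal carry the same correlation identifier; if your export correlates differently, swap the key in correlate_reveals.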
Related documentation
- Audit logs — Platform-wide audit logging, retention, and security analytics
- Access control — Restrict who can perform logged operations
- Best practices — Never log values in applications
- KMS integration — Underlying encrypt/decrypt operations