google_secret_manager_secret cost estimation
A managed secret with versioning and IAM access. $0.06/month per active secret version, plus per-access fees beyond the free tier.
A google_secret_manager_secret stores sensitive values (API keys, database passwords, OAuth tokens) with versioning, IAM-controlled access, and rotation.
Pricing has two components.
Active secret versions: $0.06/month per active version. The version is "active" while it's not destroyed. A secret with 1 active version is $0.06/month; 5 versions is $0.30/month. Old versions can be destroyed to stop their billing.
Access operations: $0.03 per 10,000 access operations. First 10,000 operations per month are free at the project level. Applications that cache secrets in memory rarely exceed the free tier.
Replication: setting replication = AUTOMATIC stores the secret in multiple regions, billed as if each replica is a separate version. Setting replication = USER_MANAGED with a single region keeps cost minimal.
Rotation: rotation policies are free as configuration; the underlying secret rotation (typically a Cloud Function) incurs its own compute costs.
Compared to AWS and Azure:
- AWS Secrets Manager: $0.40/secret/month (about 7x more than GCP).
- Azure Key Vault: no per-secret fee, per-operation only.
GCP's per-version model means accounts with many secrets but few versions per secret are cheap. Accounts that retain old versions (compliance archives, rotation history) pay more per-secret.
c3x estimates active version cost from declared resources. Access operations are usage-based via c3x-usage.yml.
Terraform example
A minimal but realistic configuration that C3X can estimate.
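```hcl
variable "db_password" {
  type      = string
  sensitive = true
}

# Rotation requires a Pub/Sub topic; the Secret Manager service agent needs publish rights on it.
resource "google_pubsub_topic" "secret_rotation" {
  name = "secret-rotation-events" # name chosen for this example
}

resource "google_secret_manager_secret" "db_password" {
  secret_id = "production-db-password"
  replication {
    user_managed {
      replicas {
        location = "us-central1"
      }
    }
  }
  topics {
    name = google_pubsub_topic.secret_rotation.id
  }
  rotation {
    next_rotation_time = "2026-12-31T00:00:00Z"
    rotation_period    = "7776000s" # 90 days
  }
}

resource "google_secret_manager_secret_version" "db_password" {
  secret      = google_secret_manager_secret.db_password.id
  secret_data = var.db_password # stored in Terraform state; protect the state backend
}
```
Pricing dimensions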
What you actually pay for when you provision google_secret_manager_secret.
| Dimension | Unit | What's being charged |
|---|---|---|
| Active secret versions | per version per month | Each non-destroyed version of a secret. Multi-region replication multiplies versions. $0.06/version/month |
| Access operations | per 10,000 operations | AccessSecretVersion calls. First 10,000/month free at project level. $0.03/10,000 operations |
| Automatic replication | multiplier | AUTOMATIC replication stores in multiple GCP regions. Each replica counts as a separate version for billing. |
| User-managed replication (single region) | no multiplier | Choosing USER_MANAGED with one region keeps the per-version cost minimal. |
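The billed dimensions in the table above, combined into one monthly figure and a retention plan. This is an added example, not code from c3x or the original page; the `Secret` record, the replica count used for automatic replication, and linear proration of access fees are assumptions of this sketch.

```python
from dataclasses import dataclass, field

VERSION_RATE = 0.06        # USD per non-destroyed version per month (rate from this page)
ACCESS_RATE = 0.03         # USD per 10,000 access operations (rate from this page)
FREE_ACCESS_OPS = 10_000   # free access operations per project per month


@dataclass
class Secret:
    name: str
    version_states: list = field(default_factory=list)  # oldest first
    replicas: int = 1  # 1 = single-region USER_MANAGED; higher values are assumed


def billable_versions(secret):
    """Disabled versions still bill; only DESTROYED ones stop."""
    live = sum(1 for state in secret.version_states if state != "DESTROYED")
    return live * secret.replicas


def monthly_estimate(secrets, access_ops):
    """Project-level estimate: version fees plus access fees above the free tier."""
    versions = sum(billable_versions(s) for s in secrets)
    paid_ops = max(0, access_ops - FREE_ACCESS_OPS)
    version_cost = round(versions * VERSION_RATE, 4)
    access_cost = round(paid_ops / 10_000 * ACCESS_RATE, 4)
    return {"version_cost": version_cost, "access_cost": access_cost,
            "total": round(version_cost + access_cost, 4)}


def destroy_candidates(secret, keep_newest):
    """Indexes of live versions that fall outside the newest `keep_newest`."""
    live = [i for i, s in enumerate(secret.version_states) if s != "DESTROYED"]
    return live[:-keep_newest] if keep_newest > 0 else live


# Constructed inventory, not real project data.
INVENTORY = [
    Secret("production-db-password", ["DESTROYED", "DISABLED", "ENABLED", "ENABLED"]),
    Secret("api-key", ["ENABLED"], replicas=3),
]

if __name__ == "__main__":
    print(monthly_estimate(INVENTORY, access_ops=250_000))
    print(destroy_candidates(INVENTORY[0], keep_newest=2))
```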
Optimization tips
Common ways to reduce google_secret_manager_secret cost without changing the workload.
Use user-managed replication with single region
50%+ on per-version cost
Automatic replication doubles or triples per-version cost. For most workloads, USER_MANAGED with a single region is sufficient. Choose only the regions you actually need.
Destroy old secret versions
$0.06/version/month
Each non-destroyed version bills $0.06/month forever. Set a retention policy or manually destroy versions older than your rotation history requirement.
Cache secrets in your application
Operations cost
Reading a secret on every request is wasteful and costs operations beyond the free tier. Cache for 5-15 minutes per process. Cuts access operations by 100-1000x.
Consolidate related secrets into one with JSON payload
$0.06/consolidated secret
A single secret can hold a JSON document with username + password + URL + port. Avoid creating a separate secret per field; that multiplies the per-version fee. IAM access is granted per secret, so consolidate only fields that share the same set of readers.
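A per-process TTL cache for the "Cache secrets in your application" tip, as an added example that is not part of c3x or the original page. The `CachedSecret` class and `simulate` helper are hypothetical names; the TTL also bounds how long a process keeps using a value after the secret is rotated.

```python
import threading
import time


class CachedSecret:
    """Process-local TTL cache around one secret lookup (hypothetical helper)."""

    def __init__(self, fetch, ttl_seconds=600, clock=time.monotonic):
        # In production, `fetch` would wrap the Secret Manager client's
        # access_secret_version call and return response.payload.data.
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._value = None
        self._expires = 0.0
        self.access_ops = 0  # billable access operations actually issued

    def get(self):
        # The lock is held during the fetch so concurrent threads that hit
        # an expired entry trigger one access operation, not one each.
        with self._lock:
            now = self._clock()
            if self._value is None or now >= self._expires:
                self._value = self._fetch()
                self._expires = now + self._ttl
                self.access_ops += 1
            return self._value

    def invalidate(self):
        """Drop the cached value, e.g. after an auth failure following rotation."""
        with self._lock:
            self._value = None


def simulate(requests_per_second, seconds, ttl_seconds):
    """Access operations issued for a constructed steady request stream."""
    now = [0.0]
    cache = CachedSecret(lambda: b"constructed-secret", ttl_seconds,
                         clock=lambda: now[0])
    for i in range(requests_per_second * seconds):
        now[0] = i / requests_per_second
        cache.get()
    return cache.access_ops


if __name__ == "__main__":
    # One hour at 10 requests/second with a 10-minute TTL.
    print(simulate(10, 3600, 600), "access operations instead of", 10 * 3600)
```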
FAQ
Why is GCP Secret Manager so much cheaper than AWS?
GCP charges $0.06/version/month while AWS charges $0.40/secret/month. The 7x difference is a deliberate pricing decision: GCP encourages secret usage by making it cheap. For accounts with hundreds of secrets, this is a major operational cost difference.
Does c3x include the 10K free access operations?
Yes. The free tier is applied at the project level. If your project has many secrets but low aggregate access, c3x estimates close to $0 for operations.
Should I rotate secrets automatically?
Yes, but the rotation Lambda/Cloud Function adds its own cost. For secrets accessed by AWS-style trusted compute, rotation pays for itself in reduced breach risk. The configuration of rotation is free; the function executing the rotation isn't.
What about CMEK (customer-managed encryption keys)?
Secret Manager supports CMEK by default. The CMEK encrypt/decrypt operations are charged on the KMS key, not on Secret Manager. Each Secret Manager access does a KMS decrypt, which is usually within KMS's free tier.
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including google_secret_manager_secret.