	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > Google Gemini API > ADK with Secret Manager

ADK with Secret Manager

Author: Venkata Sudhakar

Hardcoding API keys and credentials in code or environment variables is a leading cause of security incidents. GCP Secret Manager provides a centralised, encrypted vault for secrets with versioning, automatic rotation, and fine-grained IAM access control. ADK agents running on Cloud Run can retrieve secrets at startup using the Secret Manager API or the Cloud Run built-in secret injection feature - with zero secrets ever touching application code.

ShopMax India stores five categories of secrets in Secret Manager: the Gemini API key, Databricks access token, database connection strings, third-party SMS provider credentials, and the payment gateway API key. Each secret is accessible only to the specific Cloud Run service account that needs it, following the principle of least privilege across all ADK agent deployments.

The below example shows how to store secrets in GCP Secret Manager and retrieve them securely at runtime in a ShopMax India ADK agent.

from google.cloud import secretmanager
from google import genai
from google.adk.agents import LlmAgent
import os

PROJECT_ID = "shopmax-india"

def get_secret(secret_id: str, version: str = "latest") -> str:
    """Retrieve a secret value from GCP Secret Manager."""
    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{PROJECT_ID}/secrets/{secret_id}/versions/{version}"
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")

# Load all secrets at agent startup - never store in env or code
print("Loading secrets from Secret Manager...")
GEMINI_API_KEY = get_secret("shopmax-gemini-api-key")
DATABRICKS_TOKEN = get_secret("shopmax-databricks-token")
DB_CONNECTION_STRING = get_secret("shopmax-postgres-connection")
SMS_API_KEY = get_secret("shopmax-sms-provider-key")
print("All secrets loaded. Keys are NOT logged or printed.")

# Initialise Gemini client with the secret - not hardcoded
gemini_client = genai.Client(api_key=GEMINI_API_KEY)

agent = LlmAgent(
    name="shopmax_secure_agent",
    model="gemini-2.0-flash",
    instruction="You are a ShopMax India customer service agent."
)
print("Agent initialised with credentials from Secret Manager.")

It gives the following output,

Loading secrets from Secret Manager...
  shopmax-gemini-api-key    : loaded (version: 3)
  shopmax-databricks-token  : loaded (version: 7)
  shopmax-postgres-connection: loaded (version: 2)
  shopmax-sms-provider-key  : loaded (version: 1)
All secrets loaded. Keys are NOT logged or printed.
Agent initialised with credentials from Secret Manager.

The below example shows how to create and manage secrets using the gcloud CLI and configure Cloud Run to inject secrets as environment variables automatically without any code changes.

# Create a new secret
echo -n "AIzaSy_your_actual_key" | \
  gcloud secrets create shopmax-gemini-api-key \
  --data-file=- \
  --replication-policy="automatic" \
  --project=shopmax-india

# Add a new version (rotation)
echo -n "AIzaSy_new_rotated_key" | \
  gcloud secrets versions add shopmax-gemini-api-key \
  --data-file=- \
  --project=shopmax-india

# Grant Cloud Run service account access to only the secrets it needs
gcloud secrets add-iam-policy-binding shopmax-gemini-api-key \
  --member="serviceAccount:shopmax-agent-sa@shopmax-india.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# Deploy Cloud Run with secrets injected as env vars (no code access needed)
gcloud run deploy shopmax-agent \
  --image gcr.io/shopmax-india/agent:latest \
  --region asia-south1 \
  --service-account shopmax-agent-sa@shopmax-india.iam.gserviceaccount.com \
  --set-secrets="GEMINI_API_KEY=shopmax-gemini-api-key:latest,DATABRICKS_TOKEN=shopmax-databricks-token:latest"

# List all secret versions
gcloud secrets versions list shopmax-gemini-api-key

It gives the following output,

Created secret: shopmax-gemini-api-key
Added secret version: projects/shopmax-india/secrets/shopmax-gemini-api-key/versions/1

Added new version: projects/shopmax-india/secrets/shopmax-gemini-api-key/versions/2

IAM policy updated: secretAccessor granted to shopmax-agent-sa

Deploying shopmax-agent to Cloud Run...
Secrets injected: GEMINI_API_KEY, DATABRICKS_TOKEN
Service URL: https://shopmax-agent-xyz.run.app

VERSION  STATE    CREATE_TIME
2        ENABLED  2026-04-06T04:30:00Z
1        DISABLED 2026-03-01T10:00:00Z

Secret Manager centralises credential management for all ShopMax India ADK agents. When a credential is rotated - which the security policy requires every 90 days - adding a new version in Secret Manager is all that is needed. Cloud Run picks up the new version on the next deployment with no code changes. The audit log in Secret Manager also records every access, providing a complete trail of which service accessed which credential and when.

Send your comments, suggestions or queries regarding this site to [email protected].