01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to access from the console top navigation bar.
03 Navigate to the API Library page available at https://console.cloud.google.com/apis/library.
04 Type Secret Manager API in the Search for API & Services search box and press Enter.
05 Click on the name of the Secret Manager API to open the API overview page.
06 On the API overview page, choose ENABLE to enable the Secret Manager API for your GCP project.
07 Navigate to the Secret Manager page at https://console.cloud.google.com/security/secret-manager.
08 A Secret Manager secret is an encrypted wrapper around a collection of secret data versions. Choose CREATE SECRET and follow the setup wizard to create the Secret Manager secret that will replace the secret information stored in cleartext within the function environment variable.
09 For Name, enter the name of the environment variable that you are replacing. This will be the secret variable that will be referenced in your code.
10 For Secret value, enter the value from the environment variable that you are replacing. This is the actual value of the variable that will be referenced from your code.
11 Configure the secret encryption, replication policy, secret rotation and expiration based on your application requirements, then choose CREATE SECRET to create your new Secret Manager secret.
12 To grant your function's service account access to the new secret, open the newly created Secret Manager secret, select the PERMISSIONS tab, and choose GRANT ACCESS.
13 On the Grant access to "[secret-name]" panel, enter the service account that your function uses for its identity in the New principals box and select Secret Manager Secret Accessor from the Role dropdown list. Choose SAVE to apply the changes.
14 Modify your function configuration to use the new secret managed by Secret Manager. Navigate to the Cloud Functions console available at https://console.cloud.google.com/functions.
15 Click on the name (link) of the function that you want to configure and choose EDIT.
16 Choose Runtime, build, connections and security settings and select the SECURITY AND IMAGE REPO tab.
17 Under Secrets, choose ADD A SECRET REFERENCE and follow the setup process to create the secret reference that will replace the secret information stored in cleartext within the function environment variable. Choose DONE to save the changes.
18 Select NEXT and choose DEPLOY to deploy the function changes.
19 After the secret information that replaced the environment variable has been successfully referenced, you can safely remove the non-compliant environment variable from your function configuration. Choose EDIT from the function main menu, and select RUNTIME or BUILD, depending on the environment variable type.
20 In the Runtime environment variables/Build environment variables section, use the Delete item (trash bin icon) button to remove any environment variable that holds secret, sensitive information.
21 Select NEXT and choose DEPLOY to deploy the function changes.
22 Repeat steps no. 7 – 21 for each Google Cloud function deployed within the selected GCP project.
23 Repeat steps no. 2 – 22 for each GCP project available in your Google Cloud Platform (GCP) account.
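To confirm the outcome of steps 19 – 21 across many functions, the check below (an added example, not part of the original procedure) reads a function's configuration and lists cleartext variables with secret-looking names, noting whether a matching Secret Manager reference already exists. The name pattern and the sample resource are constructed; the field names assume the Cloud Functions v1 API resource shape for a 1st gen function.

```python
import json
import re

# Heuristic for variable names likely to hold secrets (assumption; tune to your naming).
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

# Constructed sample shaped like a Cloud Functions v1 API resource, e.g. the
# output of `gcloud functions describe NAME --format=json` for a 1st gen function.
SAMPLE_FUNCTION = json.loads("""
{
  "name": "projects/example-project/locations/us-central1/functions/example-fn",
  "environmentVariables": {"DB_PASSWORD": "constructed-value", "LOG_LEVEL": "info"},
  "buildEnvironmentVariables": {"NPM_TOKEN": "constructed-value"},
  "secretVolumes": [
    {"mountPath": "/etc/secrets", "projectId": "example-project", "secret": "DB_PASSWORD"}
  ]
}
""")

def referenced_secrets(fn):
    """Names of Secret Manager secrets the function references (env vars or volumes)."""
    refs = (fn.get("secretEnvironmentVariables") or []) + (fn.get("secretVolumes") or [])
    return {ref["secret"] for ref in refs}

def audit_function(fn):
    """List cleartext variables with secret-looking names and their migration state."""
    migrated = referenced_secrets(fn)
    findings = []
    for scope, field in (("runtime", "environmentVariables"),
                         ("build", "buildEnvironmentVariables")):
        for name in sorted(fn.get(field) or {}):
            if not SENSITIVE_NAME.search(name):
                continue
            # Step 9 names the secret after the variable it replaces, so match by name.
            if name in migrated:
                status = "secret referenced; delete the cleartext variable (steps 19-21)"
            else:
                status = "no matching secret reference; migrate it (steps 7-18)"
            findings.append({"scope": scope, "variable": name, "status": status})
    return findings

if __name__ == "__main__":
    # Report names and states only; variable values are never printed.
    for f in audit_function(SAMPLE_FUNCTION):
        print(f"[{f['scope']}] {f['variable']}: {f['status']}")
```

An empty result means no secret-looking variable names remain in the runtime or build environment; values stored under innocuous names are not detected by a name heuristic.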