
Enable Rotation Schedules for Secret Manager Secrets

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecretManager-003

To minimize the risk of unauthorized access or misuse of secrets, configure a rotation period (or rotation schedule) for your Secret Manager secrets. Setting this schedule will automatically send rotation notifications to the associated Pub/Sub topics.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security, Operational excellence

Secret rotation is the process of regularly updating sensitive information like passwords, API keys, and encryption keys. This practice is essential for minimizing the risk of unauthorized access or misuse, especially if a secret is ever compromised. Secret Manager simplifies this process by allowing you to schedule periodic rotations. It works by sending notifications to the Pub/Sub topics linked to your secrets, based on the rotation frequency and time you specify.


Audit

To determine if rotation schedules are configured for your Secret Manager secrets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

04 Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

05 Click on the name (link) of the secret that you want to examine, listed in the Name column.

06 Select the OVERVIEW tab and check the Rotation attribute value. If the Rotation value is set to Not scheduled, the selected Secret Manager secret is not configured with a rotation period (or rotation schedule).

07 Repeat steps no. 5 and 6 for each Secret Manager secret created for the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run secrets list command (Windows/macOS/Linux) with the name of the Google Cloud project that you want to examine as the identifier parameter and custom output filters to describe the name of each Secret Manager secret created for the selected project:

gcloud secrets list \
	--project cc-project5-123123 \
	--format="value(name)"

04 The command output should return the names of the secrets available within the selected GCP project:

cc-project5-api-key
cc-project5-db-access

05 Run secrets describe command (Windows/macOS/Linux) with the name of the Secret Manager secret that you want to examine as the identifier parameter and custom output filters to describe the rotation period (in seconds) configured for the selected secret:

gcloud secrets describe cc-project5-api-key \
	--format="value(rotation.rotationPeriod)"

06 The command output should return the requested rotation schedule information:

2592000s

If the secrets describe command output does not return a rotation period (in seconds) similar to the one returned in the output example above, the selected Secret Manager secret is not configured with a rotation period (or rotation schedule).

07 Repeat steps no. 5 and 6 for each Secret Manager secret created for the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
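The CLI audit above is one secret at a time; the script below, added here as an example and not part of the Conformity page, runs the same commands in a loop over every project and every secret and prints one line per secret. A value such as 2592000s (30 days) counts as compliant; an empty value is the CLI equivalent of "Not scheduled" in the console. It assumes gcloud is installed and authenticated; the GCLOUD variable is an assumption of this script and exists only so the commands can be redirected to a wrapper for dry runs.

```shell
#!/bin/sh
# Added example, not from the Conformity page: script the CLI audit so that
# every Secret Manager secret in every project is checked in one pass.
# Assumes gcloud is installed and authenticated. GCLOUD may be overridden to
# point at a wrapper (assumption of this script, used for offline testing).

GCLOUD="${GCLOUD:-gcloud}"

# A secret is compliant when describe returns a rotation period such as
# "2592000s"; an empty value corresponds to "Not scheduled" in the console.
rotation_is_configured() {
  case "$1" in
    [0-9]*s) return 0 ;;
    *)       return 1 ;;
  esac
}

# Print one line per secret: <project> <secret> <COMPLIANT|NON_COMPLIANT> <period>
audit_project() {
  proj="$1"
  $GCLOUD secrets list --project "$proj" --format="value(name)" |
  while read -r secret; do
    [ -n "$secret" ] || continue
    period=$($GCLOUD secrets describe "$secret" --project "$proj" \
               --format="value(rotation.rotationPeriod)")
    if rotation_is_configured "$period"; then
      printf '%s %s COMPLIANT %s\n' "$proj" "$secret" "$period"
    else
      printf '%s %s NON_COMPLIANT -\n' "$proj" "$secret"
    fi
  done
}

# Walk every project visible to the caller (steps 01 to 08 of the CLI audit).
audit_all_projects() {
  $GCLOUD projects list --format="value(projectId)" |
  while read -r project; do
    [ -n "$project" ] || continue
    audit_project "$project"
  done
}

# Exit with status 1 when at least one secret has no rotation schedule, so the
# script can gate a scheduled check or a CI job.
if [ "${1:-}" = "--run" ]; then
  report=$(audit_all_projects)
  printf '%s\n' "$report"
  case "$report" in
    *NON_COMPLIANT*) exit 1 ;;
  esac
fi
```

Run it as `sh audit-rotation.sh --run`; the report lists each secret with its status, and the non-zero exit status makes a missing schedule visible to whatever scheduler runs the check.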

Remediation / Resolution

To ensure that rotation schedules are configured for your Google Cloud Secret Manager secrets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

04 Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

05 Click on the name (link) of the secret that you want to configure, listed in the Name column.

06 Choose EDIT SECRET from the resource top-menu to change the secret resource configuration.

07 In the Rotation section, select the Set rotation period checkbox, select a rotation period from the Rotation period dropdown list, and click inside the Next rotation on box to set the timestamp indicating when the next rotation should occur.

08 In the Notifications section, choose ADD TOPIC, and select the Pub/Sub topic that will receive event notifications whenever the secret or one of its versions is changed. If you need to create a new Pub/Sub topic, click inside the Pub/Sub topic name box, choose CREATE A TOPIC, provide a unique name for your new topic, and choose CREATE. The new Pub/Sub topic must grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the associated service account, i.e., service-<project-number>@gcp-sa-secretmanager.iam.gserviceaccount.com.

09 Choose UPDATE SECRET to apply the configuration changes.

10 Repeat steps no. 5 – 9 for each Secret Manager secret that you want to configure, available within the selected Google Cloud Platform (GCP) project.

11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run pubsub topics create command (Windows/macOS/Linux) to create the Pub/Sub topic that will receive event notifications whenever the Secret Manager secret or one of its versions is changed:

gcloud pubsub topics create cc-rotation-schedule-topic \
	--project cc-project5-123123

02 The command output should return the full resource identifier of the newly created topic:

Created topic [projects/cc-project5-123123/topics/cc-rotation-schedule-topic].

03 Run pubsub subscriptions create command (Windows/macOS/Linux) to create the Pub/Sub topic subscription that will receive alert notifications from Google Cloud Secret Manager:

gcloud pubsub subscriptions create cc-rotation-schedule-subscription \
	--topic=cc-rotation-schedule-topic \
	--topic-project=cc-project5-123123

04 The command output should return the resource ID of the new Pub/Sub topic subscription:

Created subscription [projects/cc-project5-123123/subscriptions/cc-rotation-schedule-subscription].

05 Run pubsub topics add-iam-policy-binding command (Windows/macOS/Linux) to add the required IAM policy binding to your new Pub/Sub topic. This assigns the Pub/Sub Publisher role (roles/pubsub.publisher) to the associated service account (i.e., service-<project-number>@gcp-sa-secretmanager.iam.gserviceaccount.com). Replace <project-number> with your Google Cloud Platform (GCP) project number:

gcloud pubsub topics add-iam-policy-binding cc-rotation-schedule-topic \
	--member='serviceAccount:service-123456789012@gcp-sa-secretmanager.iam.gserviceaccount.com' \
	--role='roles/pubsub.publisher'

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for topic [cc-rotation-schedule-topic].
bindings:
- members:
  - serviceAccount:service-123456789012@gcp-sa-secretmanager.iam.gserviceaccount.com
  role: roles/pubsub.publisher
etag: abcdabcdabcd
version: 1

07 Run secrets update command (Windows/macOS/Linux) to add the newly created Pub/Sub topic to the specified Secret Manager secret:

gcloud secrets update cc-project5-api-key \
	--add-topics projects/cc-project5-123123/topics/cc-rotation-schedule-topic

08 The command output should return the name of the configured secret:

Updated secret [cc-project5-api-key].

09 Run secrets update command (Windows/macOS/Linux) to configure the rotation period (or rotation schedule) for the selected Secret Manager secret. For the --next-rotation-time parameter, specify the timestamp (in ISO 8601 format) indicating when the next rotation should occur:

gcloud secrets update cc-project5-api-key \
	--rotation-period="2592000s" \
	--next-rotation-time="2025-09-10T15:30:00-05:00"

10 The command output should return the name of the configured Secret Manager secret:

Updated secret [cc-project5-api-key].

11 Repeat steps no. 7 – 10 for each Secret Manager secret that you want to configure, available in the selected Google Cloud Platform (GCP) project.

12 Repeat steps no. 1 – 11 for each GCP project deployed in your Google Cloud account.
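The twelve CLI steps above can be scripted for a whole project; the script below is an added example, not code from the Conformity page. It creates the topic and subscription, looks up the project number with `gcloud projects describe` so the service agent address does not have to be typed by hand, grants that agent the publisher role, and then attaches the topic and the rotation schedule to each secret named on the command line. It assumes gcloud is installed and authenticated; the GCLOUD variable and the function names are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the Conformity page: script the CLI remediation for
# one project. Assumes gcloud is installed and authenticated. GCLOUD may be
# overridden to point at a wrapper (assumption of this script, used for
# dry runs and offline testing).

GCLOUD="${GCLOUD:-gcloud}"

# Service agent that publishes rotation notifications (step 05 above).
# Argument: project number
secretmanager_service_agent() {
  printf 'service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com' "$1"
}

# Full topic resource name, the form --add-topics expects (step 07 above).
# Arguments: project topic
topic_resource_name() {
  printf 'projects/%s/topics/%s' "$1" "$2"
}

# Steps 01 to 06: topic, subscription, and the IAM binding for the service agent.
# Arguments: project topic subscription
prepare_notification_topic() {
  project="$1"; topic="$2"; subscription="$3"
  number=$($GCLOUD projects describe "$project" --format="value(projectNumber)")
  $GCLOUD pubsub topics create "$topic" --project "$project"
  $GCLOUD pubsub subscriptions create "$subscription" \
    --topic="$topic" --topic-project="$project"
  $GCLOUD pubsub topics add-iam-policy-binding "$topic" --project "$project" \
    --member="serviceAccount:$(secretmanager_service_agent "$number")" \
    --role="roles/pubsub.publisher"
}

# Steps 07 to 10 for one secret: attach the topic, then set the schedule.
# Arguments: project secret topic rotation_period next_rotation_time
configure_secret_rotation() {
  project="$1"; secret="$2"; topic="$3"; period="$4"; next="$5"
  $GCLOUD secrets update "$secret" --project "$project" \
    --add-topics "$(topic_resource_name "$project" "$topic")"
  $GCLOUD secrets update "$secret" --project "$project" \
    --rotation-period="$period" --next-rotation-time="$next"
}

# Usage: sh rotation.sh --apply PROJECT TOPIC SUBSCRIPTION PERIOD NEXT_TIME SECRET...
# e.g.   sh rotation.sh --apply cc-project5-123123 cc-rotation-schedule-topic \
#          cc-rotation-schedule-subscription 2592000s 2025-09-10T15:30:00-05:00 \
#          cc-project5-api-key cc-project5-db-access
if [ "${1:-}" = "--apply" ] && [ $# -ge 7 ]; then
  shift
  project="$1"; topic="$2"; subscription="$3"; period="$4"; next="$5"
  shift 5
  prepare_notification_topic "$project" "$topic" "$subscription"
  for secret in "$@"; do
    configure_secret_rotation "$project" "$secret" "$topic" "$period" "$next"
  done
fi
```

Setting `GCLOUD=echo` before running the script prints every command instead of executing it, which is a cheap way to review the exact IAM binding and resource names before applying them to a project.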


Publication date Aug 8, 2025