[airbyte-platform] Google Secret Manager regional secrets broken + missing CMEK support

[erik-astranis]

Describe the issue

The Google Secret Manager persistence has partial support for regional secrets, but several bugs prevent it from working correctly:

1. Missing version suffix in regional secret path

In getSecret(), the regional resource name is constructed without /versions/latest:

// Current (broken)
val resourceName = "projects/$projectId/locations/$region/secrets/${coordinate.fullCoordinate}"
// Should be
val resourceName = "projects/$projectId/locations/$region/secrets/${coordinate.fullCoordinate}/versions/$LATEST_VERSION"

This causes accessSecretVersion() to fail because it requires a version reference.

2. Replication policy incompatible with regional secrets

getReplicationPolicy() always returns Automatic replication, but regional secrets cannot use automatic replication. Attempting to create a regional secret with automatic replication results in an API error from Google.

3. No CMEK (Customer-Managed Encryption Keys) support

Regional secrets often require CMEK for compliance. There is currently no way to specify a KMS key name for encrypting secrets at rest.

Expected behavior

• Regional secrets should be readable (include /versions/latest in resource path)
• Regional secrets should be creatable (skip automatic replication policy)
• CMEK should be configurable via kmsKeyName in SecretPersistenceConfig or via SECRET_STORE_GCP_KMS_KEY_NAME env var for system-level secrets

Affected file

airbyte-config/config-secrets/src/main/kotlin/secrets/persistence/GoogleSecretManagerPersistence.kt

---

Internal Tracking: https://github.com/airbytehq/oncall/issues/11695

[octavia-bot]

AI Triage Starting...

Thank you for opening this issue! I'm an AI assistant that will do an initial review and may:

• Ask clarifying questions if needed
• Suggest relevant documentation or workarounds
• Flag this for internal visibility

Note: Community issues are reviewed on a best-effort basis and do not have a guaranteed response time. For additional help:

• Join the Airbyte Community Slack to connect with other users and community members
• If you're an Airbyte Cloud customer, you can open a support ticket or contact your account representative, referencing this issue URL

View playbook

• 🔗 Session URL: https://app.devin.ai/sessions/97ce9f85854a4832a21bb5c5203b3e69

✅ Devin AI session created successfully!

[devin-ai-integration]

Hi erik-astranis, thank you for reporting this issue!

This is a very well-documented bug report — the three distinct problems you've identified in GoogleSecretManagerPersistence.kt are clearly laid out with code references, which is very helpful.

To summarize what I see here:

1. Missing /versions/latest suffix — The regional secret path in getSecret() is missing the version reference, causing accessSecretVersion() to fail.
2. Replication policy incompatible with regional secrets — getReplicationPolicy() always returns Automatic, which is invalid for regional secrets.
3. No CMEK support — Regional secrets often require customer-managed encryption keys for compliance, and there's currently no way to configure a KMS key.

I've escalated this to the internal engineering team for investigation. Note that item #2 (the replication policy issue) has also been reported by another community member and is tracked in an existing internal issue.

I'll follow up shortly with the internal tracking link.

---

Need more help? Join Airbyte Community Slack for peer support, or if you're a Cloud customer, open a support ticket referencing this URL.

[erik-astranis]

PR submitted: airbytehq/airbyte-platform#438

These changes have been tested and are running in production on our self-hosted Airbyte deployment.

[devin-ai-integration]

This issue is being tracked internally: https://github.com/airbytehq/oncall/issues/11695