### Describe the issue

The Google Secret Manager persistence has partial support for regional secrets, but several bugs prevent it from working correctly:

**1. Missing version suffix in regional secret path**

In `getSecret()`, the regional resource name is constructed without `/versions/latest`:

```kotlin
// Current (broken)
val resourceName = "projects/$projectId/locations/$region/secrets/${coordinate.fullCoordinate}"
// Should be
val resourceName = "projects/$projectId/locations/$region/secrets/${coordinate.fullCoordinate}/versions/$LATEST_VERSION"
```

This causes `accessSecretVersion()` to fail because it requires a version reference.

**2. Replication policy incompatible with regional secrets**

`getReplicationPolicy()` always returns `Automatic` replication, but regional secrets cannot use automatic replication. Attempting to create a regional secret with automatic replication results in an API error from Google.

**3. No CMEK (Customer-Managed Encryption Keys) support**

Regional secrets often require CMEK for compliance. There is currently no way to specify a KMS key name for encrypting secrets at rest.

### Expected behavior

- Regional secrets should be readable (include `/versions/latest` in the resource path)
- Regional secrets should be creatable (skip the automatic replication policy)
- CMEK should be configurable via `kmsKeyName` in `SecretPersistenceConfig` or via the `SECRET_STORE_GCP_KMS_KEY_NAME` env var for system-level secrets
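The three expectations above, written out as an added example that is not Airbyte's `GoogleSecretManagerPersistence.kt` and uses no Google client library: it builds the version-qualified resource name, rejects names that lack a version segment (the guard that would have caught bug 1), and picks the replication/CMEK setting from config with the env-var fallback. `SECRET_STORE_GCP_KMS_KEY_NAME` and `LATEST_VERSION` come from the issue; `ReplicationChoice`, `requireVersioned` and `secretVersionName` are assumed names.

```kotlin
// Added example, not the project's code. Pure Kotlin; the real persistence layer would map
// ReplicationChoice onto the Secret Manager client's builders.
const val LATEST_VERSION = "latest"

// Builds the name accessSecretVersion() needs. region == null means a global secret.
fun secretVersionName(projectId: String, region: String?, secretId: String, version: String = LATEST_VERSION): String {
    require(projectId.isNotBlank() && secretId.isNotBlank()) { "projectId and secretId must not be blank" }
    val base = if (region == null) {
        "projects/$projectId/secrets/$secretId"
    } else {
        "projects/$projectId/locations/$region/secrets/$secretId"
    }
    return "$base/versions/$version"
}

// Accepts only global or regional names that carry a /versions/<id> segment.
private val VERSIONED = Regex("""^projects/[^/]+/(locations/[^/]+/)?secrets/[^/]+/versions/[^/]+$""")

// Fails fast on a secret name without a version, instead of letting the API call fail later.
fun requireVersioned(resourceName: String): String {
    check(VERSIONED.matches(resourceName)) { "not a secret version name: $resourceName" }
    return resourceName
}

// What a create call should send. Omit = no replication policy at all (regional secrets).
sealed class ReplicationChoice {
    data class Automatic(val kmsKeyName: String?) : ReplicationChoice()
    data class Omit(val region: String, val kmsKeyName: String?) : ReplicationChoice()
}

// Config value wins; the env var is the system-level fallback; blank values count as unset.
fun replicationFor(region: String?, configKmsKeyName: String?): ReplicationChoice {
    val kms = configKmsKeyName?.takeIf { it.isNotBlank() }
        ?: System.getenv("SECRET_STORE_GCP_KMS_KEY_NAME")?.takeIf { it.isNotBlank() }
    return if (region == null) ReplicationChoice.Automatic(kms) else ReplicationChoice.Omit(region, kms)
}

fun main() {
    // Constructed sample values, not real project or secret ids.
    println(requireVersioned(secretVersionName("my-project", "us-central1", "airbyte_workspace_abc")))
    println(requireVersioned(secretVersionName("my-project", null, "airbyte_workspace_abc")))
    println(replicationFor("us-central1", "projects/my-project/locations/us-central1/keyRings/r/cryptoKeys/k"))
    // The broken path from the issue is rejected before any API call is made.
    runCatching { requireVersioned("projects/my-project/locations/us-central1/secrets/airbyte_workspace_abc") }
        .onFailure { println("rejected: ${it.message}") }
}
```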
### Affected file

`airbyte-config/config-secrets/src/main/kotlin/secrets/persistence/GoogleSecretManagerPersistence.kt`

Internal Tracking: https://github.com/airbytehq/oncall/issues/11695