The gcp:parametermanager/parameter:Parameter resource, part of the Pulumi GCP provider, defines a Parameter Manager parameter: its identifier, format type, labels, and encryption settings. This guide focuses on three capabilities: basic parameter creation, format specification for structured data, and labeling and KMS encryption.
Parameters require a GCP project with Parameter Manager API enabled. Encryption requires an existing Cloud KMS CryptoKey. The examples are intentionally small. Combine them with your own version management and IAM policies.
Create a parameter with minimal configuration
Most deployments start with a parameter ID, letting GCP apply default settings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const parameter_basic = new gcp.parametermanager.Parameter("parameter-basic", {parameterId: "parameter"});
import pulumi
import pulumi_gcp as gcp
parameter_basic = gcp.parametermanager.Parameter("parameter-basic", parameter_id="parameter")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := parametermanager.NewParameter(ctx, "parameter-basic", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var parameter_basic = new Gcp.ParameterManager.Parameter("parameter-basic", new()
{
ParameterId = "parameter",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var parameter_basic = new Parameter("parameter-basic", ParameterArgs.builder()
.parameterId("parameter")
.build());
}
}
resources:
parameter-basic:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
The parameterId property sets a unique identifier within the project. Without additional configuration, the parameter uses UNFORMATTED format and Google-managed encryption. The parameter resource itself doesn’t store values; those are managed through separate version resources.
Specify parameter format for structured data
When parameters store JSON or YAML configuration, declaring the format enables validation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const parameter_with_format = new gcp.parametermanager.Parameter("parameter-with-format", {
parameterId: "parameter",
format: "JSON",
});
import pulumi
import pulumi_gcp as gcp
parameter_with_format = gcp.parametermanager.Parameter("parameter-with-format",
parameter_id="parameter",
format="JSON")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := parametermanager.NewParameter(ctx, "parameter-with-format", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
Format: pulumi.String("JSON"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var parameter_with_format = new Gcp.ParameterManager.Parameter("parameter-with-format", new()
{
ParameterId = "parameter",
Format = "JSON",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var parameter_with_format = new Parameter("parameter-with-format", ParameterArgs.builder()
.parameterId("parameter")
.format("JSON")
.build());
}
}
resources:
parameter-with-format:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
format: JSON
The format property tells Parameter Manager what structure to expect in parameter versions. Setting it to JSON or YAML helps downstream tools parse the content correctly. The default UNFORMATTED format accepts any string data.
Tag parameters with organizational metadata
Teams use labels to organize parameters by environment, application, or cost center.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const parameter_with_labels = new gcp.parametermanager.Parameter("parameter-with-labels", {
parameterId: "parameter",
labels: {
key1: "val1",
key2: "val2",
key3: "val3",
key4: "val4",
key5: "val5",
},
});
import pulumi
import pulumi_gcp as gcp
parameter_with_labels = gcp.parametermanager.Parameter("parameter-with-labels",
parameter_id="parameter",
labels={
"key1": "val1",
"key2": "val2",
"key3": "val3",
"key4": "val4",
"key5": "val5",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := parametermanager.NewParameter(ctx, "parameter-with-labels", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
Labels: pulumi.StringMap{
"key1": pulumi.String("val1"),
"key2": pulumi.String("val2"),
"key3": pulumi.String("val3"),
"key4": pulumi.String("val4"),
"key5": pulumi.String("val5"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var parameter_with_labels = new Gcp.ParameterManager.Parameter("parameter-with-labels", new()
{
ParameterId = "parameter",
Labels =
{
{ "key1", "val1" },
{ "key2", "val2" },
{ "key3", "val3" },
{ "key4", "val4" },
{ "key5", "val5" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var parameter_with_labels = new Parameter("parameter-with-labels", ParameterArgs.builder()
.parameterId("parameter")
.labels(Map.ofEntries(
Map.entry("key1", "val1"),
Map.entry("key2", "val2"),
Map.entry("key3", "val3"),
Map.entry("key4", "val4"),
Map.entry("key5", "val5")
))
.build());
}
}
resources:
parameter-with-labels:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
labels:
key1: val1
key2: val2
key3: val3
key4: val4
key5: val5
The labels property adds key-value metadata for filtering and cost tracking. Labels follow GCP naming rules: keys must start with a lowercase letter, and both keys and values have length and character restrictions. You can attach up to 64 labels per parameter.
Encrypt parameter versions with Cloud KMS
Sensitive configuration often requires customer-managed encryption keys for compliance.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const project = gcp.organizations.getProject({});
const parameter_with_kms_key = new gcp.parametermanager.Parameter("parameter-with-kms-key", {
parameterId: "parameter",
kmsKey: "kms-key",
});
import pulumi
import pulumi_gcp as gcp
project = gcp.organizations.get_project()
parameter_with_kms_key = gcp.parametermanager.Parameter("parameter-with-kms-key",
parameter_id="parameter",
kms_key="kms-key")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
_, err = parametermanager.NewParameter(ctx, "parameter-with-kms-key", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
KmsKey: pulumi.String("kms-key"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var project = Gcp.Organizations.GetProject.Invoke();
var parameter_with_kms_key = new Gcp.ParameterManager.Parameter("parameter-with-kms-key", new()
{
ParameterId = "parameter",
KmsKey = "kms-key",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var parameter_with_kms_key = new Parameter("parameter-with-kms-key", ParameterArgs.builder()
.parameterId("parameter")
.kmsKey("kms-key")
.build());
}
}
resources:
parameter-with-kms-key:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
kmsKey: kms-key
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The kmsKey property specifies a Cloud KMS CryptoKey to encrypt parameter version payloads. The format must be projects/{project}/locations/global/keyRings/{key_ring}/cryptoKeys/{crypto_key}. This gives you control over key rotation and access policies.
Beyond these examples
These snippets focus on specific parameter-level features: parameter creation and identification, format specification for structured data, and labeling and KMS encryption. They’re intentionally minimal rather than complete configuration management solutions.
The examples assume pre-existing infrastructure such as a GCP project with Parameter Manager API enabled, and a Cloud KMS CryptoKey for the encryption example. They focus on parameter resource configuration rather than version management or value storage.
To keep things focused, common parameter patterns are omitted, including:
- Parameter version creation and management
- IAM policy configuration (policyMembers)
- Parameter value storage and retrieval
- Version lifecycle and rotation
These omissions are intentional: the goal is to illustrate how each parameter feature is wired, not provide drop-in configuration management modules. See the Parameter Manager Parameter resource reference for all available configuration options.
Let's create GCP Parameter Manager Parameters
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Immutability
parameterId, project, and format. Changing any of these requires recreating the resource.UNFORMATTED (default), YAML, and JSON. The format is immutable after creation.project property is required but defaults to your provider project if not specified. Once set, it’s immutable.Labels & Metadata
labels field only manages labels in your Pulumi configuration, while effectiveLabels shows all labels on the resource, including those set by other clients and services.[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}. Label values must be 0-63 characters matching [\p{Ll}\p{Lo}\p{N}_-]{0,63}. Maximum 64 labels per resource, with UTF-8 encoding limited to 128 bytes.Encryption & Security
kmsKey property with the full CryptoKey resource name in format projects/{{project}}/locations/global/keyRings/{{key_ring}}/cryptoKeys/{{crypto_key}}.Import & Migration
projects/{{project}}/locations/global/parameters/{{parameter_id}}), project and ID ({{project}}/{{parameter_id}}), or just the parameter ID ({{parameter_id}}).