feat: add ADK Secret Manager sample agents with global and regional support and pytest integration (#14101)

Co-authored-by: Amit Modak <amitmodak@google.com>

Author: amitmodak

secretmanager/snippets-adk/README.md

@@ -0,0 +1,99 @@
+# ADK Secret Manager Samples
+
+This directory contains samples demonstrating how to use the Agent Development Kit (ADK) with Google Cloud Secret Manager.
+
+## Folders
+*   `agent_global`: Sample for accessing secrets from a global Secret Manager instance.
+*   `agent_regional`: Sample for accessing secrets from a regional Secret Manager endpoint.
+
+## Prerequisites
+
+1.  **Create and activate a virtual environment**:
+    ```bash
+    python3 -m venv .venv
+    source .venv/bin/activate
+    ```
+
+2.  **Set up Application Default Credentials**:
+    ```bash
+    gcloud auth application-default login
+    ```
+
+3.  **Install dependencies**:
+    You need to install dependencies for the specific sample or test you want to run.
+    
+    For global agent samples and tests:
+    ```bash
+    pip install -r agent_global/requirements.txt
+    ```
+
+    For regional agent samples and tests:
+    ```bash
+    pip install -r agent_regional/requirements.txt
+    ```
+
+4.  **Set up environment variables**:
+    *   `GOOGLE_CLOUD_PROJECT`: Your Google Cloud Project ID. (Required for both samples and tests).
+    
+    The following environment variables are **only required when running the samples manually**. The tests will generate and use their own temporary secrets automatically.
+    
+    *   `ADK_TEST_SECRET_ID`: The ID of the secret to access.
+    *   `ADK_TEST_SECRET_VERSION` (Optional): The version of the secret (defaults to `latest`).
+    *   `GOOGLE_CLOUD_PROJECT_LOCATION` (Required for regional samples): The region where the secret is located (e.g., `us-central1`).
+
+## Running the Samples
+
+The samples are designed to be run from this directory (`snippets-adk`) using the `adk run` command.
+
+### Global Secret Manager Agent
+
+1.  **Create a `.env` file** alongside `agent_global.py` in the `agent_global` directory:
+    ```env
+    GOOGLE_GENAI_USE_VERTEXAI=1
+    GOOGLE_CLOUD_PROJECT=your-project-id
+    GOOGLE_CLOUD_LOCATION=your-region
+    ```
+    *Note: Replace `your-project-id` with your GCP project ID and `your-region` with your desired region.*
+
+2.  **Run the agent**:
+    ```bash
+    export GOOGLE_CLOUD_PROJECT="your-project-id"
+    export ADK_TEST_SECRET_ID="your-secret-id"
+    adk run agent_global
+    ```
+
+### Regional Secret Manager Agent
+
+1.  **Create a `.env` file** alongside `agent_regional.py` in the `agent_regional` directory:
+    ```env
+    GOOGLE_GENAI_USE_VERTEXAI=1
+    GOOGLE_CLOUD_PROJECT=your-project-id
+    GOOGLE_CLOUD_LOCATION=your-region
+    ```
+    *Note: Replace `your-project-id` with your GCP project ID and `your-region` with your desired region.*
+
+2.  **Run the agent**:
+    ```bash
+    export GOOGLE_CLOUD_PROJECT="your-project-id"
+    export GOOGLE_CLOUD_PROJECT_LOCATION="your-region"
+    export ADK_TEST_SECRET_ID="your-secret-id"
+    adk run agent_regional
+    ```
+
+## Running the Tests
+
+The tests are located within the specific agent folders and run the samples using `adk run`.
+
+To run tests for the global agent:
+```bash
+pip install -r agent_global/requirements.txt
+pip install -r agent_global/requirements-test.txt
+pytest agent_global/snippets_adk_test.py
+```
+
+To run tests for the regional agent:
+```bash
+pip install -r agent_regional/requirements.txt
+pip install -r agent_regional/requirements-test.txt
+pytest agent_regional/snippets_adk_test.py
+```

secretmanager/snippets-adk/agent_global/agent.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+ADK agent for accessing secrets from global Secret Manager.
+"""
+
+import os
+
+from google.adk import Agent
+from google.adk.integrations.secret_manager.secret_client import SecretManagerClient
+
+# Fetch secret from global Secret Manager
+project_id = os.environ.get("GOOGLE_CLOUD_PROJECT")
+secret_id = os.environ.get("ADK_TEST_SECRET_ID")
+secret_version = os.environ.get("ADK_TEST_SECRET_VERSION", "latest")
+
+if not project_id or not secret_id:
+    raise ValueError("GOOGLE_CLOUD_PROJECT and ADK_TEST_SECRET_ID environment variables must be set.")
+
+resource_name = f"projects/{project_id}/secrets/{secret_id}/versions/{secret_version}"
+
+print("Fetching secret from global Secret Manager...")
+# Initialize Secret Manager Client (Global)
+client = SecretManagerClient()
+
+# Fetch secret
+try:
+    secret_payload = client.get_secret(resource_name)
+    print("Successfully fetched secret.")
+    # The secret_payload can now be used by the agent or its tools as required.
+except Exception as e:
+    print(f"Error fetching secret: {e}")
+    raise e
+
+# Initialize Agent
+root_agent = Agent(
+    model='gemini-2.5-flash',
+    name='root_agent',
+    description='A helpful assistant for user questions.',
+    instruction='Answer user questions to the best of your knowledge',
+)
+
+print("Agent initialized successfully.")

secretmanager/snippets-adk/agent_global/noxfile_config.py

@@ -0,0 +1,38 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default TEST_CONFIG_OVERRIDE for python repos.
+
+# You can copy this file into your directory, then it will be inported from
+# the noxfile.py.
+
+# The source of truth:
+# https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/noxfile_config.py
+
+TEST_CONFIG_OVERRIDE = {
+    # You can opt out from the test for specific Python versions.
+    "ignored_versions": ["2.7", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12"],
+    # Old samples are opted out of enforcing Python type hints
+    # All new samples should feature them
+    "enforce_type_hints": True,
+    # An envvar key for determining the project id to use. Change it
+    # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
+    # build specific Cloud project. You can also use your own string
+    # to use your own Cloud project.
+    "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
+    # "gcloud_project_env": "BUILD_SPECIFIC_GCLOUD_PROJECT",
+    # A dictionary you want to inject into your test. Don't put any
+    # secrets here. These values will override predefined values.
+    "envs": {},
+}

secretmanager/snippets-adk/agent_global/requirements-test.txt

@@ -0,0 +1 @@
+pytest==8.2.0

secretmanager/snippets-adk/agent_global/requirements.txt

@@ -0,0 +1 @@
+google-adk>=1.29

secretmanager/snippets-adk/agent_global/snippets_adk_test.py

@@ -0,0 +1,102 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+
+import os
+import subprocess
+import time
+from typing import Iterator
+import uuid
+
+from google.api_core import exceptions
+from google.cloud import secretmanager
+import pytest
+
+CURRENT_DIR = os.path.dirname(os.path.abspath(__file__))
+PARENT_DIR = os.path.dirname(CURRENT_DIR)
+
+
+@pytest.fixture()
+def client() -> secretmanager.SecretManagerServiceClient:
+    return secretmanager.SecretManagerServiceClient()
+
+
+@pytest.fixture()
+def project_id() -> str:
+    return os.environ["GOOGLE_CLOUD_PROJECT"]
+
+
+@pytest.fixture()
+def secret_id(
+    client: secretmanager.SecretManagerServiceClient, project_id: str
+) -> Iterator[str]:
+    secret_id = f"python-adk-test-{uuid.uuid4()}"
+    yield secret_id
+
+    # Teardown: delete the secret
+    secret_path = client.secret_path(project_id, secret_id)
+    print(f"Deleting secret {secret_id}...")
+    try:
+        # Wait a bit to avoid conflicts if operations are still pending
+        time.sleep(2)
+        client.delete_secret(request={"name": secret_path})
+    except exceptions.NotFound:
+        pass
+
+
+def test_agent_global(
+    client: secretmanager.SecretManagerServiceClient, project_id: str, secret_id: str
+) -> None:
+    # Create the secret
+    parent = f"projects/{project_id}"
+    print(f"Creating secret {secret_id}...")
+    client.create_secret(
+        request={
+            "parent": parent,
+            "secret_id": secret_id,
+            "secret": {"replication": {"automatic": {}}},
+        }
+    )
+
+    # Add a version
+    secret_path = client.secret_path(project_id, secret_id)
+    print(f"Adding version to {secret_id}...")
+    client.add_secret_version(
+        request={
+            "parent": secret_path,
+            "payload": {"data": b"test-payload"},
+        }
+    )
+
+    # Set environment variables required by the agent
+    # GOOGLE_CLOUD_PROJECT is already set in the environment (required to run this test)
+    os.environ["ADK_TEST_SECRET_ID"] = secret_id
+    os.environ["ADK_TEST_SECRET_VERSION"] = "latest"
+
+    print(f"Running adk run agent_global from {PARENT_DIR}...")
+    # Run the sample using adk run
+    result = subprocess.run(
+        ["adk", "run", "agent_global"],
+        input="exit\n",
+        capture_output=True,
+        text=True,
+        cwd=PARENT_DIR,
+    )
+
+    print("STDOUT:")
+    print(result.stdout)
+    print("STDERR:")
+    print(result.stderr)
+
+    assert result.returncode == 0
+    assert "Successfully fetched secret" in result.stdout
+    assert "Agent initialized successfully" in result.stdout

secretmanager/snippets-adk/agent_regional/agent.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+"""
+ADK agent for accessing secrets from regional Secret Manager.
+"""
+
+import os
+
+from google.adk import Agent
+from google.adk.integrations.secret_manager.secret_client import SecretManagerClient
+
+# Fetch secret from regional Secret Manager
+project_id = os.environ.get("GOOGLE_CLOUD_PROJECT")
+location = os.environ.get("GOOGLE_CLOUD_PROJECT_LOCATION")
+secret_id = os.environ.get("ADK_TEST_SECRET_ID")
+secret_version = os.environ.get("ADK_TEST_SECRET_VERSION", "latest")
+
+if not project_id or not location or not secret_id:
+    raise ValueError("GOOGLE_CLOUD_PROJECT, GOOGLE_CLOUD_PROJECT_LOCATION, and ADK_TEST_SECRET_ID environment variables must be set.")
+
+resource_name = f"projects/{project_id}/locations/{location}/secrets/{secret_id}/versions/{secret_version}"
+
+print(f"Fetching secret from regional Secret Manager ({location})...")
+# Initialize Secret Manager Client (Regional)
+client = SecretManagerClient(location=location)
+
+# Fetch secret
+try:
+    secret_payload = client.get_secret(resource_name)
+    print("Successfully fetched secret.")
+    # The secret_payload can now be used by the agent or its tools as required.
+except Exception as e:
+    print(f"Error fetching secret: {e}")
+    raise e
+
+# Initialize the agent
+root_agent = Agent(
+    model='gemini-2.5-flash',
+    name='root_agent',
+    description='A helpful assistant for user questions.',
+    instruction='Answer user questions to the best of your knowledge',
+)
+
+print("Agent initialized successfully.")

secretmanager/snippets-adk/agent_regional/noxfile_config.py

@@ -0,0 +1,38 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default TEST_CONFIG_OVERRIDE for python repos.
+
+# You can copy this file into your directory, then it will be inported from
+# the noxfile.py.
+
+# The source of truth:
+# https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/noxfile_config.py
+
+TEST_CONFIG_OVERRIDE = {
+    # You can opt out from the test for specific Python versions.
+    "ignored_versions": ["2.7", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12"],
+    # Old samples are opted out of enforcing Python type hints
+    # All new samples should feature them
+    "enforce_type_hints": True,
+    # An envvar key for determining the project id to use. Change it
+    # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a
+    # build specific Cloud project. You can also use your own string
+    # to use your own Cloud project.
+    "gcloud_project_env": "GOOGLE_CLOUD_PROJECT",
+    # "gcloud_project_env": "BUILD_SPECIFIC_GCLOUD_PROJECT",
+    # A dictionary you want to inject into your test. Don't put any
+    # secrets here. These values will override predefined values.
+    "envs": {},
+}

secretmanager/snippets-adk/agent_regional/requirements-test.txt

@@ -0,0 +1 @@
+pytest==8.2.0