Use GCloud CLI to list secrets that have label but no value

Question

We use labels in Secret Manager to label secrets corresponding to a particular service, for example, "reports" vs "rostering", and I would like to be able to list secrets with such a label, however, these labels have no value, so this fails to return any results:

gcloud secrets list --filter="labels.reports:*"

How can I use the gcloud CLI to list secrets matching a label with no value?

Answer 1

You can only achieve the desired filtering effect for valueless labels by looking for those that are less than one of the last ASCII characters:

gcloud secrets --project 'khan-academy' list --format json --filter 'labels.reports<}'

The GCP console (where regular valueless label filtering works) sends an HTTP request to https://cloudconsole-pa.clients6.google.com/v3/entityServices/SecretsEntityService/schemas/SECRETS_GRAPHQL:batchGraphql, with payload:

{locale: "en_US", orderBy: [{field: "name", order: "ASCENDING"}], filter: "labels:prod#*"}

However, labels:prod#* doesn't work with the gcloud CLI.