The roles/secretmanager.admin role grants every Secret Manager permission, including secretmanager.versions.access, so an admin can read secret payloads. To let a principal manage secrets and their versions without being able to view the values, grant two narrower roles instead: roles/secretmanager.secretManager (create, update and delete secrets) and roles/secretmanager.secretVersionManager (create, enable, disable and destroy versions). Neither role includes secretmanager.versions.access.
roles/secretmanager.viewer allows viewing secret metadata but not payloads, and roles/secretmanager.secretAccessor grants payload access. To manage without viewing, combine only roles that exclude secretmanager.versions.access.
The permission lists confirm this. roles/secretmanager.secretManager contains secretmanager.secrets.create, secretmanager.secrets.delete, secretmanager.secrets.get, secretmanager.secrets.update and secretmanager.secrets.list; it does not contain secretmanager.versions.access. roles/secretmanager.secretVersionManager contains secretmanager.versions.create, secretmanager.versions.disable, secretmanager.versions.destroy, secretmanager.versions.enable, secretmanager.versions.get and secretmanager.versions.list; it does not contain secretmanager.versions.access either.
Granting both roles therefore allows a principal to manage secrets and versions without reading payloads, whereas roles/secretmanager.viewer exposes only metadata and roles/secretmanager.secretAccessor exposes payloads. The correct pair is secretManager plus secretVersionManager.
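Because predefined role contents can change, the check worth automating is "do the roles I am about to grant cover the management permissions without any of them carrying secretmanager.versions.access?". The following is an added example, not Google's tooling or code from the text: it parses the YAML shape printed by `gcloud iam roles describe ROLE` and audits a role combination against the permission lists quoted above; the embedded role documents are constructed samples built from those lists.

```python
"""Audit whether a set of Secret Manager roles manages secrets and versions without payload access."""
PAYLOAD_ACCESS = "secretmanager.versions.access"

# Management permissions, taken from the role permission lists quoted above.
MANAGE = ({f"secretmanager.secrets.{v}" for v in "create delete get update list".split()}
          | {f"secretmanager.versions.{v}" for v in "create disable destroy enable get list".split()})

def parse_role_describe(text):
    """Extract (role name, permission set) from the YAML printed by
    `gcloud iam roles describe ROLE`; only `includedPermissions` and `name` are read."""
    name, perms, in_list = None, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("includedPermissions:"):
            in_list = True
        elif in_list and line.startswith("- "):
            perms.add(line[2:].strip())
        else:
            in_list = False
            if line.startswith("name:"):
                name = line.split(":", 1)[1].strip()
    return name, perms

def audit(role_docs, required=MANAGE):
    """Union the granted roles' permissions; report gaps in management
    coverage and any role that also grants payload access."""
    roles = dict(parse_role_describe(d) for d in role_docs)
    effective = set().union(*roles.values())
    leaking = sorted(r for r, p in roles.items() if PAYLOAD_ACCESS in p)
    missing = sorted(required - effective)
    return {"ok": not missing and not leaking,
            "missing": missing, "payload_access_via": leaking}

# Constructed sample `gcloud iam roles describe` output, built from the
# permission lists quoted in the text (compare against the live definitions).
SECRET_MANAGER = """includedPermissions:
- secretmanager.secrets.create
- secretmanager.secrets.delete
- secretmanager.secrets.get
- secretmanager.secrets.list
- secretmanager.secrets.update
name: roles/secretmanager.secretManager
"""
VERSION_MANAGER = """includedPermissions:
- secretmanager.versions.create
- secretmanager.versions.destroy
- secretmanager.versions.disable
- secretmanager.versions.enable
- secretmanager.versions.get
- secretmanager.versions.list
name: roles/secretmanager.secretVersionManager
"""
```

In practice, feed `audit` the real `gcloud iam roles describe` output for each role you intend to bind; a non-empty `payload_access_via` means the combination can read secret values.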