Secrets such as aws key and secret, google service account json, database id and password etc. can be easily encrypted and decrypted with https://cloud.google.com/kms/. Cloud KMS does not directly store secrets. It can encrypt secrets that you store elsewhere, i.e. the key itself is stored within KMS.
Let's illustrate with a real world example step by step. We can encrypt and decrypt a service account json file for compute instances. These instances are a part of an elasticsearch cluster. The google cloud admin creates the service account. The service account is used by the Terraform to provision the compute instances as shown in https://www.terraform.io/docs/providers/google/r/compute_instance.html. The developers want a copy of the service account 's json file so that they can develop & test with the elasticsearch cluster. The google cloud admin creates the plain text service json file, where and how to store it safely and securely? Storing on admin's laptop is not 100% safe and secur