Reputation: 381
Can't access secret stored in Secrets Manager from Google Cloud Function
While testing a Google Cloud Function I wrote that attempts to access a secret stored in the Secret Manager, I get this error: Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource '<resource-name>' (or it may not exist).
My code:
const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
const secretClient = new SecretManagerServiceClient();
...
const [version] = await secretClient.accessSecretVersion({
name: secretName
});
const secret = version.payload.data.toString();
I've followed the steps in the documentation, specifying the full name of the secret in the call to the service (projects/<project-id>/secrets/<secret-name>/versions/latest, so the problem in Can't access secret in GCP Secret Manager doesn't apply here) and giving the service account that runs my cloud functions the "Secret Manager Secret Accessor" role (which should rule out the root problem in Why isn't my Firebase app connecting to Google Secret Manager?).
I've seen this issue both when trying to trigger the function locally using curl and when testing it in the UI (GCF > Function details > Testing).
Is there anything I'm missing here?
Upvotes: 10
Views: 19485
Answers (3)
Reputation: 3201
All other answers here are valid and useful, however, one might need one more piece of advice that solved a problem for me: I was using a wrong secret name. I used the "short" secret name, e.g. MY_SECRET_NAME string. While to make things work, the full qualified secret name should be used, e.g. projects/<MY_PROJECT_ID>/secrets/<MY_SECRET_NAME>. When I changed this, everything worked :)
Upvotes: 3
Reputation: 131
In addition to the other suggestions, I found I had to give Secret Manager Secret Accessor access to the Default compute service account (i.e. <project_number>[email protected]).
I suspect this is as there is a sanity check as part of the Cloud Build process when building the Cloud Function that executes the top level python file. Since I access the secrets registry at this level, the Compute service account also needs access.
Upvotes: 4
Reputation: 381
It turns out that I gave the "Secret Manager Secret Accessor" role to the wrong service account - I gave it to the GCF administrative service account, which is used to create/update/delete functions (service-<project-id>@gcf-admin-robot.iam.gserviceaccount.com) instead of to the runtime service account, which is what's actually used to run the function (<project-id>@appspot.gserviceaccount.com).
Once I added the role above (among others the function needed) to the runtime service account, the function completed successfully.
Upvotes: 21
Related Questions
- Can't access secret in GCP Secret Manager
- Could not fetch secret while deploying Google Cloud Function
- GCP Cloud Function not mounting latest secret from Secret Manager
- Not able to access gcp secret manager from standalone go application
- accessing secret from google secret manager
- GCP 2nd generation Cloud Functions: How can I use Secrets?
- Google Cloud Secret Coming Out As "(MISSING)"
- Google Secret Manager secrets do not seem to work yet I can find nothing wrong
- Problems on Accessing Secret Manager on Google Cloud
- How to access Secret Manager in Cloud Function node.js10?