user2797877

Reputation: 135

Google Secret Manager: unable to get value from Secret Manager with Spring Boot

I am unable to get a value from Secret Manager.

**application.properties:**

```properties
spring.secret.key=${sm://projects/154281748/secrets/serviceaccount/versions/1}
```

**bootstrap.properties:**

```properties
spring.cloud.gcp.secretmanager.enabled=true
spring.cloud.gcp.secretmanager.secret-name-prefix=sm://
```

**pom.xml:**

```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-gcp-starter-secretmanager</artifactId>
</dependency>
```

**Java code:**

```java
@Value("${spring.secret.key}")
private String key;
```

I am getting "//projects/154281748/secrets/serviceaccount/versions/1" as the value of `key`.

Upvotes: 0

Views: 1912

Answers (1)

guillaume blaquiere

Reputation: 75970

Deployment and runtime are 2 different things. At deployment, the user must have the permission to deploy a new service. You have 3 roles that you can find in the documentation.

At runtime, by default, the App Engine default service account is used. And, as you fill it, it's not a good practice because:

  • The default role is Editor, which grants the service account too many permissions
  • If you have 2 different services, both have the same permissions because they use the same identity (service account)

That's why they have finally released a great feature: user-managed service accounts.

You simply have to set the service account email in the app.yaml file, and that's all. You have a dedicated service account for your App Engine service.

Now you have the identity that you want at runtime. At runtime, you want to get a secret. So, you must grant the runtime identity the ability to access the secret.

HOWEVER, because you already have a specific and dedicated identity for your App Engine service, loading a service account key file from Secret Manager makes no sense! Use the runtime identity directly!

Upvotes: 1
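The setup the answer describes, as an added example that is not part of the question or the answer: a dedicated runtime service account, the `service_account` line for app.yaml, and a least-privilege binding of `roles/secretmanager.secretAccessor` on the single secret. `PROJECT_ID`, `SA_NAME`, the `java11` runtime and the display name are assumed placeholders; commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. PROJECT_ID,
# SA_NAME and SECRET_NAME are hypothetical placeholders; replace them.
# Commands are only printed (dry run) unless APPLY=1 is set.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"          # hypothetical project id
SA_NAME="${SA_NAME:-appengine-runtime}"         # dedicated runtime identity
SECRET_NAME="${SECRET_NAME:-serviceaccount}"    # secret named in the question
APPLY="${APPLY:-0}"

# Email of a user-managed service account: NAME@PROJECT.iam.gserviceaccount.com
sa_email() {
    printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# app.yaml fragment: 'service_account' makes App Engine run the service
# under the dedicated account instead of the default (Editor) account.
# 'runtime: java11' is an assumed value; use the runtime your service needs.
render_app_yaml() {
    printf 'runtime: java11\nservice_account: %s\n' "$(sa_email "$1" "$2")"
}

# Dry-run wrapper: print the command, or execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Create the identity, then grant it roles/secretmanager.secretAccessor on
# ONE secret only (least privilege), never Editor or a project-wide role.
provision() {
    sa="$(sa_email "$1" "$2")"
    run gcloud iam service-accounts create "$1" --project="$2" \
        --display-name="App Engine runtime identity"
    run gcloud secrets add-iam-policy-binding "$3" --project="$2" \
        --member="serviceAccount:$sa" --role=roles/secretmanager.secretAccessor
}

provision "$SA_NAME" "$PROJECT_ID" "$SECRET_NAME"
render_app_yaml "$SA_NAME" "$PROJECT_ID"
```

With this identity in place the service reads the secret through its own runtime credentials, so no service account key file needs to be stored in Secret Manager at all.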
