Can't access secret in GCP Secret Manager

I'm trying to migrate my code from using API keys stored in the .env file to using Google Cloud Platform Secrets Manager. I've followed the instructions here but I encounter an error saying that I don't have permissions to access the secret.

import * as admin from "firebase-admin"
import { SecretManagerServiceClient } from "@google-cloud/secret-manager"

const secretClient = new SecretManagerServiceClient()

async function main() {
  async function getSecret(): Promise<string | null | undefined> {
    const [version] = await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })

    return version.payload?.data?.toString()
  }

  const TELEGRAM_TOKEN = await getSecret()
}

And that's the error I get:

> node lib/app.js --telegram

{ Error: 7 PERMISSION_DENIED: Permission denied on resource project TELEGRAM_TOKEN.
    at Object.callErrorFromStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client.js:174:52)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:340:141)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:303:181)
    at Http2CallStream.outputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:114:27)
    at Http2CallStream.maybeOutputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:153:22)
    at Http2CallStream.endCall (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:140:18)
    at Http2CallStream.handleTrailers (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:262:14)
    at ClientHttp2Stream.emit (events.js:198:13)
    at emit (internal/http2/core.js:265:8)
  code: 7,
  details: 'Permission denied on resource project TELEGRAM_TOKEN.',
   Metadata {
      Map {
        'google.rpc.help-bin' => [Array],
        'grpc-status-details-bin' => [Array],
        'grpc-server-stats-bin' => [Array] },
     options: {} },
   'Exception occurred in retry method that was not classified as transient' }

I did create a Service Account with "Owner" permissions, downloaded it and ran export GOOGLE_APPLICATION_CREDENTIALS=/Users/.... My service account .json file location is correctly displayed when I execute echo $GOOGLE_APPLICATION_CREDENTIALS.

I have really no idea what I'm doing wrong.

Bartek Pacia asked Apr 18 '20 00:04

3 Answers

When you access a secret, you need to specify the project:

await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })

should be

await secretClient.accessSecretVersion({ name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest" })
sethvargo answered Oct 23 '22 06:10


I just encountered the same problem and I personally had to add /versions/latest after specifying the project name in the secret name.

await secretClient.accessSecretVersion({
  name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest"
})
someRandomDev answered Oct 23 '22 07:10


These answers guided me, but it took a long time for me to get this working. You need to enter the PROJECT_ID and not the Project-Name.

Find your Project ID:

The second column here shows the Project ID:

Now use that and run the script

await secretClient.accessSecretVersion({
  name: "projects/PROJECT_ID/secrets/SECRET_NAME/versions/latest"
})
Keet Sugathadasa answered Oct 23 '22 06:10
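
The three answers above come down to one rule: the name passed to accessSecretVersion must be the full path projects/PROJECT_ID/secrets/SECRET_NAME/versions/VERSION, built from the project ID rather than the display name. The check below is an added example, not code from any of the posters; the function names are hypothetical, the ID patterns are this example's assumptions, and domain-scoped project IDs are not handled.

```typescript
// Added example: validate a Secret Manager version name before calling the API,
// so a malformed name fails locally instead of surfacing as PERMISSION_DENIED.

// Project ID: 6-30 chars, lowercase letters, digits, hyphens; starts with a
// letter and does not end with a hyphen. A numeric project number also works.
const PROJECT_ID = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/
const PROJECT_NUMBER = /^[0-9]+$/
// Secret ID: letters, digits, hyphens, underscores, at most 255 chars.
const SECRET_ID = /^[A-Za-z0-9_-]{1,255}$/
// Version: a positive integer, or the alias "latest".
const VERSION = /^(latest|[1-9][0-9]*)$/

function secretVersionName(project: string, secret: string, version: string = "latest"): string {
  if (!PROJECT_ID.test(project) && !PROJECT_NUMBER.test(project)) {
    throw new Error(`"${project}" is not a project ID or number (display names do not work)`)
  }
  if (!SECRET_ID.test(secret)) throw new Error(`invalid secret ID "${secret}"`)
  if (!VERSION.test(version)) throw new Error(`invalid version "${version}"`)
  return `projects/${project}/secrets/${secret}/versions/${version}`
}

// Returns null for a well-formed name, otherwise a message naming the defect.
function explainSecretVersionName(name: string): string | null {
  const [p0 = "", project = "", p2 = "", secret = "", p4 = "", version = ""] = name.split("/")
  const count = name.split("/").length
  if (count === 1) {
    return "bare secret ID: use projects/<PROJECT_ID>/secrets/<SECRET_ID>/versions/<VERSION>"
  }
  if (count === 4 && p0 === "projects" && p2 === "secrets") {
    return "missing /versions/<VERSION> suffix (a number or latest)"
  }
  if (count !== 6 || p0 !== "projects" || p2 !== "secrets" || p4 !== "versions") {
    return "expected projects/<PROJECT_ID>/secrets/<SECRET_ID>/versions/<VERSION>"
  }
  try {
    secretVersionName(project, secret, version)
    return null
  } catch (e) {
    return (e as Error).message
  }
}
```

Call explainSecretVersionName on the name just before accessSecretVersion and throw if it returns a message; that way the bare "TELEGRAM_TOKEN" from the question is reported as a naming problem rather than a permissions one.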