I'm trying to migrate my code from using API keys stored in the .env file to using Google Cloud Platform Secrets Manager. I've followed the instructions here but I encounter an error saying that I don't have permissions to access the secret.

    import * as admin from "firebase-admin"
    import { SecretManagerServiceClient } from "@google-cloud/secret-manager"

    admin.initializeApp()

    const secretClient = new SecretManagerServiceClient()

    async function main() {
      async function getSecret(): Promise<string | null | undefined> {
        const [version] = await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })
        return version.payload?.data?.toString()
      }

      const TELEGRAM_TOKEN = await getSecret()
      console.log(TELEGRAM_TOKEN)
    }

    main().catch(console.error)

And that's the error I get:

    > node lib/app.js --telegram
    { Error: 7 PERMISSION_DENIED: Permission denied on resource project TELEGRAM_TOKEN.
        at Object.callErrorFromStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
        at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client.js:174:52)
        at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:340:141)
        at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:303:181)
        at Http2CallStream.outputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:114:27)
        at Http2CallStream.maybeOutputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:153:22)
        at Http2CallStream.endCall (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:140:18)
        at Http2CallStream.handleTrailers (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:262:14)
        at ClientHttp2Stream.emit (events.js:198:13)
        at emit (internal/http2/core.js:265:8)
      code: 7,
      details: 'Permission denied on resource project TELEGRAM_TOKEN.',
      metadata:
       Metadata {
         internalRepr:
          Map {
            'google.rpc.help-bin' => [Array],
            'grpc-status-details-bin' => [Array],
            'grpc-server-stats-bin' => [Array] },
         options: {} },
      note:
       'Exception occurred in retry method that was not classified as transient' }

I did create a Service Account with "Owner" permissions, downloaded it and made export GOOGLE_APPLICATION_CREDENTIALS=/Users/... . My service account .json file location is correctly displayed when I execute echo $GOOGLE_APPLICATION_CREDENTIALS.
I have really no idea what I'm doing wrong.
When you access a secret, you need to specify the project:

    await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })

should be

    await secretClient.accessSecretVersion({ name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest" })

I just encountered the same problem and I personally had to add /versions/latest after specifying the project name in the secret name.

    await secretClient.accessSecretVersion({
      name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest"
    })

These answers guided me, but it took a long time for me to get this working. You need to enter the PROJECT_ID and not the Project-Name.
Find your Project ID:
The second column here shows the Project ID:
Now use that and run the script

    await secretClient.accessSecretVersion({
      name: "projects/PROJECT_ID/secrets/SECRET_NAME/versions/latest"
    })

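
The three fixes given in the answers above (the projects/ prefix, the /versions/ suffix, and a project ID rather than a display name) can be checked before the request is sent. The following is an added example, not code from any of the posts: the function names secretVersionName and checkSecretVersionName are hypothetical, and the sample values are the placeholders used on this page.

```javascript
// Added example: names and regexes below are illustrative, not from the posts.
// Project ID shape: 6-30 chars, lowercase letters/digits/hyphens, starts with a
// letter, no trailing hyphen. A numeric project number is accepted as well.
const PROJECT_RE = /^(?:[a-z][a-z0-9-]{4,28}[a-z0-9]|\d+)$/;
// Secret ID shape: letters, digits, hyphens, underscores, at most 255 chars.
const SECRET_RE = /^[A-Za-z0-9_-]{1,255}$/;
// Only "latest" or a positive integer version is handled in this sketch.
const VERSION_RE = /^(?:latest|[1-9]\d*)$/;
const FULL_RE = /^projects\/([^/]+)\/secrets\/([^/]+)\/versions\/([^/]+)$/;

// Build the full resource name; throws on input that cannot be valid.
function secretVersionName(projectId, secretId, version = "latest") {
  const name = `projects/${projectId}/secrets/${secretId}/versions/${version}`;
  const problems = checkSecretVersionName(name);
  if (problems.length > 0) throw new Error(`${name}: ${problems.join("; ")}`);
  return name;
}

// List what is wrong with a name before it is sent to accessSecretVersion().
function checkSecretVersionName(name) {
  const problems = [];
  const m = FULL_RE.exec(name);
  if (!m) {
    if (!name.startsWith("projects/")) problems.push("missing projects/<PROJECT_ID>/ prefix");
    if (!/(^|\/)secrets\/[^/]+/.test(name)) problems.push("missing secrets/<SECRET_ID> segment");
    if (!/\/versions\/[^/]+$/.test(name)) problems.push("missing /versions/<VERSION> suffix");
    if (problems.length === 0) problems.push("malformed resource name");
    return problems;
  }
  // Shape check only: it rejects display names such as "My Project", but cannot
  // tell whether a well-formed ID belongs to a project you can access.
  if (!PROJECT_RE.test(m[1])) problems.push("project segment is not a project ID or number");
  if (!SECRET_RE.test(m[2])) problems.push("invalid secret ID");
  if (!VERSION_RE.test(m[3])) problems.push("invalid version");
  return problems;
}

// The bare name from the question fails all three structural checks.
console.log(checkSecretVersionName("TELEGRAM_TOKEN"));
```

The value returned by secretVersionName is what goes in the name field of accessSecretVersion().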