Can't access secret in GCP Secret Manager

Question

I'm trying to migrate my code from using API keys stored in the .env file to using Google Cloud Platform Secrets Manager. I've followed the instructions here but I encounter an error saying that I don't have permissions to access the secret.

import * as admin from "firebase-admin"
import { SecretManagerServiceClient } from "@google-cloud/secret-manager"

admin.initializeApp()
const secretClient = new SecretManagerServiceClient()

async function main() {
  async function getSecret(): Promise<string | null | undefined> {
    const [version] = await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })

    return version.payload?.data?.toString()
  }

  const TELEGRAM_TOKEN = await getSecret()
  console.log(TELEGRAM_TOKEN)
}

main().catch(console.error)

And that's the error I get:

> node lib/app.js --telegram

{ Error: 7 PERMISSION_DENIED: Permission denied on resource project TELEGRAM_TOKEN.
    at Object.callErrorFromStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client.js:174:52)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:340:141)
    at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:303:181)
    at Http2CallStream.outputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:114:27)
    at Http2CallStream.maybeOutputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:153:22)
    at Http2CallStream.endCall (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:140:18)
    at Http2CallStream.handleTrailers (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:262:14)
    at ClientHttp2Stream.emit (events.js:198:13)
    at emit (internal/http2/core.js:265:8)
  code: 7,
  details: 'Permission denied on resource project TELEGRAM_TOKEN.',
  metadata:
   Metadata {
     internalRepr:
      Map {
        'google.rpc.help-bin' => [Array],
        'grpc-status-details-bin' => [Array],
        'grpc-server-stats-bin' => [Array] },
     options: {} },
  note:
   'Exception occurred in retry method that was not classified as transient' }

I did create a Service Account with "Owner" permissions, downloaded it and made export GOOGLE_APPLICATION_CREDENTIALS=/Users/.... My service account .json file location is correctly displayed when I execute echo $GOOGLE_APPLICATION_CREDENTIALS.

I have really no idea what I'm doing wrong.

Answer 1

When you access a secret, you need to specify the project:

await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })

should be

await secretClient.accessSecretVersion({ name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest" })

Answer 2

I just encountered the same problem and I personally had to add /versions/latest after specifying the project name in the secret name.

await secretClient.accessSecretVersion({
  name: "projects/my-project/secrets/TELEGRAM_TOKEN/versions/latest"
})

Answer 3

These answers guided me, but it took a long time for me to get this working. You need to enter the PROJECT_ID and not the Project-Name.

Find your Project ID:

The second column here shows the Project ID:

Now use that and run the script

await secretClient.accessSecretVersion({
  name: "projects/PROJECT_ID/secrets/SECRET_NAME/versions/latest"
})