While testing a Google Cloud Function I wrote that attempts to access a secret stored in the Secret Manager, I get this error: Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource '<resource-name>' (or it may not exist).
My code:
    const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
    const secretClient = new SecretManagerServiceClient();
    ...
    // secretName is the fully qualified version name, e.g.
    // projects/<project-id>/secrets/<secret-name>/versions/latest
    const [version] = await secretClient.accessSecretVersion({
      name: secretName
    });
    const secret = version.payload.data.toString();
I've followed the steps in the documentation, specifying the full name of the secret in the call to the service (projects/<project-id>/secrets/<secret-name>/versions/latest, so the problem in Can't access secret in GCP Secret Manager doesn't apply here) and giving the service account that runs my cloud functions the "Secret Manager Secret Accessor" role (which should rule out the root problem in Why isn't my Firebase app connecting to Google Secret Manager?).
I've seen this issue both when trying to trigger the function locally using curl and when testing it in the UI (GCF > Function details > Testing).
Is there anything I'm missing here?
It turns out that I gave the "Secret Manager Secret Accessor" role to the wrong service account - I gave it to the GCF administrative service account, which is used to create/update/delete functions (service-<project-id>@gcf-admin-robot.iam.gserviceaccount.com), instead of to the runtime service account, which is what's actually used to run the function (<project-id>@appspot.gserviceaccount.com).
Once I added the role above (among others the function needed) to the runtime service account, the function completed successfully.
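The distinction the answer draws, as an added example that is not part of the question or answer: a wrapper that builds the fully qualified version name and, on a gRPC PERMISSION_DENIED (code 7), reports which identity's IAM bindings to check, the function's runtime service account rather than the gcf-admin-robot deploy account. The client is passed in (in a real function, `new SecretManagerServiceClient()` from @google-cloud/secret-manager); the `fakeClient` below is a constructed stand-in so the block runs offline, and the `<project-id>@appspot.gserviceaccount.com` default is the 1st-gen runtime account named in the answer.

```javascript
// gRPC status code the Secret Manager client surfaces as err.code on a denied access.
const GRPC_PERMISSION_DENIED = 7;

// Fully qualified version name expected by accessSecretVersion.
function secretVersionName(projectId, secretId, version = 'latest') {
  return `projects/${projectId}/secrets/${secretId}/versions/${version}`;
}

// Fetch a secret; a bare PERMISSION_DENIED becomes a diagnostic naming the
// runtime service account (the identity that must hold secretAccessor), not
// the gcf-admin-robot account that only deploys the function.
async function fetchSecret(client, projectId, secretId,
    runtimeServiceAccount = `${projectId}@appspot.gserviceaccount.com`, version = 'latest') {
  const name = secretVersionName(projectId, secretId, version);
  try {
    const [response] = await client.accessSecretVersion({ name });
    return { ok: true, value: response.payload.data.toString('utf8') };
  } catch (err) {
    if (err.code === GRPC_PERMISSION_DENIED) {
      const secretResource = name.replace(/\/versions\/[^/]+$/, '');
      return {
        ok: false,
        reason: 'permission_denied',
        hint: `grant roles/secretmanager.secretAccessor on ${secretResource} to ` +
              `serviceAccount:${runtimeServiceAccount} (runtime identity, not gcf-admin-robot)`,
      };
    }
    throw err; // NOT_FOUND, network errors etc. are a different problem
  }
}

// Constructed fake client: only `allowedCaller` may read the secret, mimicking
// the real error text when any other identity calls.
function fakeClient(caller, allowedCaller, payload) {
  return {
    async accessSecretVersion({ name }) {
      if (caller !== allowedCaller) {
        const e = new Error(`7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' ` +
                            `denied for resource '${name}' (or it may not exist).`);
        e.code = GRPC_PERMISSION_DENIED;
        throw e;
      }
      return [{ name, payload: { data: Buffer.from(payload) } }];
    },
  };
}
```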