3

I want to be able to grant a service account in Google Cloud access to multiple secrets based on a naming convention or even better, based on a label.

So far, it's beginning to look like GCP only provides the ability to grant access at the level of an org, folder, project or secret, and beyond that you can't get any more nuanced in how IAM is set up. See here

I thought maybe GCP's IAM conditions would allow me more flexibility here, but I haven't had any luck with that either. Using the Terraform below, my SA can still access all secrets at the project level.

resource "google_project_iam_member" "access_secrets" {
  project  = var.project_id
  role     = "roles/secretmanager.secretAccessor"
  member   = "serviceAccount:${google_service_account.service-a.email}"
  provider = google-beta

  condition {
    title       = "all-service-a-secrets"
    description = "All Service A secrets"
    expression  = "resource.name.startsWith('projects/my-project/secrets/service-a-secrets')"
  }
}

Coming from primarily using AWS, I feel like permissions were a bit more flexible. It seems that perhaps the answer is to use projects more liberally, but I haven't been able to find many opinions on best ways to utilize GCP projects.

Tyler Nielsen
  • 605
  • 1
  • 7
  • 21

3 Answers

2

I'm using IAM conditional policy to grant access to secrets based on naming convention.

For example, the following conditional policy grants a user access only to the secrets whose names start with "dev-myapp1-".

resource "google_project_iam_binding" "SecretCreator" {
  project = "my-project-id"
  role    = "projects/my-project-id/roles/SecretCreator"

  members = [
    "user:user.name@example.com",
  ]
}

resource "google_project_iam_binding" "SecretManagerAdmin" {
  project = "my-project-id"
  role    = "roles/secretmanager.admin"

  members = [
    "user:user.name@example.com",
  ]

  condition {
    title      = "dev-myapp1-*"
    expression = "resource.name.startsWith(\"projects/123456789012/secrets/dev-myapp1-\")"
    # "123456789012" is the Project Number. You need to use the Project Number in the expression, not the Project ID.
    # You can get the Project Number by running the command: gcloud projects describe my-project-id
  }
}

resource "google_project_iam_binding" "SecretListViewer" {
  project = "my-project-id"
  role    = "projects/my-project-id/roles/SecretListViewer"

  members = [
    "user:user.name@example.com",
  ]

}

resource "google_project_iam_binding" "SecretManagerViewer" {
  project = "my-project-id"
  role    = "roles/secretmanager.viewer"

  members = [
    "user:user.name@example.com",
  ]

}

You may need to create two custom roles in the project to use this conditional policy. You can use the below terraform template to create custom roles in the project.

resource "google_project_iam_custom_role" "SecretListViewer" {
  role_id     = "SecretListViewer"
  title       = "SecretListViewer"
  description = "SecretListViewer"
  permissions = ["secretmanager.secrets.list"]
}

resource "google_project_iam_custom_role" "SecretCreator" {
  role_id     = "SecretCreator"
  title       = "SecretCreator"
  description = "SecretCreator"
  permissions = ["secretmanager.secrets.create"]
}

With this, the user should be able to create secrets with any name but cannot add contents to them, or view or use them, if the name doesn't start with "dev-myapp1-". He will have full access to manage secrets starting with "dev-myapp1-", but he will not be able to view the content of, or manage, other secrets.

srsn
  • 175
  • 11
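The same prefix-condition pattern applied to the question's case (a service account rather than a user, and only the secretAccessor role), as an added example that is not code from the question or from any answer. It looks the project number up with a `google_project` data source instead of hard-coding it, because IAM evaluates `resource.name` for a secret as `projects/PROJECT_NUMBER/secrets/SECRET_ID`. The variable, service account ID and the `service-a-` secret prefix are assumptions.

```hcl
# Added example: grant one service account read access only to secrets whose
# ID starts with "service-a-". The project number in the condition is looked
# up rather than typed in, since a prefix built from the project ID matches
# nothing.
variable "project_id" {
  type = string
}

# Assumed: the project the secrets live in. Exposes the numeric project
# number that Secret Manager resource names are built from.
data "google_project" "current" {
  project_id = var.project_id
}

# Assumed service account; any existing account's email works in its place.
resource "google_service_account" "service_a" {
  account_id   = "service-a"
  display_name = "Service A"
}

resource "google_project_iam_member" "service_a_secret_accessor" {
  project = var.project_id
  role    = "roles/secretmanager.secretAccessor"
  member  = "serviceAccount:${google_service_account.service_a.email}"

  # Version access is checked against
  # projects/NUMBER/secrets/ID/versions/N, which still starts with the
  # secret's own name, so one prefix covers reading any version.
  condition {
    title       = "service-a-secrets-only"
    description = "Service A may read only secrets prefixed service-a-"
    expression  = "resource.name.startsWith('projects/${data.google_project.current.number}/secrets/service-a-')"
  }
}
```

After `terraform apply`, a useful check is to read one matching and one non-matching secret while impersonating the account, for example `gcloud secrets versions access latest --secret=service-a-db --project=PROJECT_ID --impersonate-service-account=service-a@PROJECT_ID.iam.gserviceaccount.com`, and confirm the second call is denied. Because the binding is a `google_project_iam_member`, it adds to whatever else is bound to the role; an older unconditional binding on the same role would still grant project-wide access and has to be removed separately.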
1

This is now possible (not sure when it was implemented) using resource.name.startsWith - however, and this tripped me up, you must use the numeric project ID and not the project name in the URL.

fwaggle
  • 11
  • 2
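Since a condition that names the project ID fails silently (the binding exists but matches no secret), a quick audit of the exported policy catches both that mistake and the project-wide bindings the question describes. The script below is an added example, not code from the question or any answer; it reads a policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` prints, with a constructed sample embedded so it runs offline. The project ID `my-project`, the project number `123456789012` and the service account names are all constructed.

```python
"""Audit a GCP project IAM policy for Secret Manager bindings.

Added example, not code from the question or from any answer. It reports
two things a reviewer checks after reading this thread: secret-reading
roles bound project-wide with no condition, and conditions whose
resource.name prefix uses the project ID rather than the project number.
IAM evaluates secret names as projects/PROJECT_NUMBER/secrets/SECRET_ID,
so an ID-based prefix never matches and the binding grants nothing.
"""
import json
import re

# Roles that expose secret payloads or let a principal manage secrets.
SECRET_ROLES = {
    "roles/secretmanager.secretAccessor",
    "roles/secretmanager.admin",
    "roles/secretmanager.secretVersionManager",
}

# Matches resource.name.startsWith("projects/<ref>/secrets/<prefix>") with
# either quote style; captures the project reference and the secret prefix.
PREFIX_RE = re.compile(
    r"""resource\.name\.startsWith\(\s*['"]projects/([^/'"]+)/secrets/([^'"]*)['"]\s*\)"""
)

# Constructed sample policy: project ID "my-project", number 123456789012.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": ["serviceAccount:service-a@my-project.iam.gserviceaccount.com"]
    },
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": ["serviceAccount:service-b@my-project.iam.gserviceaccount.com"],
      "condition": {
        "title": "service-b-secrets",
        "expression": "resource.name.startsWith('projects/my-project/secrets/service-b-')"
      }
    },
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": ["serviceAccount:service-c@my-project.iam.gserviceaccount.com"],
      "condition": {
        "title": "service-c-secrets",
        "expression": "resource.name.startsWith(\\"projects/123456789012/secrets/service-c-\\")"
      }
    },
    {
      "role": "roles/viewer",
      "members": ["user:someone@example.com"]
    }
  ]
}
""")


def secret_resource_name(project_number, secret_id):
    """Return the name IAM compares a condition against for a secret."""
    return f"projects/{project_number}/secrets/{secret_id}"


def audit_secret_bindings(policy, project_id, project_number):
    """Return finding strings for the secret-related bindings in policy."""
    findings = []
    project_number = str(project_number)
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in SECRET_ROLES:
            continue
        members = ", ".join(binding.get("members", []))
        condition = binding.get("condition")
        if condition is None:
            # No condition: the role applies to every secret in the project,
            # which is exactly the behaviour the question reports.
            findings.append(f"UNCONDITIONAL: {role} on all secrets for {members}")
            continue
        match = PREFIX_RE.search(condition.get("expression", ""))
        if match is None:
            findings.append(
                f"UNRECOGNISED: {role} for {members} uses condition "
                f"{condition.get('expression')!r}; review it by hand"
            )
            continue
        project_ref, prefix = match.groups()
        if project_ref == project_number:
            continue  # well-formed prefix; nothing to report
        hint = "the project ID" if project_ref == project_id else "an unknown project reference"
        findings.append(
            f"DEAD-CONDITION: {role} for {members} names {hint} {project_ref!r}; "
            f"secrets are named {secret_resource_name(project_number, '<id>')}, "
            f"so prefix {prefix!r} never matches"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_secret_bindings(SAMPLE_POLICY, "my-project", 123456789012):
        print(finding)
```

On the sample it reports the unconditional service-a binding and the dead service-b condition, and stays quiet about service-c, whose prefix uses the project number. Replace `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy` to run it against a real project.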
-1

This is not currently possible, but it's on the roadmap for 2020.

sethvargo
  • 26,739
  • 10
  • 86
  • 156
  • Hey Seth, thanks for the response. Do roadmap items such as this get published anywhere for public consumption/tracking? Having a link for reference in this answer would be useful. – Tyler Nielsen Jul 10 '20 at 18:10
  • Secret Manager does not currently publish a public roadmap. – sethvargo Jul 10 '20 at 23:30