All my GCP containers use CloudBuild on my-dev-project and access Secret Manager on the same project (my-dev-project). However, one project requires access to Secret Manager on my-prod-project. I imagine I need to add a service account, but I'm not sure how I can go about doing that for CloudBuild when it already has its my-dev-project service account.

Question: How can I access the my-prod-project Secret Manager from the my-dev-project CloudBuild?

Kevin Danikowski
  • 4,620
  • 6
  • 41
  • 75

1 Answer

1

You can grant the Cloud Build service account from my-dev-project permissions on the secret in my-prod-project. Get the service account's email address for my-dev-project from the IAM console; it will be in the format:

project-number@cloudbuild.gserviceaccount.com

In my-prod-project, find the secret you wish to grant access to, and add that email with Secret Accessor permissions.

sethvargo
  • 26,739
  • 10
  • 86
  • 156
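The same grant expressed as a script, added here as an example and not part of the answer above. It assumes the project IDs from the question (my-dev-project, my-prod-project); the secret name `api-key`, the `API_KEY` environment variable and the `APPLY=1` switch are constructed placeholders. The pure helper functions build the IAM member string and the fully qualified secret version path; the `gcloud` calls only run when `APPLY=1` is set and `gcloud` is installed. The role is bound on the single secret rather than on the whole prod project, which is the least privilege the answer describes. If your builds run as a different service account than the default `PROJECT_NUMBER@cloudbuild.gserviceaccount.com` one, grant that account instead.

```shell
#!/bin/sh
# Added example (not from the original post). Project IDs come from the
# question; the secret name and env var name are constructed placeholders.
set -eu

DEV_PROJECT="my-dev-project"
PROD_PROJECT="my-prod-project"
SECRET_NAME="api-key"   # constructed placeholder

# IAM member string for the default Cloud Build service account of a
# project, given that project's numeric project number.
cloudbuild_member() {
  printf 'serviceAccount:%s@cloudbuild.gserviceaccount.com\n' "$1"
}

# Fully qualified version resource for cloudbuild.yaml. A bare secret name
# would resolve inside the build's own project (my-dev-project), so the
# prod project must be spelled out explicitly.
secret_version_path() {
  printf 'projects/%s/secrets/%s/versions/%s\n' "$1" "$2" "${3:-latest}"
}

# cloudbuild.yaml that pulls the prod secret into one step via secretEnv.
# "$$API_KEY" (double dollar) is how Cloud Build exposes a secretEnv
# variable inside a bash step; here the step only reports its length.
cloudbuild_config() {
  version_path="$1"
  cat <<EOF
steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: bash
  args: ['-c', 'printf %s "\$\$API_KEY" | wc -c']
  secretEnv: ['API_KEY']
availableSecrets:
  secretManager:
  - versionName: ${version_path}
    env: API_KEY
EOF
}

# Look up the dev project's number and bind Secret Accessor on exactly one
# secret in prod for the dev project's Cloud Build service account.
grant_secret_access() {
  project_number="$(gcloud projects describe "$DEV_PROJECT" \
    --format='value(projectNumber)')"
  gcloud secrets add-iam-policy-binding "$SECRET_NAME" \
    --project="$PROD_PROJECT" \
    --member="$(cloudbuild_member "$project_number")" \
    --role="roles/secretmanager.secretAccessor"
  # Confirm the binding landed where intended.
  gcloud secrets get-iam-policy "$SECRET_NAME" --project="$PROD_PROJECT"
}

# Only touch GCP when explicitly asked and gcloud is present; always show
# the build config so the cross-project reference can be reviewed.
if [ "${APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  grant_secret_access
fi
cloudbuild_config "$(secret_version_path "$PROD_PROJECT" "$SECRET_NAME")"
```

Run it once with `APPLY=1` from an identity that holds Secret Manager Admin on the prod secret; afterwards the printed `cloudbuild.yaml` fragment is what the dev project's build needs in order to read the secret.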