
Is it possible to assign a role on Google Secrets to allow a user to create their own secrets, view them, and share them (without being a Secrets Admin)?

Aiming to avoid granting the Secrets Admin role, I'm only able to allow a user to create their own secrets, but they can't share or access them. If I grant IAM or access roles, they are able to apply that (access and share) to all secrets in the project.

Is it possible to restrict the permissions to only the secrets the user has created?

Tomas Romero

2 Answers


One workaround I found is using a condition when granting the Secrets Admin role so that it only applies to secrets starting with a certain prefix. Note: the prefix needs to include the full secret path (e.g. projects/XXXX/secrets/prefix-).

Tomas Romero
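The conditional binding described in this answer, written out as an added example (not code from the answer's author or from Google): it builds the `resource.name.startsWith(...)` condition, the policy binding and the equivalent `gcloud` call, and mirrors the prefix check locally so you can see which resource names the grant would cover. The project number, member and prefix are made-up placeholders; check the IAM condition attribute reference for the exact `resource.name` format of your resource type.

```python
"""Grant roles/secretmanager.admin only on secrets whose resource name starts
with a prefix (the workaround from the answer). All values are placeholders."""
import json
import shlex

ROLE = "roles/secretmanager.admin"


def secret_prefix_expression(project_number: str, prefix: str) -> str:
    # Secret Manager exposes resource.name as projects/<NUMBER>/secrets/<ID>
    # (versions extend that path), so the prefix must include the full path,
    # not just the secret id.
    return f'resource.name.startsWith("projects/{project_number}/secrets/{prefix}")'


def prefixed_admin_binding(member: str, project_number: str, prefix: str) -> dict:
    """Conditional binding in the shape a version-3 IAM policy uses."""
    return {
        "role": ROLE,
        "members": [member],
        "condition": {
            "title": f"secrets-prefix-{prefix}",
            "description": f"Secret Manager admin limited to secrets named {prefix}*",
            "expression": secret_prefix_expression(project_number, prefix),
        },
    }


def gcloud_command(project_id: str, member: str, project_number: str, prefix: str) -> str:
    """The equivalent `gcloud projects add-iam-policy-binding` invocation."""
    cond = prefixed_admin_binding(member, project_number, prefix)["condition"]
    flag = ",".join(f"{k}={v}" for k, v in cond.items())  # no commas in the values
    return " ".join(shlex.quote(a) for a in [
        "gcloud", "projects", "add-iam-policy-binding", project_id,
        f"--member={member}", f"--role={ROLE}", f"--condition={flag}",
    ])


def resource_matches(resource_name: str, project_number: str, prefix: str) -> bool:
    """Local mirror of the CEL startsWith() check: which names the grant covers."""
    return resource_name.startswith(f"projects/{project_number}/secrets/{prefix}")


if __name__ == "__main__":
    member, number, prefix = "user:alice@example.com", "123456789012", "alice-"
    print(json.dumps(prefixed_admin_binding(member, number, prefix), indent=2))
    print(gcloud_command("my-project", member, number, prefix))
    for name in (f"projects/{number}/secrets/alice-db",
                 f"projects/{number}/secrets/alice-db/versions/1",
                 f"projects/{number}/secrets/bob-db",
                 "projects/999/secrets/alice-db"):
        print(f"{name}: {resource_matches(name, number, prefix)}")
```

Both the secret and its versions match the prefix, while a same-named secret in another project does not, which is why the full path belongs in the prefix.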

There isn't a great solution for this today. The IAM condition that you propose gets pretty close.

A different approach is to allow users to each have their own projects and co-locate their secrets with their relevant workloads.

Sandro B