When deploying my Cloud Run service from the command line using a YAML file containing environment variables as secrets (gcloud.run.services.replace), the deployment fails at the "Routing traffic" stage and emits this error.

Deployment failed
ERROR: (gcloud.run.services.replace) spec.template.spec.container.env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/12345678900/secrets/icbm-launch-code/versions/1 for Revision service account 12345678900-compute@developer.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.

I have given the service account mentioned in the error the Secret Manager Secret Accessor role as it says and I have waited hours for consistency.

There's little else I can do. Bug?

RJC
Luke Puplett
    Use the CLI and verify that the service account has the role **gcloud projects get-iam-policy**. Also use **gcloud secrets get-iam-policy**. Permission can be granted at the project or at the secret. https://cloud.google.com/secret-manager/docs/managing-secrets#managing_access_to_secrets Double-check the service account that Cloud Run is assigned. As a final possible solution after verifying everything, redeploy the Cloud Run service. – John Hanley Dec 15 '21 at 22:29
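As an added example (not code from the original question, answer, or comments): the verification John Hanley describes, carried out offline on the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud secrets get-iam-policy SECRET_NAME --project PROJECT_ID --format=json` print. It checks both levels at which the role can be granted, flags bindings that only apply under an IAM condition, and flags the one IAM wrinkle that most often explains "I granted the role and it still fails": a binding left behind for a deleted principal of the same name, which IAM rewrites to `deleted:serviceAccount:<email>?uid=...` and which grants nothing to a recreated account. The two policies embedded below are constructed sample data; the project ID `my-project` and the address `new-service-account@my-project.iam.gserviceaccount.com` are assumptions.

```python
"""Offline check for the 'Permission denied on secret' error on Cloud Run.

Feed it the JSON from
  gcloud projects get-iam-policy PROJECT_ID --format=json > project.json
  gcloud secrets get-iam-policy SECRET_NAME --project PROJECT_ID --format=json > secret.json
and the revision service account named in the error, e.g.
  python check_secret_access.py project.json secret.json \
      12345678900-compute@developer.gserviceaccount.com
With no arguments it runs against the constructed sample policies below.
"""
import json
import sys

# Roles whose permissions include secretmanager.versions.access.
ACCESS_ROLES = {
    "roles/secretmanager.secretAccessor",
    "roles/secretmanager.admin",
}


def sa_member(email):
    """IAM spells a service-account principal as 'serviceAccount:<email>'.
    A binding on 'user:<email>' or on the bare address does not apply."""
    return "serviceAccount:" + email


def grants(policy, email):
    """Bindings in one policy that give `email` payload access, with a flag
    for bindings that carry an IAM condition (those only apply while the
    condition is true, e.g. before an expiry timestamp)."""
    member = sa_member(email)
    return [
        {"role": b["role"], "conditional": "condition" in b}
        for b in policy.get("bindings", [])
        if b.get("role") in ACCESS_ROLES and member in b.get("members", [])
    ]


def stale_grants(policy, email):
    """Bindings granted to an earlier, since-deleted principal with the same
    e-mail. IAM rewrites such members to 'deleted:serviceAccount:<email>?uid=<id>'
    and they grant nothing to a recreated account of the same name."""
    prefix = "deleted:" + sa_member(email) + "?uid="
    return [
        m
        for b in policy.get("bindings", [])
        if b.get("role") in ACCESS_ROLES
        for m in b.get("members", [])
        if m.startswith(prefix)
    ]


def diagnose(project_policy, secret_policy, email):
    """Combine the project-level and secret-level policies the way IAM does:
    access is allowed if either level grants an access role."""
    found = grants(project_policy, email) + grants(secret_policy, email)
    unconditional = [g for g in found if not g["conditional"]]
    return {
        "ok": bool(unconditional),
        "conditional_only": bool(found) and not unconditional,
        "stale_deleted_bindings": stale_grants(project_policy, email)
        + stale_grants(secret_policy, email),
    }


# Constructed sample policies (not real gcloud output). The compute default
# account from the question only has a conditional, already-expired grant on
# the secret plus a stale 'deleted:' binding at project level; the account
# the answer created has a plain grant on the secret. Project ID 'my-project'
# and the second account's address are assumptions.
COMPUTE_SA = "12345678900-compute@developer.gserviceaccount.com"
NEW_SA = "new-service-account@my-project.iam.gserviceaccount.com"

PROJECT_POLICY = {
    "version": 3,
    "etag": "BwXjJ1z9k4c=",
    "bindings": [
        {"role": "roles/editor", "members": [sa_member(COMPUTE_SA)]},
        {
            "role": "roles/secretmanager.secretAccessor",
            "members": ["deleted:" + sa_member(COMPUTE_SA) + "?uid=104857600000000000001"],
        },
    ],
}

SECRET_POLICY = {
    "version": 3,
    "etag": "BwXjJ2AbcdE=",
    "bindings": [
        {"role": "roles/secretmanager.secretAccessor", "members": [sa_member(NEW_SA)]},
        {
            "role": "roles/secretmanager.secretAccessor",
            "members": [sa_member(COMPUTE_SA)],
            "condition": {
                "title": "temporary access",
                "expression": 'request.time < timestamp("2021-12-01T00:00:00Z")',
            },
        },
    ],
}


def main(argv):
    if len(argv) == 4:
        with open(argv[1]) as f:
            project = json.load(f)
        with open(argv[2]) as f:
            secret = json.load(f)
        targets = [(project, secret, argv[3])]
    else:
        targets = [(PROJECT_POLICY, SECRET_POLICY, COMPUTE_SA),
                   (PROJECT_POLICY, SECRET_POLICY, NEW_SA)]
    for project, secret, email in targets:
        print(email, json.dumps(diagnose(project, secret, email)))


if __name__ == "__main__":
    main(sys.argv)
```

If the report says `ok: false`, either grant the role to the exact principal named in the error (`gcloud secrets add-iam-policy-binding SECRET_NAME --project PROJECT_ID --member=serviceAccount:EMAIL --role=roles/secretmanager.secretAccessor`) or, as the accepted answer does, point the revision at an account that already has it via `spec.template.spec.serviceAccountName`. A non-empty `stale_deleted_bindings` list means the role was granted to a previous incarnation of the account and has to be granted again; `conditional_only` means the binding exists but its condition is not currently satisfied.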

1 Answer

I created a new service account and gave it the Secret Manager Secret Accessor role, then in my YAML I set

spec.template.spec.serviceAccountName: new-service-account@blah

And redeployed, and it worked. It's concerning that the security system is unreliable.

Luke Puplett