0

I am developing a Node.js application that accesses secrets from GCP Secret Manager. I ran it locally, pointing it to credentials using the GOOGLE_APPLICATION_CREDENTIALS variable.

Then I tried deploying this service to Google Cloud Run, and now it throws the error

 Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied

I want to know how to add credentials to Cloud Run containers. I saw some implementations where the credential file is included inside the code. What is the best practice for accessing GCP resources from a Cloud Run container?

EDPChinthana

1 Answer

2

You might like to find a service account used by your Cloud Run, and grant that service account a relevant IAM role against the desired secret - most likely a Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor).

You don't need any credentials file. And please, under no circumstances keep any credentials in a code repository.

======

Updated following @kolban's comment

al-dann
I believe this is the documentation link that @al-dann is talking about: https://cloud.google.com/run/docs/securing/service-identity – Kolban Feb 13 '22 at 20:09
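
An added example, not part of the original question or answer: a Node.js reader that passes no key file to the client, so on Cloud Run it runs as the service's own identity, and that turns the `7 PERMISSION_DENIED` error from the question into a pointer at the missing `roles/secretmanager.secretAccessor` binding. The project name `my-project`, the secret name `my-secret`, the `<RUNTIME_SA_EMAIL>` placeholder and the helper names are assumptions, as is the `@google-cloud/secret-manager` package being installed in the image.

```javascript
// Added example. Assumes @google-cloud/secret-manager is installed in the
// deployed image; project and secret names below are placeholders.
const ACCESSOR_ROLE = 'roles/secretmanager.secretAccessor'; // role named in the answer
const PERMISSION_DENIED = 7; // gRPC status code seen in the question's error

// Build the resource name that accessSecretVersion expects.
function versionName(project, secret, version = 'latest') {
  return `projects/${project}/secrets/${secret}/versions/${version}`;
}

// True when a key file is configured inside Cloud Run (the platform sets K_SERVICE).
function keyFileInUse(env) {
  return Boolean(env.K_SERVICE && env.GOOGLE_APPLICATION_CREDENTIALS);
}

// Read a secret with whatever identity the client resolved. The client is
// injected so the function can be exercised without network access.
async function readSecret(client, project, secret) {
  const name = versionName(project, secret);
  try {
    const [version] = await client.accessSecretVersion({ name });
    return version.payload.data.toString('utf8');
  } catch (err) {
    if (err.code === PERMISSION_DENIED) {
      // Do not fall back to a key file: the fix is an IAM binding on the secret.
      throw new Error(
        `The service account running this revision lacks ${ACCESSOR_ROLE} on ${secret}. ` +
        `Grant it with: gcloud secrets add-iam-policy-binding ${secret} ` +
        `--member="serviceAccount:<RUNTIME_SA_EMAIL>" --role="${ACCESSOR_ROLE}"`);
    }
    throw err;
  }
}

// Runs on Cloud Run only. No credentials are passed to the client, so
// Application Default Credentials resolve to the service's own identity.
if (process.env.K_SERVICE) {
  if (keyFileInUse(process.env)) {
    console.warn('GOOGLE_APPLICATION_CREDENTIALS is set; remove the key file from the image');
  }
  const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
  readSecret(new SecretManagerServiceClient(), 'my-project', 'my-secret')
    .then((value) => console.log(`secret loaded (${value.length} chars)`))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```
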