
I am trying to access a secret stored in secrets manager.

I created a service account with owner role. I created a key from it. I run:

import os
# Placeholders: replace with your own project id, secret id and version number.
project_id = "myproject"
secret_id = "mysecret"
version_id = "1"
# Point Application Default Credentials at the service-account key file.
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = './keyfile.json'
from google.cloud import secretmanager
secret_client = secretmanager.SecretManagerServiceClient()
secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'
response = secret_client.access_secret_version(request={"name": secret_name})

but I get:

google.api_core.exceptions.PermissionDenied: 403 Permission 'secretmanager.versions.access' 
denied for resource 'projects/myprojnumber/secrets/mysecret/versions/1' (or it may not exist).

I checked the secret_name was the same as the secret's value in secret manager.

I have tried adding Secret Manager Secret Accessor and Secret Manager Viewer roles.

Edit: running this from cloud shell.

schoon
  • It would be helpful if you could add the `gcloud secrets versions access` equivalent command to demonstrate that the secret*version exists. – DazWilkin Jul 14 '22 at 15:56
  • Also, please demonstrate that the Service Account was created for the correct project (`{project_id}`) and with owner role. Also that the key exists and that the code is able to reference it correctly as `./keyfile.json`. Either of these being incorrect would originate the forbidden (403) error. We need to determine whether the code is authorized or whether the secret*version does not exist. – DazWilkin Jul 14 '22 at 15:59
  • My suspect is that the code is not using the SA and instead the credentials of the Cloud Shell. When you create the Secret Manager Client, you may want to explicitly set the credentials from the SA. – Puteri Jul 14 '22 at 16:05
  • Thanks everyone. Can you point me at code that'll help me do this? I'm a bit of a newbie. – schoon Jul 14 '22 at 16:11

1 Answer

I think the issue is that the code is taking the Default Credentials of the Cloud Shell instead of using your SA key.

You can specify the credentials when creating the client

from google.cloud import secretmanager
from google.oauth2 import service_account

# Placeholders: replace with your own project id, secret id and version number.
project_id = "myproject"
secret_id = "mysecret"
version_id = "1"

# Load the SA key explicitly instead of relying on Application Default Credentials.
credentials = service_account.Credentials.from_service_account_file("./keyfile.json")

secret_client = secretmanager.SecretManagerServiceClient(credentials=credentials)
secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'
response = secret_client.access_secret_version(request={"name": secret_name})

Another option using some of the methods found in the library docs:

from google.cloud import secretmanager

# Placeholders: replace with your own project id, secret id and version number.
project_id = "myproject"
secret_id = "mysecret"
version_id = "1"

# The client class can build itself directly from the SA key file.
secret_client = secretmanager.SecretManagerServiceClient.from_service_account_file("./keyfile.json")
secret_name = f'projects/{project_id}/secrets/{secret_id}/versions/{version_id}'
response = secret_client.access_secret_version(request={"name": secret_name})

Just as an advice, being a newbie does not mean you cannot Google a little more to search for something like how to use a SA as credential for the client of the library you're using.

For example you could easily find this doc which shows a sample.

Anyway, good luck with GCP!

Puteri
  • Thank you for this. I can't access the keyfile https://stackoverflow.com/questions/72992940/how-do-i-get-vertex-ai-pipelines-to-see-cloudshell-files – schoon Jul 15 '22 at 11:21
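An added pre-flight check (not code from the question or the answer) for the points the comments raise before blaming IAM for the 403: that `./keyfile.json` actually exists (otherwise the client silently uses Cloud Shell's own credentials), that it is a service-account key, and that its project matches the project in the resource name. `preflight`, `DEMO_KEY` and the project and secret names are constructed for illustration; `make_client` uses the same `from_service_account_file` approach as the answer.

```python
import json
import os
import re
import tempfile
from pathlib import Path

_NAME_RE = re.compile(r"^projects/([^/]+)/secrets/([^/]+)/versions/([^/]+)$")
# Constructed sample key for the demo (a real key also carries private_key etc.).
DEMO_KEY = {"type": "service_account", "project_id": "my-project",
            "client_email": "reader@my-project.iam.gserviceaccount.com"}

def secret_version_name(project, secret_id, version="latest"):
    """Resource name the API expects; project id or project number both work."""
    return f"projects/{project}/secrets/{secret_id}/versions/{version}"

def preflight(key_path, secret_name):
    """Reasons a 403 would be expected, checked before calling the API (empty = nothing obvious)."""
    if not os.path.exists(key_path):
        # A missing file means the client silently uses the ambient credentials instead
        # (in Cloud Shell, the logged-in user): the situation the answer describes.
        return [f"key file {key_path!r} not found; client would use Application Default Credentials"]
    key = json.loads(Path(key_path).read_text())
    if key.get("type") != "service_account":
        return [f"{key_path!r} is not a service-account key (type={key.get('type')!r})"]
    m = _NAME_RE.match(secret_name)
    if not m:
        return [f"secret name {secret_name!r} is not projects/.../secrets/.../versions/..."]
    name_project, key_project = m.group(1), key["project_id"]
    # Cross-project grants are legal, so a mismatch is a hint to check IAM, not an error; the
    # error in the question shows a project *number*, which cannot be compared to the key's id.
    if name_project != key_project and not name_project.isdigit():
        return [f"key is for {key_project!r} but name targets {name_project!r}; confirm "
                f"{key['client_email']} holds roles/secretmanager.secretAccessor there"]
    return []

def make_client(key_path):
    """Client bound to the key, not to ambient credentials (SDK imported lazily)."""
    from google.cloud import secretmanager
    return secretmanager.SecretManagerServiceClient.from_service_account_file(key_path)

def demo():
    """Write the constructed key to a temp dir and run the checks against three names."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "keyfile.json")
    Path(path).write_text(json.dumps(DEMO_KEY))
    return (preflight(path, secret_version_name("my-project", "mysecret", "1")),
            preflight(path, secret_version_name("other-project", "mysecret", "1")),
            preflight(os.path.join(tmp, "missing.json"), secret_version_name("my-project", "mysecret")))
```

Run `preflight("./keyfile.json", secret_name)` with your real values; an empty list means the remaining suspect is the IAM binding on the secret itself.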