Using Azure DevOps I'm developing a Cloud Run service on PROJECT_A that needs to use a Service Account of PROJECT_B to read logs from Stackdriver.
I've successfully deployed the Cloud Run using its gcloud commands.
gcloud run deploy [[SERVICE] --namespace=NAMESPACE] [--service-account=Service_Account@PROJECT_A.iam.gserviceaccount.com]
Since I'm storing my service account as a secure file in Azure DevOps, I've uploaded the PROJECT_B service account to the PROJECT_A GCP Secret Manager using
echo $(service_account_PROJECT_B.json) > SA_PROJECT_B.txt
gcloud secrets create SA_PROJECT_B --data-file=SA_PROJECT_B.txt --replication-policy=user-managed --project=PROJECT_A
I'm running into issues while accessing the Service Account stored in Secret Manager. Locally, when I create the client, I use:
#config.py
import os
# BASE_DIR (a pathlib.Path) and DEPLOY_ENVIRONMENT are defined elsewhere in this module
if DEPLOY_ENVIRONMENT == "local":
    SA_PROJECT_B = os.path.join(BASE_DIR / "SA_PROJECT_B.json")
    os.environ["SA_PROJECT_B"] = str(SA_PROJECT_B)
#client.py
from google.cloud import logging
from config import SA_PROJECT_B
logging_client = logging.Client.from_service_account_json(
SA_PROJECT_B
)
And it works.
When I execute the code from Cloud Run, I get an error message stating that it cannot import name 'SA_PROJECT_B'.
So here is my question: how should I reference a secret stored in Secret Manager from the code?
I've tried following this google cloud community tutorial that showed me that the issue happens when I upload the secret to secret manager.
from google.cloud import secretmanager
secrets = secretmanager.SecretManagerServiceClient()
SA_PROJECT_B = secrets.access_secret_version(request={"name": "projects/"+"PROJECT_B"+"/secrets/PROJECT_B/versions/1"}).payload.data.decode("utf-8")
print(SA_PROJECT_B) returns '$(service_account_PROJECT_B.json)'
I can't understand what I'm doing wrong. Is it something related to uploading a service account to GCP, or something related to accessing Secret Manager correctly?
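As an added example (not code from the question or from Google's libraries), one defensive way to wire this up in Cloud Run: read the secret version, validate that the payload really is a service-account key before building credentials in memory (no key file written to disk), so an unexpanded pipeline macro such as the literal `$(service_account_PROJECT_B.json)` seen above fails fast with a clear message instead of a confusing import or auth error. The function names and the sample key below are my own constructions.

```python
import json
import re
from typing import Any, Dict

# Azure DevOps macro syntax ($(VarName)) that reached the secret unexpanded.
_UNEXPANDED_MACRO = re.compile(r"^\$\([A-Za-z_][A-Za-z0-9_.]*\)$")

# Constructed sample payload for the checks below; not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "project-b-placeholder",
    "private_key_id": "placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "sa@project-b-placeholder.iam.gserviceaccount.com",
})

def parse_service_account_payload(payload: str) -> Dict[str, Any]:
    """Return the key as a dict, or raise ValueError explaining why it is unusable."""
    text = payload.strip()
    if _UNEXPANDED_MACRO.match(text):
        raise ValueError(
            f"secret payload is the literal macro {text!r}: the pipeline variable "
            "was never expanded before 'gcloud secrets create' ran"
        )
    try:
        info = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret payload is not JSON: {exc}") from exc
    required = {"type", "project_id", "private_key", "client_email"}
    missing = sorted(required - set(info))
    if info.get("type") != "service_account" or missing:
        raise ValueError(f"payload is not a service-account key; missing fields {missing}")
    return info

def load_secret_text(project_id: str, secret_id: str, version: str = "latest") -> str:
    """Fetch one secret version as text (needs google-cloud-secret-manager at runtime)."""
    from google.cloud import secretmanager
    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
    return client.access_secret_version(request={"name": name}).payload.data.decode("utf-8")

def logging_client_from_secret(project_id: str, secret_id: str):
    """Build a Cloud Logging client for PROJECT_B from a key held only in memory."""
    from google.cloud import logging
    from google.oauth2 import service_account
    info = parse_service_account_payload(load_secret_text(project_id, secret_id))
    creds = service_account.Credentials.from_service_account_info(info)
    return logging.Client(project=info["project_id"], credentials=creds)
```

The Cloud Run service's own runtime service account (the `--service-account` from the deploy command) needs `roles/secretmanager.secretAccessor` on the secret in PROJECT_A for `load_secret_text` to succeed.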