#gcp (2022-03)
Google Cloud Platform
2022-03-16
Hi :wave:,
I’m trying to limit access to secrets for a specific ServiceAccount. I’m trying with the Secret Manager Admin role and a specific condition (resource.name.startsWith("SOME_PREFIX__")).
But get the following error message:
# CREATE NEW SECRET
$ gcloud secrets create SOME_PREFIX__czerasz_test_2
ERROR: (gcloud.secrets.create) User [[email protected]] does not have permission to access projects instance [my-project-2] (or it may not exist): Permission 'secretmanager.secrets.create' denied for resource 'projects/my-project-2' (or it may not exist).
# DELETE EXISTING SECRET
$ gcloud secrets delete SOME_PREFIX__czerasz_test_1
ERROR: (gcloud.secrets.delete) PERMISSION_DENIED: Permission 'secretmanager.versions.list' denied for resource 'projects/my-project-2/secrets/SOME_PREFIX__czerasz_test_1' (or it may not exist).
Could someone point me in the right direction?
The commands mentioned above work fine without the condition.
According to the docs one has to use the project number.
It works with:
resource.name.startsWith("projects/XXXXXXXXXXXX/secrets/SOME_PREFIX__")
Are you just wanting to give a specific service account access, or do you want to block anyone other than the service account? Because that wouldn’t stop someone from going to the secret permissions and granting the role roles/secretmanager.secretAccessor to get at the secret.
If you want to block, you can try the Deny Policies that are in preview mode: https://cloud.google.com/iam/docs/deny-overview