#gcp (2022-03)

Google Cloud Platform

2022-03-16

contact871

Hi :wave:,

I’m trying to limit access to secrets for a specific ServiceAccount. I’m trying with the Secret Manager Admin Role and a specific condition (resource.name.startsWith("SOME_PREFIX__")), but I get the following error message:

# CREATE NEW SECRET
$ gcloud secrets create SOME_PREFIX__czerasz_test_2
ERROR: (gcloud.secrets.create) User [[email protected]] does not have permission to access projects instance [my-project-2] (or it may not exist): Permission 'secretmanager.secrets.create' denied for resource 'projects/my-project-2' (or it may not exist).

# DELETE EXISTING SECRET
$ gcloud secrets delete SOME_PREFIX__czerasz_test_1
ERROR: (gcloud.secrets.delete) PERMISSION_DENIED: Permission 'secretmanager.versions.list' denied for resource 'projects/my-project-2/secrets/SOME_PREFIX__czerasz_test_1' (or it may not exist).

Could someone point me in the right direction?

The commands mentioned above work fine without the condition.

contact871

According to the docs, one has to use the project number.

It works with:

resource.name.startsWith("projects/XXXXXXXXXXXX/secrets/SOME_PREFIX__")

zeid.derhally

Are you just wanting to give a specific service account access, or do you want to block anyone other than the service account? Because that wouldn’t stop someone from going to the secret permissions and granting the role roles/secretmanager.secretAccessor to get at the secret.

zeid.derhally

If you want to block, you can try the Deny Policies, which are in preview mode: https://cloud.google.com/iam/docs/deny-overview

2022-03-23