Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Can't grant permissions on secrets

See original GitHub issue

In our new deployments, I’ve been trying to assign secretmanager.secretAccessor on a specific secret to a given service account.

Is this an impossible feat? I’ve managed to create a type provider for the secret manager API, but cannot assign the required permissions.

This is a minimal deployment of the secret:

resources:
  # Service account needing secretAccessor
  - name: account-user123
    type: iam.v1.serviceAccount
    properties:
      accountId: user123
      displayName: user123

  # Create secret
  - name: secret-parent-up-auth_secret
    action: [PROJECT_ID]/secret-manager:secretmanager.projects.secrets.create
    properties:
      replication:
        automatic: {}
      parent: projects/[PROJECT_ID]
      secretId: auth_secret
    metadata:
      runtimePolicy:
        - CREATE
      dependsOn:
        - api-secretmanager
        - type-provider-secret-manager

  # Delete secret
  - name: secret-parent-down-auth_secret
    action: [PROJECT_ID]/secret-manager:secretmanager.projects.secrets.delete
    properties:
      name: projects/155387989549/secrets/auth_secret
    metadata:
      runtimePolicy:
        - DELETE
      dependsOn:
        - type-provider-secret-manager

  # Deploy secret version
  - name: secret-version-auth_secret_payload
    action: [PROJECT_ID]/secret-manager:secretmanager.projects.secrets.addVersion
    properties:
      parent: projects/[PROJECT_ID]/secrets/auth_secret
      payload:
        data: c3RhcmZpc2g=
    metadata:
      dependsOn:
        - secret-parent-up-auth_secret

  # Deploy secret manager type provider
  - name: type-provider-secret-manager
    type: gcp-types/deploymentmanager-v2beta:typeProviders
    properties:
      name: secret-manager
      descriptorUrl: https://secretmanager.googleapis.com/$discovery/rest?version=v1beta1
      options:
        inputMappings:
          - fieldName: Authorization
            location: HEADER
            value: $.concat("Bearer ", $.googleOauth2AccessToken())

Issue Analytics

State:
Created 3 years ago
Reactions:2
Comments:5 (1 by maintainers)

Top GitHub Comments

1reaction

m0arcommented, Sep 3, 2020

What does work, but gives access to all project secrets (which is obviously too generous):

  - name: iam-projectRole-user123-secretAccessor
    type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
    properties:
      resource: [PROJECT_ID]
      role: roles/secretmanager.secretAccessor
      member: serviceAccount:user123@[PROJECT_ID].iam.gserviceaccount.com
    metadata:
      dependsOn:
        - account-user123
        - secret-version-auth_secret_payload

0reactions

m0arcommented, Sep 15, 2020

@ocsig Got it, thanks for the insights ❤️