How do I pass non-default Google Service Account credentials to SecretManagerService or SecretManagerServiceClient in Google Cloud Function production environment? Docs are here.

When running locally I can use from google.oauth2.service_account import Credentials then credentials = Credentials.from_service_account_file("some-file.json") and finally secret_client = SecretManagerServiceClient(credentials) however when deploying to GCP I don't want the credentials file stored as a json/txt file next to the source code.

If I give the App Engine default service account the Secret Accessor role and use SecretManagerServiceClient() without arguments then the script can access the secrets in deployment but it's via the default service account. I want to use a non-default account with limited scope Secret Manager Secret Accessor only for further security.

I found this a related answer but Quick Search of googleapis.dev turned up nothing for SecretManagerServiceClientBuilder.

CodePudding user response：

You have to use ADC (Application Default Credential) in cloud functions and don't provide a service account key file.

Indeed, the default service account of Cloud Functions is the App Engine default service account that is used. To use another service account, you can choose to change the cloud function identity and grand the secret accessor permission only to that service account

CodePudding user response：

I don't know all details of your case, but I am not sure it is to be done from inside the code.

If you know a service account under which the cloud function is executed, you might like to assign (at least) a Secret Manager Secret Accessor IAM role, so that your service account can read the required secret value.

If you prefer using console - it can be done from a page where permissions for a secret are listed and edited.

Ideally (from my point of view) it should be done within CICD pipeline, when your cloud function is being deployed together with all other relevant resources.