I'm trying to get a secret from Google's Secret Manager, and the same code works for Cloud Functions but not for App Engine.
const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');

// The client picks up Application Default Credentials from the runtime.
const secretManagerServiceClient = new SecretManagerServiceClient();

// Fully qualified version name: projects/<project-number>/secrets/<secret-id>/versions/<version>
const name = 'projects/000000000000/secrets/database/versions/latest';

exports.testSecretManager = async (req, res) => {
  const [version] = await secretManagerServiceClient.accessSecretVersion({ name });
  const payload = version.payload.data.toString();
  // Debug only: this writes the secret value into the application logs.
  console.debug(`Payload: ${payload}`);
  res.sendStatus(200);
};
The same code works fine when I deploy it as a function.
But when I run the same code as part of an App Engine application, it fails with this error:
Error: 16 UNAUTHENTICATED: Failed to retrieve auth metadata with error: Could not refresh access token: Unsuccessful response status code. Request failed with status code 500
at Object.callErrorFromStatus (/workspace/node_modules/@grpc/grpc-js/build/src/call.js:31:26)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client.js:180:52)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:365:141)
at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:328:181)
at /workspace/node_modules/@grpc/grpc-js/build/src/call-stream.js:182:78
at processTicksAndRejections (node:internal/process/task_queues:78:11)
I believe both Cloud Functions and App Engine run under the same service account, the “App Engine default service account”, and it has the rights.
It seems like GOOGLE_APPLICATION_CREDENTIALS is missing from the environment.
console.log(process.env.GOOGLE_APPLICATION_CREDENTIALS);
gives me undefined. Can this be the reason? How do I pass this environment variable to App Engine then?
How can I debug this more deeply?
CodePudding user response:
Make sure that the Secret Manager Secret Accessor role is granted, in IAM, to the service account used by App Engine. The exact role you would need to add is roles/secretmanager.secretAccessor. You may refer here for more details.
Also, have a look at this Stack Overflow case.
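As an added example (not code from the question or from either answer), here is the same accessSecretVersion call wrapped so that a failure says which of two different problems it is: the runtime has no usable credential at all (gRPC 16 UNAUTHENTICATED, as in the question, where the token refresh itself failed before IAM was ever consulted), or the credential works but the runtime service account is missing roles/secretmanager.secretAccessor (gRPC 7 PERMISSION_DENIED, the case the answer above addresses). On App Engine and Cloud Functions, Application Default Credentials come from the metadata server, so GOOGLE_APPLICATION_CREDENTIALS being undefined is expected and is not itself the fault. It goes slightly beyond the question by also handling NOT_FOUND and malformed names. The secret name is the one from the question; the function names, the `<runtime-service-account-email>` placeholder and the injected fake clients are assumptions for illustration.

```javascript
'use strict';
// Added example, not code from the question or the answers. Wraps the same
// accessSecretVersion call and turns a gRPC failure into a diagnosis that says
// whether the runtime has no usable credential (authentication) or has a
// credential that lacks the role (authorization). The secret name is the one
// from the question; the service-account placeholder and function names are assumed.

const GRPC_STATUS = { NOT_FOUND: 5, PERMISSION_DENIED: 7, UNAUTHENTICATED: 16 };
const ACCESSOR_ROLE = 'roles/secretmanager.secretAccessor';

// Split "projects/P/secrets/S/versions/V" into its parts; throw on anything else
// so that a typo in the name is not mistaken for a permission problem.
function secretNameParts(name) {
  const m = /^projects\/([^/]+)\/secrets\/([^/]+)\/versions\/([^/]+)$/.exec(name);
  if (!m) throw new Error(`Malformed secret version name: ${name}`);
  return { project: m[1], secret: m[2], version: m[3] };
}

// grpc-js errors carry a numeric .code and a .details string, and the message
// reads "<code> <STATUS>: <details>". Parse both so either source works.
function parseGrpcError(err) {
  const m = /^(\d+)\s+([A-Z_]+):\s*([\s\S]*)$/.exec(err.message || '');
  return {
    code: typeof err.code === 'number' ? err.code : (m ? Number(m[1]) : undefined),
    status: m ? m[2] : undefined,
    detail: err.details || (m ? m[3] : (err.message || String(err))),
  };
}

function diagnoseSecretAccessError(err, name) {
  const { code, status, detail } = parseGrpcError(err);
  const { secret } = secretNameParts(name);
  const base = { code, status, detail };
  switch (code) {
    case GRPC_STATUS.UNAUTHENTICATED:
      return {
        ...base,
        kind: 'authentication',
        cause: 'The client could not obtain an access token at all, so IAM was never consulted. ' +
          'On App Engine and Cloud Functions, Application Default Credentials come from the ' +
          'metadata server, not from GOOGLE_APPLICATION_CREDENTIALS (which is expected to be unset); ' +
          'a 500 from the token refresh means the runtime could not mint a token for its service account.',
        check: 'Log the identity ADC resolves to (google-auth-library: GoogleAuth#getCredentials() ' +
          'and GoogleAuth#getProjectId()) from inside the App Engine app, and compare it with the ' +
          'account that works in Cloud Functions.',
      };
    case GRPC_STATUS.PERMISSION_DENIED:
      return {
        ...base,
        kind: 'authorization',
        cause: 'The credential works but the runtime service account lacks access to this secret.',
        // Placeholder email is an assumption; substitute the runtime service account.
        fix: `gcloud secrets add-iam-policy-binding ${secret} ` +
          `--member=serviceAccount:<runtime-service-account-email> --role=${ACCESSOR_ROLE}`,
      };
    case GRPC_STATUS.NOT_FOUND:
      return { ...base, kind: 'not-found', cause: `No secret or version named ${name} in this project.` };
    default:
      return { ...base, kind: 'other', cause: detail };
  }
}

// Same call as in the question, with the client injected so it can be exercised
// offline against a fake, and with the diagnosis attached to the thrown error.
async function accessSecretWithDiagnosis(client, name) {
  secretNameParts(name); // fail early on a malformed name
  try {
    const [version] = await client.accessSecretVersion({ name });
    return version.payload.data.toString('utf8');
  } catch (err) {
    const diagnosis = diagnoseSecretAccessError(err, name);
    const wrapped = new Error(
      `Secret access failed (${diagnosis.status || diagnosis.code}): ${diagnosis.cause}`);
    wrapped.diagnosis = diagnosis;
    wrapped.original = err;
    throw wrapped;
  }
}
```

In the real handler, pass `new SecretManagerServiceClient()` as `client` and log `err.diagnosis` instead of the raw gRPC message; the `check` text for the UNAUTHENTICATED case is the first thing to run on App Engine, because until the runtime can obtain a token no IAM role grant will change the outcome.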
CodePudding user response:
Please find here a beautifully written answer.
And also the official Google documentation, which doesn't list GAE as a directly supported product; GCE/GKE, however, are supported out of the box, if that's an option for you.