I am developing a Node.js application that accesses secrets from GCP Secret Manager. I ran it locally, pointing it at credentials using the GOOGLE_APPLICATION_CREDENTIALS variable.
Then I tried deploying this service to Google Cloud Run, and now it throws the error:
Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied
I want to know how to add credentials to Cloud Run containers. I saw some implementations where the credential file is included inside the code. What is the best practice for accessing GCP resources from a Cloud Run container?
CodePudding user response:
You might like to find the service account used by your Cloud Run service, and grant that service account a relevant IAM role against the desired secret - most likely the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor).
You don't need any credentials file. And please, under no circumstances keep any credentials in a code repository.
======
Updated following @kolban's comment
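The grant the answer describes, written out as gcloud commands; this is an added example, not code from the original post or from Google. SERVICE, REGION and SECRET are placeholder arguments and the helper names are my own; once the binding exists the Node app needs no key file, because the client library picks up the runtime service account's token on Cloud Run by itself.

```shell
#!/bin/sh
# Added example (not the answer author's code): grant the Cloud Run runtime
# service account access to ONE secret, then verify the binding.
# Assumes gcloud is installed and authenticated as a user allowed to edit
# the secret's IAM policy; SERVICE, REGION and SECRET are placeholders.
set -eu

# IAM member string gcloud expects for a service account identity.
sa_member() {
  printf 'serviceAccount:%s' "$1"
}

# Full resource name the Node client passes to accessSecretVersion().
secret_version_name() {
  printf 'projects/%s/secrets/%s/versions/%s' "$1" "$2" "${3:-latest}"
}

# Runtime service account of a deployed Cloud Run service. A service deployed
# without --service-account runs as the default compute account
# (PROJECT_NUMBER-compute@developer.gserviceaccount.com).
runtime_service_account() {
  gcloud run services describe "$1" --region "$2" \
    --format 'value(spec.template.spec.serviceAccountName)'
}

# Least privilege: bind the accessor role on this secret only, not on the
# project, so the service can read nothing else.
grant_secret_access() {
  gcloud secrets add-iam-policy-binding "$1" \
    --member "$(sa_member "$2")" \
    --role roles/secretmanager.secretAccessor
}

# Exit non-zero unless the binding now appears in the secret's IAM policy.
verify_secret_access() {
  gcloud secrets get-iam-policy "$1" --format json \
    | grep -q "$(sa_member "$2")"
}

# Usage: sh grant_secret.sh SERVICE REGION SECRET
if [ "$#" -eq 3 ]; then
  sa="$(runtime_service_account "$1" "$2")"
  [ -n "$sa" ] || { echo "could not resolve service account" >&2; exit 1; }
  grant_secret_access "$3" "$sa"
  if verify_secret_access "$3" "$sa"; then
    echo "ok: $sa can read $(secret_version_name "$(gcloud config get-value project)" "$3")"
  else
    echo "binding not found on secret $3" >&2; exit 1
  fi
fi
```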