I am using Google Cloud Build to build a Docker image for deployment, but the program running inside needs the Secrets Manager.

I have this working from the command line with a service account, but trying to follow an example that puts the secret into an environment variable for use by Python, this one fails referring to a builder service account:

your build failed to run: generic::invalid_argument: builder service account "[email protected]" does not have secretmanager.versions.access permissions for secret "projects/myproject/secrets/mypassword"

I look in the list of service accounts and don't find this account anywhere, so how do I give it access to this if I have to do it this way?

But actually all I need is the running program to have access (I have it coded this way already and it works from the cloud shell and from the command line) ... how to hook it up with the right IAM service account to run correctly from within a deployed Docker container?

Thanks much for any guidance on this!

CodePudding user response：

The Cloud Build Service account <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com is not in the Service Account List because it is a Google Managed account and is not created in your project.

Keep in mind that only the Service Accounts created in your project will appear on that list.

Instead you will find the account in the IAM main page.

Regarding your second question

how to hook it up with the right IAM service account to run correctly from within a deployed Docker container?

Well, it will depend on the resource it will run (GCE, GKE, Cloud Run, App Engine Flex) and the account assigned for the chosen product.

CodePudding user response：

Good description by Ferregina

One line solution in your case will be :

gcloud projects add-iam-policy-binding  <YOUR_PROJECT_ID> --member='serviceAccount:[email protected]' --role='roles/secretmanager.secretAccessor'