Hi All,
I am using Vertex AI and Secret Manager. I am able to create the client and access the secret when I run the script using my own account, but when I run the same code with the service account I come across the _InactiveRpcError / permission denied error.
PermissionDenied: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
domain: "googleapis.com"
metadata {
key: "method"
value: "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
}
metadata {
key: "service"
value: "secretmanager.googleapis.com"
}
I have tried providing the access to all the required agents/accounts. I have the keys file as well, I am unable to provide the path to the file as it says file not found when I use it.
Can anyone please help?
Regards,
Rashmi Sudhakar
Based on the documentation, to access a secret version, the service account must have the required role “Secret Manager Accessor” (roles/secretmanager.secretAccessor).
Furthermore, if you have created a custom service account, as stated in the documentation:
To provide access to your project and your resources, grant a role to the service account:
gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE
You could also check this documentation to see a sample component that prints out the previously created secret.
Hope this helps.
Hi @maricarp ,
I have tried implementing the above mentioned steps, but still it errors the same. Please let me know if there is any other workaround.
Regards,
Rashmi Sudhakar
@rashmi_sudhakar According to here: https://cloud.google.com/vertex-ai/docs/general/access-control#grant_service_agents_access_to_other_..., you need to use a custom service account to run the jobs, so they can use the https://www.googleapis.com/auth/cloud-platform scope to access Secret Manager.
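As an added example (not code from this thread or from Google's libraries), a small Python triage helper that parses the ErrorInfo block printed above and separates the two failure modes the thread conflates: an insufficient OAuth scope on the token, which no IAM grant fixes, versus a missing IAM role. The sample error text is a constructed copy of the one in the question; the tokeninfo dict shape assumes Google's tokeninfo endpoint, which reports granted scopes as a space-separated string.

```python
"""Triage a Secret Manager PermissionDenied: scope problem or IAM problem?"""
import re

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
SECRET_ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

# Constructed copy of the error printed in the question above.
SAMPLE_ERROR = """PermissionDenied: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
domain: "googleapis.com"
metadata {
key: "method"
value: "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
}
metadata {
key: "service"
value: "secretmanager.googleapis.com"
}"""


def parse_error_info(text):
    """Pull reason, domain and key/value metadata out of a printed ErrorInfo."""
    info = {"reason": None, "domain": None, "metadata": {}}
    m = re.search(r'reason:\s*"([^"]+)"', text)
    info["reason"] = m.group(1) if m else None
    m = re.search(r'domain:\s*"([^"]+)"', text)
    info["domain"] = m.group(1) if m else None
    pattern = r'metadata\s*\{\s*key:\s*"([^"]+)"\s*value:\s*"([^"]+)"\s*\}'
    for key, value in re.findall(pattern, text):  # \s spans newlines
        info["metadata"][key] = value
    return info


def diagnose(info):
    """Map the ErrorInfo reason to the fix that actually addresses it."""
    method = info["metadata"].get("method", "<unknown method>")
    if info["reason"] == "ACCESS_TOKEN_SCOPE_INSUFFICIENT":
        return ("scope", f"Token used for {method} lacks {CLOUD_PLATFORM_SCOPE}; "
                         "granting IAM roles will not help. Run the job with a "
                         "service account whose credentials request that scope.")
    if info["reason"] == "IAM_PERMISSION_DENIED":
        return ("iam", f"Principal lacks permission for {method}; grant "
                       f"{SECRET_ACCESSOR_ROLE} on the secret or project.")
    return ("unknown", f"Unrecognised reason {info['reason']!r}; read the full error.")


def has_required_scope(tokeninfo):
    """tokeninfo responses list granted scopes in a space-separated 'scope' field."""
    return CLOUD_PLATFORM_SCOPE in tokeninfo.get("scope", "").split()
```

To check a live token, fetch https://oauth2.googleapis.com/tokeninfo?access_token=... and pass the JSON body to has_required_scope.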