
Cloud Build Fails to Access Secret Manager: Permission 'secretmanager.versions.access' Denied

I am encountering an issue with my Cloud Build pipeline where it fails to access a secret stored in Secret Manager. Here is the error message I receive:

text
BUILD FAILURE: Build step failure: build step 0 "gcr.io/cloud-builders/git" failed: failed to access secret version for secret projects/projlumen123/secrets/github_pat/versions/latest: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/projlumen123/secrets/github_pat/versions/latest' (or it may not exist).

What I Have Tried

  1. Permissions:
    • Both the Cloud Build default service account (<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com) and my custom service account (projectlumen-sa@projlumen123.iam.gserviceaccount.com) have been explicitly granted the roles/secretmanager.secretAccessor role at the project level and on the specific secret (github_pat).
    IAM policy for the github_pat secret includes:

    text
    bindings:
    - members:
      - serviceAccount:<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com
      - serviceAccount:projectlumen-sa@projlumen123.iam.gserviceaccount.com
      - serviceAccount:service-<PROJECT_NUMBER>@gcp-sa-cloudbuild.iam.gserviceaccount.com
      role: roles/secretmanager.secretAccessor
  2. Secret Configuration:
    • The github_pat secret exists in Secret Manager with an enabled version:

      bash
      gcloud secrets versions list github_pat --project=projlumen123

      Output:

      text
      NAME  STATE    CREATED
      1     enabled  <timestamp>
  3. Cloud Build YAML:
    My cloudbuild.yaml uses availableSecrets to securely retrieve secrets:

    text
    availableSecrets:
      secretManager:
      - versionName: "projects/projlumen123/secrets/github_pat/versions/latest"
        env: "GITHUB_PAT"
      - versionName: "projects/projlumen123/secrets/firebase_token/versions/latest"
        env: "FIREBASE_TOKEN"
  4. Testing Secret Access:
    I tested secret access manually using impersonation, and it works fine:

    bash
    gcloud secrets versions access latest --secret="github_pat" \
      --impersonate-service-account=<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com \
      --project=projlumen123

    This command successfully retrieves the secret value.
  5. Cloud Build Service Account:
    The Cloud Build default service account has the roles/cloudbuild.builds.builder role and roles/secretmanager.secretAccessor role assigned at both project and secret levels.

My Setup

Questions

  1. Is there any additional permission (e.g., more granular than roles/secretmanager.secretAccessor) that I need to assign to the Cloud Build default service account?
  2. Could there be an issue with how availableSecrets is configured in my cloudbuild.yaml file?
  3. Are there any known issues or limitations with using availableSecrets in Cloud Build?

Any guidance or suggestions would be greatly appreciated! Thank you in advance for your help.


Hi, try using "Project number" instead of "Project Id" in the secret path -> projects/projlumen123/secrets/firebase_token/versions/latest

You can find this secret path in the details of the secret in Secret Manager.

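As an added example (not part of the original question or reply), the following POSIX shell helpers build a versionName with the numeric project number as the reply suggests, flag a path that still carries the project ID, rewrite an existing path to the project-number form, and, when gcloud is available, verify access the same way the question did: by impersonating the Cloud Build default service account. The project number 123456789012, the secret names and the project ID used in the checks are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for Secret Manager
# versionName paths used in Cloud Build's availableSecrets.
# Project number 123456789012 and all names below are placeholders.

# Build a versionName from the numeric project number.
# Usage: secret_version_path PROJECT_NUMBER SECRET [VERSION]
secret_version_path() {
  printf 'projects/%s/secrets/%s/versions/%s\n' "$1" "$2" "${3:-latest}"
}

# Return 0 if the project segment of PATH is a project number (digits only),
# 1 if it is a project ID such as "projlumen123" or the path is malformed.
# Usage: path_uses_project_number PATH
path_uses_project_number() {
  case "$1" in
    projects/*/secrets/*/versions/*) ;;
    *) return 1 ;;
  esac
  seg="${1#projects/}"
  seg="${seg%%/*}"
  case "$seg" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# Replace the project segment of an existing versionName with PROJECT_NUMBER,
# keeping the secret and version segments unchanged.
# Usage: rewrite_project_segment PATH PROJECT_NUMBER
rewrite_project_segment() {
  case "$1" in
    projects/*/secrets/*) ;;
    *) return 1 ;;
  esac
  printf 'projects/%s/%s\n' "$2" "${1#projects/*/}"
}

# --- Online helpers: need gcloud and project access; not exercised offline ---

# Resolve the numeric project number for a project ID.
resolve_project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Read the secret as the Cloud Build default service account would, then
# print the versionName to paste into availableSecrets.
# Usage: check_build_access PROJECT_ID SECRET
check_build_access() {
  number="$(resolve_project_number "$1")" || return 1
  gcloud secrets versions access latest --secret="$2" --project="$1" \
    --impersonate-service-account="${number}@cloudbuild.gserviceaccount.com" \
    >/dev/null || return 1
  secret_version_path "$number" "$2"
}
```

The first three functions run without gcloud and can be dropped into a pre-build lint step over the versionName values in cloudbuild.yaml. check_build_access requires gcloud and, for the impersonation step, the caller must hold the Service Account Token Creator role on the Cloud Build service account; a failure there is a permission problem on the caller, not on the build.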