
secret manager permission denied for Owner

We have a staging app and a production app. Both are App Engine Node apps running the same code. In the staging app, we had no problem getting Secret Manager set up, and the app can read the secrets. We set up Secret Manager in production, and the production app gets a permission denied error:

Error: 7 PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/REDACTED/versions/latest' (or it may not exist).

The permissions look the same between the two, and when I run the Policy Troubleshooter it gives me a bizarre result. For production, it reports "can access" (not true!), while for staging it reports "unknown" because I "don't have permission to view any of the principal access boundary policies", "don't have permission to view any of the resources' deny policies", and "don't have permission to evaluate the full result", despite the fact that I'm an Owner of both projects. I even added the roles it said I needed, and that didn't affect anything.

Yes, the Secret Manager API is authorized (it's listed when I run gcloud services list). Yes, I can create secrets with the console. I added the Secret Manager Secret Accessor role as well as the Secret Manager Viewer role to my service account, even though those are redundant with Owner, and that made no difference. I've tried everything suggested in every post here and on Stack Overflow/Server Fault, and nothing has addressed this issue. Please help. Thanks.


It seems that part of the path is missing from your error:

projects/REDACTED/versions/latest

It should also include the secret_id, like:

projects/project-id/secrets/secret-id/versions/version-id

https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets.versions/access
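As an added example (not code from the original thread or from the poster's app), the Node snippet below builds the fully qualified version name the reply above refers to, checks its shape before any API call, and classifies the resource path quoted in a PERMISSION_DENIED message: a name with no `secrets/{secret}` segment, a name whose project differs from the project the app is running in, or a well-formed same-project name, which leaves an IAM grant or a non-existent version as the remaining explanations. The project IDs and secret name are hypothetical placeholders; `GOOGLE_CLOUD_PROJECT` is the environment variable App Engine sets with the running project's ID; the client call uses the real `@google-cloud/secret-manager` `accessSecretVersion` method and is only reached when a caller invokes `accessSecret`, so the diagnostics run without the package installed.

```javascript
// Added example, not from the original post. Assumed placeholder values:
// projects "my-staging-proj" / "my-prod-proj", secret "db-password".
// Secret Manager version names must have the form
//   projects/{project}/secrets/{secret}/versions/{version}
const NAME_RE = /^projects\/([^/]+)\/secrets\/([^/]+)\/versions\/([^/]+)$/;

// Build the fully qualified version name. "latest" is an alias for the
// most recent enabled version.
function versionName(project, secret, version = 'latest') {
  if (!project || !secret) {
    throw new Error('project and secret are required to name a version');
  }
  return `projects/${project}/secrets/${secret}/versions/${version}`;
}

// Split a version name into its parts, or return null when it is malformed
// (for example, when the "secrets/{secret}" segment is missing).
function parseVersionName(name) {
  const m = NAME_RE.exec(name);
  if (!m) return null;
  return { project: m[1], secret: m[2], version: m[3] };
}

// Pull the resource path out of a PERMISSION_DENIED message and say which
// of three situations it points at, given the project the app runs in.
function diagnoseAccessError(message, runningProject) {
  const m = /denied for resource '([^']+)'/.exec(message);
  if (!m) return { kind: 'unrecognised', resource: null };
  const resource = m[1];
  const parts = parseVersionName(resource);
  if (!parts) {
    // Path lacks a required segment: the client was given a bad name.
    return { kind: 'malformed-name', resource };
  }
  if (parts.project !== runningProject) {
    // Name points at a secret in another project, e.g. a project ID that
    // was hardcoded from the staging deployment.
    return { kind: 'cross-project', resource, project: parts.project };
  }
  // Well-formed and in this project: the calling identity lacks
  // roles/secretmanager.secretAccessor on the secret, or the version does
  // not exist. On App Engine that identity is the app's service account,
  // not the user who deployed the app.
  return { kind: 'iam-or-missing', resource, project: parts.project };
}

// Read a version's payload with the official client. The require is inside
// the function so the pure helpers above can be used without the package.
async function accessSecret(project, secret, version = 'latest') {
  const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
  const client = new SecretManagerServiceClient();
  const name = versionName(project, secret, version);
  const [resp] = await client.accessSecretVersion({ name });
  return resp.payload.data.toString('utf8');
}

// Typical App Engine usage (placeholder secret name):
//   const pw = await accessSecret(process.env.GOOGLE_CLOUD_PROJECT, 'db-password');
```

On App Engine the identity making the call is the app's service account (by default the App Engine default service account), not the Owner who deployed, so the grant of `roles/secretmanager.secretAccessor` has to reach that account on the production secret. From a shell, `gcloud secrets get-iam-policy SECRET --project=PROJECT` shows the secret-level bindings, and `gcloud secrets versions access latest --secret=SECRET --project=PROJECT --impersonate-service-account=SA_EMAIL` (which needs the Service Account Token Creator role on that account) reproduces the app's read as that identity. If the code builds the name from a project ID carried over from the staging deployment, the `cross-project` case above is worth ruling out first.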


No, that's not it. I redacted that part of the path rather than post my project ID and secret ID here. The exact same code works in my staging app.

I have the same issue. Is there any update on this?