GCP Cloud Run Service scenarios to Retrieve Secret from Secret Manager - 'Access Denied' scenarios
Hey everyone, I'm running into an issue that's driving me crazy. I'm currently deploying a service on GCP Cloud Run that needs to access sensitive configuration data stored in the Secret Manager. However, whenever the service starts, I encounter an 'Access Denied' behavior.

Here's the relevant part of my Cloud Run service configuration:

```json
{
  "name": "my-cloud-run-service",
  "image": "gcr.io/my-project/my-image",
  "secrets": [
    {
      "secret": "my-secret-name",
      "version": "latest"
    }
  ]
}
```

I've verified that the secret exists and that I'm using the correct name. Additionally, my Cloud Run service's service account has the `Secret Manager Secret Accessor` role assigned to it. Here's the IAM policy associated with the service account:

```json
{
  "bindings": [
    {
      "role": "roles/secretmanager.secretAccessor",
      "members": [
        "serviceAccount:my-cloud-run-service@my-project.iam.gserviceaccount.com"
      ]
    }
  ]
}
```

Despite this configuration, the service logs show the following behavior when it tries to access the secret:

`behavior: Access Denied: secret 'projects/my-project/secrets/my-secret-name' is disabled or not accessible by service account 'my-cloud-run-service@my-project.iam.gserviceaccount.com'`

I've checked that the secret is enabled and the service account is indeed the one used by Cloud Run. To troubleshoot, I also tried running the Cloud Run service locally using the `gcloud beta run services invoke` command, but it still fails with the same behavior. I even double-checked the permissions in IAM and the Secret Manager, and everything seems to be set correctly.

Could it be a propagation delay in permissions, or am I missing something in the setup? Any insights would be greatly appreciated. I'm working on an application that needs to handle this.
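The error message in the question lists two separate causes, disabled secret version and missing access for the runtime service account, and a third one hides behind "the service account is indeed the one used by Cloud Run": the account named in the IAM binding is not necessarily the account the deployed revision actually runs as (a revision deployed without `--service-account` runs as the project's default compute service account). The following is an added example, not code from the original post, that checks all three conditions offline against the JSON you get from `gcloud run revisions describe`, `gcloud secrets get-iam-policy`, `gcloud projects get-iam-policy` and `gcloud secrets versions list`, reduced to the fields used here. The sample documents, the `123456789012-compute@developer.gserviceaccount.com` account and the version numbers are constructed; the set of roles treated as granting `secretmanager.versions.access` is an assumption limited to the well-known ones.

```python
"""Offline diagnosis of a Cloud Run -> Secret Manager 'access denied'.

Assumptions (not from the original post):
  - policy documents are plain dicts shaped like `gcloud ... get-iam-policy --format=json`
  - versions are dicts shaped like `gcloud secrets versions list --format=json`
  - ACCESS_ROLES is the short list of roles known to carry
    secretmanager.versions.access; custom roles are not evaluated here
"""

# Roles assumed to grant secretmanager.versions.access (assumption; basic Editor does not).
ACCESS_ROLES = {
    "roles/secretmanager.secretAccessor",
    "roles/secretmanager.admin",
    "roles/owner",
}


def members_with_access(policy: dict) -> set:
    """Members bound, unconditionally, to a role that can read secret payloads.

    Conditional bindings are skipped on purpose: whether they apply at runtime
    depends on the request context, so they cannot be trusted in an offline check.
    """
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if binding.get("role") in ACCESS_ROLES:
            members.update(binding.get("members", []))
    return members


def _version_number(version: dict) -> int:
    # ".../secrets/<name>/versions/<n>" -> n
    return int(version["name"].rsplit("/", 1)[1])


def diagnose(revision: dict, versions: list, secret_policy: dict, project_policy: dict) -> list:
    """Return a list of findings; an empty list means nothing here explains the denial.

    revision: {"serviceAccount": "<runtime SA email>", "secrets": [{"secret": <full resource name>, "version": "latest"|"<n>"}]}
    """
    findings = []
    runtime_sa = revision["serviceAccount"]
    member = "serviceAccount:" + runtime_sa

    # 1. Is the account the revision actually runs as bound on the secret or its project?
    allowed = members_with_access(secret_policy) | members_with_access(project_policy)
    if member not in allowed:
        findings.append(f"no-binding: {runtime_sa} is not bound to a secret-reading role on the secret or its project")

    for ref in revision.get("secrets", []):
        secret_name = ref["secret"]
        candidates = [v for v in versions if v["name"].startswith(secret_name + "/versions/")]

        # 2. Does the referenced secret resource have any versions at all (wrong name/project)?
        if not candidates:
            findings.append(f"no-secret: {secret_name} has no versions visible (wrong name or project?)")
            continue

        # 3. Resolve the reference; 'latest' is the newest version even if that one is disabled.
        if ref["version"] == "latest":
            target = max(candidates, key=_version_number)
        else:
            target = next((v for v in candidates if v["name"].endswith("/versions/" + ref["version"])), None)
            if target is None:
                findings.append(f"no-version: {secret_name} has no version {ref['version']}")
                continue
        if target["state"] != "ENABLED":
            findings.append(f"version-state: {target['name']} is {target['state']}")
    return findings


# ---- constructed sample data (not from the original post) ----
SECRET = "projects/my-project/secrets/my-secret-name"
BOUND_SA = "my-cloud-run-service@my-project.iam.gserviceaccount.com"
DEFAULT_COMPUTE_SA = "123456789012-compute@developer.gserviceaccount.com"  # constructed

SECRET_POLICY = {"bindings": [{"role": "roles/secretmanager.secretAccessor",
                               "members": ["serviceAccount:" + BOUND_SA]}]}
PROJECT_POLICY = {"bindings": []}
VERSIONS = [
    {"name": SECRET + "/versions/1", "state": "DISABLED"},
    {"name": SECRET + "/versions/2", "state": "ENABLED"},
]

# Revision deployed without --service-account: runs as the default compute SA.
REVISION_DEFAULT_SA = {"serviceAccount": DEFAULT_COMPUTE_SA,
                       "secrets": [{"secret": SECRET, "version": "latest"}]}
# Revision deployed with --service-account=<BOUND_SA>.
REVISION_BOUND_SA = {"serviceAccount": BOUND_SA,
                     "secrets": [{"secret": SECRET, "version": "latest"}]}

if __name__ == "__main__":
    for label, rev in (("default SA", REVISION_DEFAULT_SA), ("bound SA", REVISION_BOUND_SA)):
        print(label, "->", diagnose(rev, VERSIONS, SECRET_POLICY, PROJECT_POLICY) or "no findings")
```

Run it against your own exported JSON by replacing the constructed `REVISION_*`, `SECRET_POLICY`, `PROJECT_POLICY` and `VERSIONS` values; the `serviceAccount` field of the live revision is the one to compare against the binding, not the account you intended to use. If it reports no findings, the remaining suspects are outside this check: the Secret Manager API not being enabled in the project, a secret in another project referenced by name instead of full resource path, or a conditional binding that does not match at runtime.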