I have no ideas what to set here. The whole policy, binding and member stuff is very confusing IMHO. Are any of these roles? Anyway...
Trying to access the secret manager from a cloud function. The cloud function is setup using Terraform:
module "mds_reporting_cloud_function" {
source = "terraform-google-modules/scheduled-function/google"
version = "2.0.0"
project_id = var.function_gcp_project
job_name = var.function_name
job_description = var.function_description
job_schedule = var.function_cron_schedule
function_entry_point = "main"
function_source_directory = "${path.module}/../../../../src"
function_name = var.function_name
region = var.function_gcp_region
bucket_name = var.function_name
function_description = var.function_description
function_environment_variables = var.function_environment_variables
function_runtime = "python38"
topic_name = var.function_name
}
resource "google_cloudfunctions_function_iam_binding" "binding" {
project = var.function_gcp_project
region = var.function_gcp_region
cloud_function = var.function_name
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:${var.function_gcp_project}@appspot.gserviceaccount.com"
]
}
My understanding is, that if no service account for the cloud function is specified it will use the default App Engine service account.
The binding should 'bind' the role to the existing IAM policy of the App Engine service account.
However, it throws this error:
Error:
Error applying IAM policy for cloudfunctions cloudfunction "projects/alpine-proton-280612/locations/europe-west3/functions/mds-reporting-cloud-function":
Error setting IAM policy for cloudfunctions cloudfunction "projects/alpine-proton-280612/locations/europe-west3/functions/mds-reporting-cloud-function":
googleapi: Error 400: Role roles/secretmanager.secretAccessor is not supported for this resource.
Not sure what do.
secretAccessor
to the function. Functions do not provide the secret service. If you are trying to modify a service account and grant it an additional role, grant the permission to the project resource, not the function resource. – John HanleysecretAccessor
on the Secret Manager resource. – John Hanley