Cloud Build Fails to Access Secret Manager: Permission 'secretmanager.versions.access' Denied

I am encountering an issue with my Cloud Build pipeline where it fails to access a secret stored in Secret Manager. Here is the error message I receive:

```text
BUILD FAILURE: Build step failure: build step 0 "gcr.io/cloud-builders/git" failed: failed to access secret version for secret projects/projlumen123/secrets/github_pat/versions/latest: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/projlumen123/secrets/github_pat/versions/latest' (or it may not exist).
```

What I Have Tried

  1. Permissions:

    • Both the Cloud Build default service account (<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com) and my custom service account (projectlumen-sa@projlumen123.iam.gserviceaccount.com) have been explicitly granted the roles/secretmanager.secretAccessor role at the project level and on the specific secret (github_pat). The IAM policy for the github_pat secret includes:

    ```yaml
    bindings:
    - members:
      - serviceAccount:<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com
      - serviceAccount:projectlumen-sa@projlumen123.iam.gserviceaccount.com
      - serviceAccount:service-<PROJECT_NUMBER>@gcp-sa-cloudbuild.iam.gserviceaccount.com
      role: roles/secretmanager.secretAccessor
    ```

  2. Secret Configuration:

    • The github_pat secret exists in Secret Manager with an enabled version:

      ```bash
      gcloud secrets versions list github_pat --project=projlumen123
      ```

      Output:

      ```text
      NAME  STATE    CREATED
      1     enabled
      ```

  3. Cloud Build YAML:
    My cloudbuild.yaml uses availableSecrets to securely retrieve secrets:

    ```yaml
    availableSecrets:
      secretManager:
        - versionName: "projects/projlumen123/secrets/github_pat/versions/latest"
          env: "GITHUB_PAT"
        - versionName: "projects/projlumen123/secrets/firebase_token/versions/latest"
          env: "FIREBASE_TOKEN"
    ```

  4. Testing Secret Access:
    I tested secret access manually using impersonation, and it works fine:

    ```bash
    gcloud secrets versions access latest --secret="github_pat" \
      --impersonate-service-account=<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com \
      --project=projlumen123
    ```

    This command successfully retrieves the secret value.

  5. Cloud Build Service Account:
    The Cloud Build default service account has the roles/cloudbuild.builds.builder role and roles/secretmanager.secretAccessor role assigned at both project and secret levels.

My Setup

Questions

  1. Is there any additional permission (e.g., more granular than roles/secretmanager.secretAccessor) that I need to assign to the Cloud Build default service account?
  2. Could there be an issue with how availableSecrets is configured in my cloudbuild.yaml file?
  3. Are there any known issues or limitations with using availableSecrets in Cloud Build?

Any guidance or suggestions would be greatly appreciated! Thank you in advance for your help.

1 Like

Hi, try using “Project number” instead of “Project Id” in the secret path → projects/projlumen123/secrets/firebase_token/versions/latest

You can find this secret path in the details of the secret at Secret Manager

3 Likes
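As an added example (not from the original thread), here is a complete cloudbuild.yaml that applies the reply's suggestion of using the project number in versionName, and also lists the variable in the step's secretEnv, which Cloud Build requires before a step receives a secret from availableSecrets. <PROJECT_NUMBER> and the repository URL are placeholders, and the step assumes bash is present in the git builder image.

```yaml
# Added example, not from the original post. <PROJECT_NUMBER> is a placeholder
# for the numeric project number of projlumen123; it can be read with:
#   gcloud projects describe projlumen123 --format='value(projectNumber)'
steps:
  - name: 'gcr.io/cloud-builders/git'
    # Only steps that name the variable in secretEnv receive the secret value;
    # availableSecrets on its own does not inject anything into a step.
    secretEnv: ['GITHUB_PAT']
    entrypoint: 'bash'
    args:
      - '-c'
      # $$ escapes the variable from Cloud Build substitution so the shell
      # expands it at run time; the token is used, never echoed to the log.
      - 'git clone "https://x-access-token:$$GITHUB_PAT@github.com/example-org/example-repo.git" app'

  # A later step that needs the Firebase token would list FIREBASE_TOKEN in
  # its own secretEnv; the git step above is deliberately not given it.

availableSecrets:
  secretManager:
    - versionName: 'projects/<PROJECT_NUMBER>/secrets/github_pat/versions/latest'
      env: 'GITHUB_PAT'
    - versionName: 'projects/<PROJECT_NUMBER>/secrets/firebase_token/versions/latest'
      env: 'FIREBASE_TOKEN'
```

Each step is granted only the secret it needs, so a compromised or misbehaving build step cannot read the other token.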