I want to be able to grant a service account in Google Cloud access to multiple secrets based on a naming convention or even better, based on a label.
So far, it's beginning to look like GCP only provides the ability to grant access at the org, folder, project or secret level, and beyond that you can't get any more nuanced in how IAM is set up. See here
I thought maybe GCP's IAM conditions would allow me more flexibility here, but I haven't had any luck with that either. Using the Terraform below, my SA can still access all secrets at the project level.
# IAM conditions see Secret Manager resource names as
# projects/PROJECT_NUMBER/secrets/SECRET_ID, so the prefix must use the
# project number rather than the project ID; look it up here.
data "google_project" "this" {
  project_id = var.project_id
}

resource "google_project_iam_member" "access_secrets" {
  provider = google-beta
  project  = var.project_id
  role     = "roles/secretmanager.secretAccessor"
  member   = "serviceAccount:${google_service_account.service-a.email}"

  condition {
    title       = "all-service-a-secrets"
    description = "All Service A secrets"
    # Matches every secret (and its versions) whose ID starts with the prefix.
    expression  = "resource.name.startsWith('projects/${data.google_project.this.number}/secrets/service-a-secrets')"
  }
}
Coming from primarily using AWS, I feel like permissions were a bit more flexible. It seems that perhaps the answer is to use projects more liberally, but I haven't been able to find many opinions on best ways to utilize GCP projects.
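The other option the question mentions, granting at the secret level, can be done for many secrets at once by driving the bindings from a label. The following is an added example, not code from the question or the answer: it keeps a map of secrets with a `service` label, creates them, and then creates one `google_secret_manager_secret_iam_member` per secret whose label matches, so nothing is granted at the project level. The secret names, the `service` label scheme, `var.project_id` and `google_service_account.service-a` are assumptions, and the `replication { auto {} }` syntax assumes a google provider version that supports it.

```hcl
locals {
  # Constructed inventory of secrets for the example; in a real config
  # these would describe the secrets you already manage.
  secrets = {
    "service-a-db-password" = { service = "service-a" }
    "service-a-api-key"     = { service = "service-a" }
    "service-b-db-password" = { service = "service-b" }
  }

  # Select by label: only secrets tagged for service A get a binding.
  service_a_secrets = {
    for id, meta in local.secrets : id => meta if meta.service == "service-a"
  }
}

resource "google_secret_manager_secret" "this" {
  for_each  = local.secrets
  project   = var.project_id
  secret_id = each.key
  labels    = { service = each.value.service }

  replication {
    auto {}
  }
}

# One secret-scoped binding per matching secret. The service account gets
# roles/secretmanager.secretAccessor only on these resources, and no
# project-level binding is created.
resource "google_secret_manager_secret_iam_member" "service_a_accessor" {
  for_each  = local.service_a_secrets
  project   = var.project_id
  secret_id = google_secret_manager_secret.this[each.key].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.service-a.email}"
}
```

Adding a secret to `local.secrets` with `service = "service-a"` adds a binding on the next apply; removing the label removes it. To confirm the effective scope, run `gcloud secrets get-iam-policy SECRET_ID --project=PROJECT_ID` on a service-b secret and check that the service account is absent, and check the project-level policy with `gcloud projects get-iam-policy PROJECT_ID` for any broader `secretAccessor` grant that would override the intent.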
This is not currently possible, but it's on the roadmap for 2020.