Accessing Google Secrets from an application running on a Google Cloud VM instance - Assigning Cloud APIs to VM
I'm using Google Secrets to store API keys and other application specific "secrets". When I deploy my application to a VM instance using a docker container, I want it to access the Google Secrets using the VM's associated service account.
I have gotten this working using the following:
- Assigning the "Secret Manager Secret Accessor" permission to the Service Account.
- Giving my VM access to all APIs:
From a security perspective and recommended best practice, I don't want to give access to all APIs. The default access option doesn't work and I can't figure out from the list which options to enable to allow access to Google Secrets from my VM.
TLDR - Which Cloud API(s) do I need to give my Google Compute VM instance access to so that it can access Google Secrets without giving it access to all of the Cloud APIs?
According to the Secret Manager documentation, you need the cloud-platform OAuth scope.
Note: To access the Secret Manager API from within a Compute Engine instance or a Google Kubernetes Engine node (which is also a Compute Engine instance), the instance must have the cloud-platform OAuth scope. For more information about access scopes in Compute Engine, see Service account permissions in the Compute Engine documentation.
I'm not sure you can set this scope in the web UI, though you can set it through the command line.
Possible Alternative
What I do, rather than setting scopes on VMs, is create a service account specifically for the VMs (instead of using the default service account) and then give this service account access to specific resources (like the specific Secrets it should have access to, rather than all of them). When you do this in the web UI, the access scopes disappear and you are instructed to use IAM roles to control VM access like so:
- Google Compute Engine and ADC Application Default Credentials
- Is there a way to connect cloud firestore to realtime database using Cloud functions?
- Pyspark on GCP Dataproc - Partial reading of data for gzip encoded Cloud Storage files
- Google Cloud Functions - ImportError: cannot import name 'InvalidKeyError' from 'jwt.exceptions'
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Realtime database `onValueWritten` event does not trigger in emulator
- Error 400: invalid_scope with Postman and Google OAuth2
- Firebase Firestore REST Request - Query and Filter
- `IAM_PERMISSION_DENIED` on a deployed service on GCP, but no errors on localhost
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- Restricting usage for an Android key for a Google API
- Google Cloud Function The request was aborted because there was no available instance
- How to properly create URL Masking for Cloud Functions to create a NEG?
- Deploying an Angular app on Google Cloud with minimal costs
- Cloud Run For Anthos With Terraform
- Flagging a row in new column based on conditions on previous and current rows
- Cant access Firebase Admin SDK via Node.js on my VPS, but I can on my local machine
- TypeError: __call__() missing 1 required positional argument: 'context' error when deploying on GCP
- Why GCP loadbalancer frontend has only two ports enabled?
- New Google place api using google OAuth, ask failed to refresh token
- Is it possible to display context of the search result in gcp logging
- Is there float32 precision on Google TPU?
- BigQuery : is it possible to iterate over an array?
- oauth 2 parameters can only have a single value: scope
- Correct use of gcloud --sort-by combined with --limit
- Is PIVOT Operator supported in Big Query Materialized view?
- App attestation failed with Firebase App check in release on Android
- Why doesn't the offline cloud firestore documentation have code for offline query indexes for flutter?
- Migrating from legacy Google FCM to HTTP v1 for push notifications
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console