All my GCP containers use CloudBuild on my-dev-project and access Secret Manager on the same project (my-dev-project). However, one project requires access to Secret Manager on my-prod-project. I imagine I need to add a service account, but I'm not sure how I can go about doing that for CloudBuild when it already has its my-dev-project service account.

Question: How can I access my-prod-project Secret Manager from the my-dev-project CloudBuild?
You can grant the Cloud Build service account from my-dev-project permissions on the secret in my-prod-project. Get the service account's email address for my-dev-project from the IAM console; it will be in the format:

project-number@cloudbuild.gserviceaccount.com

In my-prod-project, find the secret you wish to grant access to and add that email with Secret Accessor permissions.