Tags: yaml, google-cloud-run, google-secret-manager

Cloud Run deploy via YAML fails with "Permission denied on secret"


When deploying my Cloud Run service from the command line using a YAML file containing environment variables as secrets (gcloud.run.services.replace), the deployment fails at the "Routing traffic" stage and emits this error.

    Deployment failed
    ERROR: (gcloud.run.services.replace) spec.template.spec.container.env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/12345678900/secrets/icbm-launch-code/versions/1 for Revision service account [email protected]. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.

I have given the service account mentioned in the error the Secret Manager Secret Accessor role as it says and I have waited hours for consistency.

There's little else I can do. Bug?


Solution

  • I created a new service account and gave it the Secret Manager Secret Accessor role, then in my YAML I set

    spec.template.spec.serviceAccountName: new-service-account@blah
    

    And redeployed, and it worked. It's concerning that the security system is unreliable.
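The error names the service account of the *revision*, which is whatever `spec.template.spec.serviceAccountName` resolves to (the project's default compute service account when it is unset), so the member that holds `roles/secretmanager.secretAccessor` must match that account exactly. The script below is an added pre-deploy check, not code from the question or the answer: it reads a service spec in the shape `gcloud run services describe --format=json` emits, collects every secret the spec references (env `secretKeyRef` entries and secret volumes), and reports the ones the revision service account cannot read according to the secrets' IAM policies. The spec, the policies, the account names (`old-sa`, `new-sa`, `my-project`), the second secret `db-password` and the sample error text are constructed for the example; only secret-level bindings are modelled, not project-level grants.

```python
"""Pre-deploy check: does the revision service account hold
roles/secretmanager.secretAccessor on every secret the Cloud Run spec
references? All inputs below are constructed so the script runs offline;
in practice feed it the JSON from
  gcloud run services describe SERVICE --format=json
  gcloud secrets get-iam-policy SECRET --format=json
"""
import copy
import re

ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

# Matches the gcloud error text quoted in the question.
ERROR_RE = re.compile(
    r"Permission denied on secret: (?P<secret>projects/[^/]+/secrets/[^/]+)"
    r"(?:/versions/\S+)? for Revision service account (?P<sa>\S+)\."
)

# Constructed copy of the error with a constructed account name.
SAMPLE_ERROR = (
    "ERROR: (gcloud.run.services.replace) spec.template.spec.container.env[2]"
    ".value_from.secret_key_ref.name: Permission denied on secret: "
    "projects/12345678900/secrets/icbm-launch-code/versions/1 for Revision "
    "service account old-sa@my-project.iam.gserviceaccount.com. The service "
    "account used must be granted the 'Secret Manager Secret Accessor' role."
)

# Constructed service spec (Knative Service shape used by Cloud Run).
SERVICE = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "launcher"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "old-sa@my-project.iam.gserviceaccount.com",
        "containers": [{
            "image": "gcr.io/my-project/launcher",
            "env": [
                {"name": "MODE", "value": "prod"},
                {"name": "LAUNCH_CODE", "valueFrom": {"secretKeyRef": {
                    "name": "icbm-launch-code", "key": "1"}}},
            ],
        }],
        "volumes": [{"name": "db", "secret": {
            "secretName": "db-password",
            "items": [{"key": "latest", "path": "pw"}]}}],
    }}},
}

# Constructed secret-level IAM policies, keyed by secret name. Only new-sa
# may read icbm-launch-code; both accounts may read db-password.
POLICIES = {
    "icbm-launch-code": {"bindings": [{"role": ACCESSOR_ROLE, "members": [
        "serviceAccount:new-sa@my-project.iam.gserviceaccount.com"]}]},
    "db-password": {"bindings": [{"role": ACCESSOR_ROLE, "members": [
        "serviceAccount:old-sa@my-project.iam.gserviceaccount.com",
        "serviceAccount:new-sa@my-project.iam.gserviceaccount.com"]}]},
}


def parse_error(message):
    """Return (secret resource, revision service account) from the error."""
    m = ERROR_RE.search(message)
    return (m.group("secret"), m.group("sa")) if m else None


def referenced_secrets(service):
    """Secret names used by env secretKeyRef entries and secret volumes."""
    tmpl = service["spec"]["template"]["spec"]
    names = set()
    for container in tmpl.get("containers", []):
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
    for vol in tmpl.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    return names


def revision_service_account(service, project_number):
    """Account new revisions run as: serviceAccountName, or the project's
    default compute service account when it is unset."""
    sa = service["spec"]["template"]["spec"].get("serviceAccountName")
    return sa or f"{project_number}-compute@developer.gserviceaccount.com"


def has_accessor(policy, member):
    return any(b["role"] == ACCESSOR_ROLE and member in b.get("members", [])
               for b in policy.get("bindings", []))


def missing_grants(service, secret_policies, project_number):
    """Sorted names of referenced secrets the revision account cannot read.
    A secret absent from secret_policies is treated as having no bindings."""
    member = "serviceAccount:" + revision_service_account(service, project_number)
    return sorted(n for n in referenced_secrets(service)
                  if not has_accessor(secret_policies.get(n, {}), member))


def with_service_account(service, sa):
    """Copy of the spec with serviceAccountName replaced (the fix in the answer)."""
    fixed = copy.deepcopy(service)
    fixed["spec"]["template"]["spec"]["serviceAccountName"] = sa
    return fixed


if __name__ == "__main__":
    print("error names:", parse_error(SAMPLE_ERROR))
    print("missing with old-sa:", missing_grants(SERVICE, POLICIES, "12345678900"))
    fixed = with_service_account(SERVICE, "new-sa@my-project.iam.gserviceaccount.com")
    print("missing with new-sa:", missing_grants(fixed, POLICIES, "12345678900"))
```

Running it reports `icbm-launch-code` as unreadable for `old-sa` and nothing for `new-sa`, which mirrors the outcome in the answer. Granting the role on the secret itself, as the policies above do, keeps the grant to the one secret the service needs rather than every secret in the project.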