Tags: python, security, google-cloud-platform, google-cloud-functions, cloud-security

How to use non-default Google Service Account credentials with SecretManagerService in Google Cloud Function?


How do I pass non-default Google Service Account credentials to SecretManagerService or SecretManagerServiceClient in Google Cloud Function production environment? Docs are here.

When running locally I can use from google.oauth2.service_account import Credentials then credentials = Credentials.from_service_account_file("some-file.json") and finally secret_client = SecretManagerServiceClient(credentials=credentials) (the client's constructor takes credentials as a keyword argument only). However, when deploying to GCP I don't want the credentials file stored as a json/txt file next to the source code.

If I give the App Engine default service account the Secret Accessor role and use SecretManagerServiceClient() without arguments then the script can access the secrets in deployment but it's via the default service account. I want to use a non-default account with limited scope Secret Manager Secret Accessor only for further security.

I found this related answer, but a quick search of googleapis.dev turned up nothing for SecretManagerServiceClientBuilder.


Solution

  • You have to use ADC (Application Default Credentials) in Cloud Functions and not provide a service account key file.

    Indeed, the default service account of Cloud Functions is the App Engine default service account. To use another service account, you can change the Cloud Function's identity and grant the Secret Accessor permission only to that service account.
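The following is an added example (it is not code from the question or the answer above) showing the pattern the answer describes end to end: the function is deployed under a dedicated service account, that account is granted roles/secretmanager.secretAccessor on one secret only, and the code constructs SecretManagerServiceClient() with no credentials argument so ADC resolves to the function's own identity. The project name (my-project), service account name (secret-reader), secret name (db-password), function name (my-function) and the environment variable names are placeholders chosen for the example. The FakeSecretClient at the bottom is a constructed stand-in so the access logic can be exercised offline; it is not part of the Google client library.

```python
"""Reading a secret in a Cloud Function under a dedicated, non-default identity.

Added example, not from the original question or answer. Assumptions: the
function is deployed with a dedicated service account that holds only
roles/secretmanager.secretAccessor on the single secret it needs, and the
project/secret/function names below are placeholders. No key file is shipped
with the code: the client uses Application Default Credentials, which inside
Cloud Functions resolve to the identity the function was deployed with.

One-time setup, run from a workstation (not from the function):

  gcloud iam service-accounts create secret-reader \
      --project=my-project --display-name="Secret reader for my-function"

  # Bind the role on the secret itself, not on the project, so the identity
  # can read this one secret and nothing else.
  gcloud secrets add-iam-policy-binding db-password \
      --project=my-project \
      --member="serviceAccount:secret-reader@my-project.iam.gserviceaccount.com" \
      --role="roles/secretmanager.secretAccessor"

  gcloud functions deploy my-function \
      --project=my-project --runtime=python311 --trigger-http \
      --entry-point=handler \
      --service-account="secret-reader@my-project.iam.gserviceaccount.com" \
      --set-env-vars="GCP_PROJECT=my-project,SECRET_ID=db-password"
"""
import os
from functools import lru_cache


def secret_version_name(project: str, secret_id: str, version: str = "latest") -> str:
    """Build the resource name Secret Manager expects for a secret version."""
    return f"projects/{project}/secrets/{secret_id}/versions/{version}"


@lru_cache(maxsize=1)
def default_client():
    """Create the real client from ADC: no credentials argument, no key file.

    The import is deferred so the rest of this module can be exercised
    without google-cloud-secret-manager installed.
    """
    from google.cloud import secretmanager

    return secretmanager.SecretManagerServiceClient()


def access_secret(project: str, secret_id: str, version: str = "latest", client=None) -> str:
    """Fetch and decode one secret version using the function's own identity.

    `client` is injectable so the logic can be tested offline. With the real
    client, an identity lacking secretAccessor on this secret gets
    google.api_core.exceptions.PermissionDenied here.
    """
    if client is None:
        client = default_client()
    response = client.access_secret_version(name=secret_version_name(project, secret_id, version))
    return response.payload.data.decode("utf-8")


def handler(request):
    """HTTP Cloud Function entry point (1st gen HTTP function signature)."""
    project = os.environ["GCP_PROJECT"]
    secret_id = os.environ["SECRET_ID"]
    secret = access_secret(project, secret_id)
    # Use the secret server-side only; never echo it back to the caller.
    return f"loaded secret '{secret_id}' ({len(secret)} bytes)", 200


# --- Constructed stand-in for offline testing (not part of the Google library) ---
class _Payload:
    def __init__(self, data: bytes):
        self.data = data


class _Response:
    def __init__(self, data: bytes):
        self.payload = _Payload(data)


class FakeSecretClient:
    """Mimics the single call this module makes and records what was requested."""

    def __init__(self, secrets: dict):
        self.secrets = secrets  # constructed test data: resource name -> bytes
        self.requested = []

    def access_secret_version(self, name: str):
        self.requested.append(name)
        if name not in self.secrets:
            raise KeyError(name)  # real client: PermissionDenied or NotFound
        return _Response(self.secrets[name])
```

One caveat when mapping this onto a real deployment: the answer's statement that the default runtime identity is the App Engine default service account holds for 1st gen Cloud Functions; 2nd gen functions default to the Compute Engine default service account instead. Either way, passing --service-account at deploy time replaces that default, and the function code stays exactly the same because ADC, not the code, decides which identity is used.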