Tags: google-cloud-platform, google-cloud-run, google-secret-manager, widevine

Widevine with Google Cloud Video Transcoder Permissions Denied secretmanager.versions.access


I am working with Widevine with Google Cloud Video Transcoder. My service account already has the Secret Manager Secret Accessor role, and my project is indeed using this service account. I have tested accessing and outputting the secrets in Cloud Run functions, and I can see the secret being printed out in the log. I even tried granting the Owner role to my service account, but still no luck.

In the Job Config of the Google Cloud Video Transcoder doc, I have the encryptions set up like this:

"encryptions": [
  {
    "id": "widevine-cbcs",
    "drmSystems": {
      "widevine": {}
    },
    "mpegCenc": {
      "scheme": "cbcs"
    },
    "secretManagerKeySource": {
      "secretVersion": "projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3"
    }
  }
],

The secret version 3 is also indeed enabled. Everything seems to be in place but I can't figure out what seems to be going wrong here.

Full error msg: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3' (or it may not exist).


Solution

  • According to the documentation:

    You should configure IAM permissions on your secret so that the Transcoder API can access the secret content. To do this, grant the secretmanager.secretAccessor role to the service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com service account.

    service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com is the service agent of the Transcoder API; it is a Google-managed service account that acts on behalf of the service.

    Service agents aren't created in your projects, so you won't see them when viewing your projects' service accounts. You can't access them directly.

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com" \
      --role="roles/secretmanager.secretAccessor"
    

    By default, service agents aren't listed in the IAM page in the Google Cloud console, even if they've been granted a role on your project. To view role grants for service agents, select the Include Google-provided role grants checkbox.
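The check behind this answer, as an added example that is not part of the original post or of any Google tooling: the Transcoder API reads the key as its own service agent, so the IAM policy that matters is the one the agent is bound in, not the one your application service account is bound in. The script below derives the expected agent from the project number embedded in the secretVersion resource name, inspects an IAM policy in the shape returned by gcloud secrets get-iam-policy SECRET --format=json, and prints the secret-scoped gcloud command that grants only what is needed (least privilege, rather than a project-wide binding). It assumes the Transcoder job runs in the same project that owns the secret; the project number 12345 and the secret name come from the question, and the two policies are constructed samples.

```python
"""Diagnose secretmanager.versions.access PermissionDenied for the Transcoder API.

Added example, not code from the original post. Assumes the Transcoder job runs in
the project that owns the secret (project number 12345, from the question). The
IAM policies below are constructed samples shaped like the JSON output of
`gcloud secrets get-iam-policy SECRET --format=json`.
"""
import re
from typing import Dict, Optional

TRANSCODER_AGENT_DOMAIN = "gcp-sa-transcoder.iam.gserviceaccount.com"
SECRET_ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

# secretManagerKeySource.secretVersion must be a full version resource name.
SECRET_VERSION_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/secrets/(?P<secret>[^/]+)/versions/(?P<version>\d+|latest)$"
)


def parse_secret_version(name: str) -> Dict[str, str]:
    """Split a version resource name into its project, secret and version parts."""
    m = SECRET_VERSION_RE.match(name)
    if not m:
        raise ValueError(f"not a Secret Manager version resource name: {name!r}")
    return m.groupdict()


def transcoder_service_agent(project_number: str) -> str:
    """Google-managed service agent that the Transcoder API runs as."""
    return f"service-{project_number}@{TRANSCODER_AGENT_DOMAIN}"


def has_binding(policy: Dict, member: str, role: str) -> bool:
    """True if `member` holds `role` through an unconditional binding in `policy`."""
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            # A conditional grant may not apply at access time, so it is not
            # treated as proof that the agent can read the secret.
            continue
        if binding.get("role") == role and member in binding.get("members", []):
            return True
    return False


def diagnose(secret_version: str, transcoder_project_number: str,
             secret_policy: Dict, project_policy: Optional[Dict] = None,
             version_state: str = "ENABLED") -> Dict[str, str]:
    """Explain why the Transcoder agent cannot read `secret_version`, with a fix."""
    parts = parse_secret_version(secret_version)
    member = "serviceAccount:" + transcoder_service_agent(transcoder_project_number)

    # The error text says "(or it may not exist)": a disabled or destroyed version
    # produces the same PermissionDenied, so check the version state first.
    if version_state != "ENABLED":
        return {"status": "version_not_enabled", "member": member,
                "fix": f"gcloud secrets versions enable {parts['version']} "
                       f"--secret={parts['secret']} --project={parts['project']}"}

    # A binding on the secret itself or one inherited from the project both work.
    if has_binding(secret_policy, member, SECRET_ACCESSOR_ROLE) or (
            project_policy is not None
            and has_binding(project_policy, member, SECRET_ACCESSOR_ROLE)):
        return {"status": "ok", "member": member, "fix": ""}

    # Least privilege: bind the agent on this one secret, not on the whole project.
    fix = (f"gcloud secrets add-iam-policy-binding {parts['secret']} "
           f"--project={parts['project']} --member={member} --role={SECRET_ACCESSOR_ROLE}")
    return {"status": "agent_missing_accessor", "member": member, "fix": fix}


SECRET_VERSION = "projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3"
PROJECT_NUMBER = "12345"

# Constructed sample: the situation in the question. The application's own service
# account can read the secret (hence the successful Cloud Run test), but the
# Transcoder service agent is not bound anywhere.
POLICY_BEFORE = {
    "bindings": [
        {"role": SECRET_ACCESSOR_ROLE,
         "members": ["serviceAccount:my-app@my-project.iam.gserviceaccount.com"]},
    ],
}

# Constructed sample: the same secret after the agent has been granted the role.
POLICY_AFTER = {
    "bindings": [
        {"role": SECRET_ACCESSOR_ROLE,
         "members": ["serviceAccount:my-app@my-project.iam.gserviceaccount.com",
                     "serviceAccount:service-12345@gcp-sa-transcoder.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        result = diagnose(SECRET_VERSION, PROJECT_NUMBER, policy)
        print(f"{label}: {result['status']} {result['fix']}".rstrip())
```

Run it against the real policy by piping `gcloud secrets get-iam-policy TEST_ENCRYPTION_KEY --project=12345 --format=json` into `json.load` and passing the result as `secret_policy`; if the Transcoder job runs in a different project from the secret, pass that project's number as `transcoder_project_number`, since the agent is named after the project the job runs in, not the project that owns the secret.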