I am working with Widevine with Google Cloud Video Transcoder. My service account already has the Secret Manager Secret Accessor role and my project is indeed using this service account. I have tested accessing and outputting the secrets in Cloud Run functions and I can see the secret being printed out in the log. I even tried granting the Owner role to my service account, but still no luck.
In the Job Config of the Google Cloud Video Transcoder doc, I have the encryptions set up like this:
"encryptions": [
  {
    "id": "widevine-cbcs",
    "drmSystems": {
      "widevine": {}
    },
    "mpegCenc": {
      "scheme": "cbcs"
    },
    "secretManagerKeySource": {
      "secretVersion": "projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3"
    }
  }
],
The secret version 3 is also indeed enabled. Everything seems to be in place but I can't figure out what seems to be going wrong here.
Full error msg: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3' (or it may not exist).
1 Answer
According to the documentation:
You should configure IAM permissions on your secret so that the Transcoder API can access the secret content. To do this, grant the secretmanager.secretAccessor role to the [email protected] service account.
[email protected] is the service agent of the Transcoder API; it is a Google-managed service account that acts on behalf of a service.
Service agents aren't created in your projects, so you won't see them when viewing your projects' service accounts. You can't access them directly.
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:[email protected]" \
--role="roles/secretmanager.secretAccessor"
By default, service agents aren't listed in the IAM page in the Google Cloud console, even if they've been granted a role on your project. To view role grants for service agents, select the Include Google-provided role grants checkbox.
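The point of the answer is that the role must sit on the *service agent*, not on the caller's own service account. The following is an added example (not from the question, the answer, or Google's own tooling) that reads a secret's IAM policy as exported by `gcloud secrets get-iam-policy SECRET --format=json`, checks whether the Transcoder service agent holds secretAccessor on it (directly or inherited from the project), and prints the narrowest fix. The service agent address is assumed to follow the `service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com` pattern, and the sample policies are constructed.

```python
import re
from typing import Optional

SECRET_ACCESSOR = "roles/secretmanager.secretAccessor"
VERSION_RE = re.compile(r"^projects/([^/]+)/secrets/([^/]+)/versions/([^/]+)$")


def parse_secret_version(name: str) -> tuple:
    """Split a secretVersion resource name into (project, secret id, version)."""
    m = VERSION_RE.match(name)
    if not m:
        raise ValueError(f"not a secret version resource name: {name}")
    return m.group(1), m.group(2), m.group(3)


def transcoder_service_agent(project_number: str) -> str:
    # Assumption: the Google-managed Transcoder service agent is named
    # service-PROJECT_NUMBER@gcp-sa-transcoder.iam.gserviceaccount.com.
    return f"serviceAccount:service-{project_number}@gcp-sa-transcoder.iam.gserviceaccount.com"


def members_with_role(policy: dict, role: str) -> set:
    """Members holding `role` in an IAM policy JSON document (bindings -> role/members)."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role for m in b.get("members", [])}


def agent_can_access(secret_version: str, secret_policy: dict,
                     project_policy: Optional[dict] = None) -> bool:
    """True if the service agent holds secretAccessor on the secret or on its project.
    Assumes the project segment of the path is the project *number*; if it is a
    project ID, build the agent name from the number instead."""
    project, _, _ = parse_secret_version(secret_version)
    granted = members_with_role(secret_policy, SECRET_ACCESSOR)
    if project_policy:
        granted |= members_with_role(project_policy, SECRET_ACCESSOR)
    return transcoder_service_agent(project) in granted


def remediation(secret_version: str) -> str:
    """gcloud command granting the role on this one secret (narrower than project-wide)."""
    project, secret, _ = parse_secret_version(secret_version)
    return (f"gcloud secrets add-iam-policy-binding {secret} --project={project} "
            f"--member={transcoder_service_agent(project)} --role={SECRET_ACCESSOR}")


# Constructed sample: the asker's situation, with the role on their own service account
# (hypothetical name) but not on the service agent, and the corrected policy beside it.
SECRET_VERSION = "projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3"
OWN_SA = "serviceAccount:my-app@my-project.iam.gserviceaccount.com"
ASKER_POLICY = {"bindings": [{"role": SECRET_ACCESSOR, "members": [OWN_SA]}]}
FIXED_POLICY = {"bindings": [{"role": SECRET_ACCESSOR,
                              "members": [OWN_SA, transcoder_service_agent("12345")]}]}

if __name__ == "__main__":
    if not agent_can_access(SECRET_VERSION, ASKER_POLICY):
        print("service agent lacks secretAccessor; fix with:\n  " + remediation(SECRET_VERSION))
```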
/projects/12345 but generally fully-qualified resource names use Project ID not Project Number. Are you confident you have the correct path? – DazWilkin Commented Feb 17 at 3:26
[email protected], which is also the default compute service account. It has already been granted the secretmanager.secretAccessor role. Not only that, my app engine default service account, compute engine default service account also has the role. My cloud run function is using another service account that I defined under edit > runtime settings -> runtime service account. This service account also has the secretAccessor role. – HNG Commented Feb 17 at 11:16