We want to implement tenancy in Secret Manager within a single GCP project. The approach we’re considering is:

Using different service accounts for each tenant.

• Granting each service account access only to specific secrets via IAM policies.
• While this ensures proper access control, there’s no physical separation of data since everything remains within the same project.

Would this approach meet compliance requirements, or should we be considering additional measures? Are there any best practices or potential risks we should be aware of?

Looking forward to your insights!