Google Cloud Platform Secret Manager API 403 Error
In our project that runs in the Google Cloud Platform (GCP) we are seeing the following HTTP 403 error in the Google Cloud Console / APIs & Services:
google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion
I'm trying to figure out what exactly is causing the error, but I can not find anything in the Google Cloud Console / Log Explorer. I tried using this query:
resource.type="audited_resource"
protoPayload.serviceName="secretmanager.googleapis.com"
protoPayload.status.code>=400
I also tried this via the termin:
gcloud logging read 'protoPayload.status.code=403' --project="my-project" --format="json"
Now I'm running out of ideas. The problem occured first on August 8th, 2024 around 6:00a.m. Central European Summer Time (CEST).
I'm grateful for any idea!
In order to query Secret Manager you may need to enable Data Access audit logs for Secret Manager.
See Secret Manager Audit Logging which explains which permission types gets which service methods.
However please note: when I tried this, my data access audit logs don't include
authenticationInfo(and so noprincipalEmail). This may be a requirement|consequence of Data Access audit logs with Secret Manager service (I'm not sure) and so, enabling these logs may be helpful but not conclusive as you won't know who|what made the erroneous calls.
Browse: https://console.cloud.google.com/iam-admin/audit?project=${PROJECT}
And enable "Admin Read", "Data Read" and|or "Data Write"
You should then see cloudaudit.googleapis.com%2Fdata_access added to your logs:
gcloud logging list --project=${PROJECT}
NAME
projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Factivity
projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access
And can, e.g.:
FILTER="
log_id(\"cloudaudit.googleapis.com%2Fdata_access\")
severity=ERROR
"
gcloud logging read "${FILTER}" \
--project=${PROJECT}
insertId: ...
logName: projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access
protoPayload:
'@type': type.googleapis.com/google.cloud.audit.AuditLog
authenticationInfo: {}
authorizationInfo:
- permission: secretmanager.secrets.get
permissionType: ADMIN_READ
resourceAttributes:
name: projects/{NUMBER}/secrets/{NAME}
service: secretmanager.googleapis.com
type: secretmanager.googleapis.com/Secret
methodName: google.cloud.secrets.v1beta1.SecretManagerService.GetSecret
request:
'@type': type.googleapis.com/google.cloud.secrets.v1beta1.GetSecretRequest
name: projects/{PROJECT}/secrets/{NAME}
requestMetadata:
callerIp: ...
callerSuppliedUserAgent: ...
destinationAttributes: {}
requestAttributes:
auth: {}
time: '2024-08-09T00:00:00.00000000Z'
resourceName: projects/{NUMBER}/secrets/{NAME}
serviceName: secretmanager.googleapis.com
status:
code: 7
message: PERMISSION_DENIED
receiveTimestamp: '2024-08-09T00:00:00.000000000Z'
resource:
labels:
method: google.cloud.secrets.v1beta1.SecretManagerService.GetSecret
project_id: {PROJECT}
service: secretmanager.googleapis.com
type: audited_resource
severity: ERROR
timestamp: '2024-08-09T00:00:00.000000000Z'
I don't understand why authenticationInfo is empty.
This may (!?) be a consequence of Data Access logging.
- Google Cloud Platform: SSH to Google cloud instance will have "Permission denied (publickey)"
- Unable to assign iam.serviceAccounts.signBlob permission
- how to disable soft delete from a GCS bucket
- GCP load balancer 502 server error and "backend_connection_closed_before_data_sent_to_client" IIS 10
- Duplicate events in Eventarc triggered Google Cloud Run service
- Extract a string value from a JSON field in GCP log analytics
- GitLab LDAP Authentication Issues (SSL_connect, user auth)
- I got this error when i try to SignIN[GSI_LOGGER-TOKEN_CLIENT]: The OAuth token was not passed to gapi.client - Flutter,GoogleSignIn
- How to Setup Different Maintenance windows for Node Pools Within the Same GKE
- Understanding customer and service producer VPC networks in Private Service Access
- Why is BigQuery so slow on non-large data sizes?
- Is it possible to identify who triggered a GCB build?
- GCP - How do you create a URL Redirect path rule with gcloud url-maps?
- "Unsupported service account" errors from gcloud when deploying --gen2 functions with --build-service-account
- How to decode Google CloudEvent data?
- How to connect to GCP VM instance with password using SSH?
- testing google sheet editor addon fails with error 403
- Google Cloud SQL connection to flutter
- New Trace and Span Generated even after using TraceId and SpanID from Remote Context
- I can't get Future to complete with a value
- Connecting to Endpoint API on Android Client
- Post Count not updating in firebase react
- Previously successful Cloud Run Service & Job deploy process with resource level IAM grants not working anymore for certain projects
- "Deadline" error when embedding video with Google Vertex AI multimodal embedding modal
- Firebase function deployment timing out
- Deploying to GCP App Engine from terminal produces contradictory error messages
- Stripe Error: No signatures found matching the expected signature for payload
- Firestore .where + Filter.and queries not working
- How to use Google Cloud Firestore local emulator for python and for testing purpose
- How to serialize a ComputeRoutesResponse