
Widevine with Google Cloud Video Transcoder Permissions Denied secretmanager.versions.access

I am working with Widevine with Google Cloud Video Transcoder. My service account already has the Secret Manager Secret Accessor role and my project is indeed using this service account. I have tested accessing and outputting the secrets in cloud run functions and I can see the secret being printed out in the log. I even tried granting the owner role to my service account, but still no luck.

In the Job Config of Google Cloud Video Transcoder doc, I have the encryptions setup like this:

"encryptions": [
    {
      "id": "widevine-cbcs",
      "drmSystems": {
        "widevine": {}
      },
      "mpegCenc": {
        "scheme": "cbcs"
      },
      "secretManagerKeySource": {
        "secretVersion": "projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3"
      }
    }
]

The secret version 3 is also indeed enabled. Everything seems to be in place but I can't figure out what seems to be going wrong here.

Full error msg: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/12345/secrets/TEST_ENCRYPTION_KEY/versions/3' (or it may not exist).


  • According to the documentation:

    You should configure IAM permissions on your secret so that the Transcoder API can access the secret content. To do this, grant the secretmanager.secretAccessor role to the service account. is the service agent of transcoder api, it is a Google-managed service account that acts on behalf of a service.

    Service agents aren't created in your projects, so you won't see them when viewing your projects' service accounts. You can't access them directly.

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="" \
      --role="roles/secretmanager.secretAccessor"

    By default, service agents aren't listed in the IAM page in the Google Cloud console, even if they've been granted a role on your project. To view role grants for service agents, select the Include Google-provided role grants checkbox.
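
A check that makes the answer's point concrete, as an added example rather than code from the question, the answer or Google's documentation: given the JSON printed by `gcloud projects get-iam-policy` and `gcloud secrets get-iam-policy` with `--format=json`, it reports whether the Transcoder service agent, rather than the caller's own service account, holds the accessor role. The service agent address format in `transcoder_agent`, the `my-app` account name and all sample policies are assumptions constructed for illustration.

```python
import json

ACCESSOR_ROLE = "roles/secretmanager.secretAccessor"

def transcoder_agent(project_number):
    # Assumption: address format of the Transcoder service agent (not on this page).
    return ("serviceAccount:service-%s@gcp-sa-transcoder.iam.gserviceaccount.com"
            % project_number)

def role_members(policy, role=ACCESSOR_ROLE):
    """Map each member bound to `role` to True if all of its grants are conditional."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            # One unconditional grant is enough to make the member unconditional.
            found[member] = found.get(member, True) and conditional
    return found

def diagnose(project_number, *policies):
    """Return 'granted', 'conditional' or 'missing' for the Transcoder agent."""
    agent = transcoder_agent(project_number)
    states = [role_members(p)[agent] for p in policies if agent in role_members(p)]
    if not states:
        return "missing"
    return "conditional" if all(states) else "granted"

# Constructed sample: the project policy as the question describes it, where
# only the user's own service account (hypothetical name) holds the role.
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["serviceAccount:my-app@my-project.iam.gserviceaccount.com"]}
]}""")
SECRET_POLICY = json.loads('{"bindings": []}')  # constructed: no secret-level grants

# Constructed sample: the project policy after the binding from the answer.
FIXED_PROJECT_POLICY = {"bindings": [
    {"role": ACCESSOR_ROLE,
     "members": ["serviceAccount:my-app@my-project.iam.gserviceaccount.com",
                 transcoder_agent("12345")]}]}

if __name__ == "__main__":
    print(diagnose("12345", PROJECT_POLICY, SECRET_POLICY))
    print(diagnose("12345", FIXED_PROJECT_POLICY, SECRET_POLICY))
```

A `conditional` result means the only grants to the service agent carry an IAM condition, so access still depends on that condition evaluating to true for the secret version the job requests.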