Question posted in 
I’m trying to migrate my code from using API keys stored in the .env file to using Google Cloud Platform Secrets Manager. I’ve followed the instructions here but I encounter an error saying that I don’t have permissions to access the secret.
import * as admin from "firebase-admin"
import { SecretManagerServiceClient } from "@google-cloud/secret-manager"
admin.initializeApp()
const secretClient = new SecretManagerServiceClient()
async function main() {
async function getSecret(): Promise<string | null | undefined> {
const [version] = await secretClient.accessSecretVersion({ name: "TELEGRAM_TOKEN" })
return version.payload?.data?.toString()
}
const TELEGRAM_TOKEN = await getSecret()
console.log(TELEGRAM_TOKEN)
}
main().catch(console.error)
And that’s the error I get:
> node lib/app.js --telegram
{ Error: 7 PERMISSION_DENIED: Permission denied on resource project TELEGRAM_TOKEN.
at Object.callErrorFromStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call.js:30:26)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client.js:174:52)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:340:141)
at Object.onReceiveStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:303:181)
at Http2CallStream.outputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:114:27)
at Http2CallStream.maybeOutputStatus (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:153:22)
at Http2CallStream.endCall (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:140:18)
at Http2CallStream.handleTrailers (/Users/bartekpacia/dev/node/telegram-lang-enforcer/node_modules/@grpc/grpc-js/build/src/call-stream.js:262:14)
at ClientHttp2Stream.emit (events.js:198:13)
at emit (internal/http2/core.js:265:8)
code: 7,
details: 'Permission denied on resource project TELEGRAM_TOKEN.',
metadata:
Metadata {
internalRepr:
Map {
'google.rpc.help-bin' => [Array],
'grpc-status-details-bin' => [Array],
'grpc-server-stats-bin' => [Array] },
options: {} },
note:
'Exception occurred in retry method that was not classified as transient' }
I did create a Service Account with "Owner" permissions, downloaded it and made export GOOGLE_APPLICATION_CREDENTIALS=/Users/.... My service account .json file location is correctly displayed when I execute echo $GOOGLE_APPLICATION_CREDENTIALS.
I have really no idea what I’m doing wrong.
3
Answers
When you access a secret, you need to specify the project:
should be
I just encountered the same problem and I personally had to add
/versions/latestafter specifying the project name in the secret name.These answers guided me, but it took a long time for me to get this working. You need to enter the
PROJECT_IDand not theProject-Name.Find your Project ID:
The second column here shows the Project ID:
Now use that and run the script