0

I'm trying to connect to get a secret from google's secrets manager, and the same code works for Cloud Functions, but not for App Engine.

const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');

const secretManagerServiceClient = new SecretManagerServiceClient();
const name = 'projects/000000000000/secrets/database/versions/latest';

exports.testSecretManager = async (req, res) => {
  const [version] = await secretManagerServiceClient.accessSecretVersion({ name });
  const payload = version.payload.data.toString();
  console.debug(`Payload: ${payload}`);
  res.sendStatus(200);
};

The same code works fine when I deploy it as a function.

enter image description here

But when I run the same code as a part of App Engine application. It fails with this error:

Error: 16 UNAUTHENTICATED: Failed to retrieve auth metadata with error: Could not refresh access token: Unsuccessful response status code. Request failed with status code 500
    at Object.callErrorFromStatus (/workspace/node_modules/@grpc/grpc-js/build/src/call.js:31:26)
    at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client.js:180:52)
    at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:365:141)
    at Object.onReceiveStatus (/workspace/node_modules/@grpc/grpc-js/build/src/client-interceptors.js:328:181)
    at /workspace/node_modules/@grpc/grpc-js/build/src/call-stream.js:182:78
    at processTicksAndRejections (node:internal/process/task_queues:78:11)

I believe both Cloud Functions and App Engine are managed by the same service account “App Engine default service account”. And it has rights.

It seems like GOOGLE_APPLICATION_CREDENTIALS is missing from the environment.

console.log(process.env.GOOGLE_APPLICATION_CREDENTIALS); gives me undefined. Can this be a reason? How do I pass this environment to app engine then?

How can I deeper debug this?

Konstantin Bodnia
  • 1,372
  • 3
  • 20
  • 43
  • The is no GOOGLE_APPLICATION_CREDENTIALS env vars on Google Cloud environment, you have metadata servers. App Engine is a quite old environment and sometime has strange behavior. Can you share your app.yaml file, the service account that you use and the App Engine generation (2nd I guess but let us know)? – guillaume blaquiere Feb 07 '22 at 12:15
  • Please find [a response here](https://stackoverflow.com/a/58423252/16313960). The [official Google documentation](https://cloud.google.com/secret-manager/docs/using-other-products) doesn't list GAE as a directly supported product, however, GCE/GKE are supported out of the box, if that's an option for you. – Gourav B Sep 16 '22 at 08:54

2 Answers2

0

Make sure that Secret Manager Secret Accessor role is granted to the Service Account from IAM for the App Engine. The exact role you would need to add is: roles/secretmanager.secretAccessor. You may refer here for more details.

Also, have a look at this Stackoverflow case.

Mousumi Roy
  • 609
  • 1
  • 6
0

The Google Cloud documentation notes:

To use Secret Manager with workloads running on App Engine, you must grant any required permissions to the App Engine service.

I can verify that it worked correctly in my case (although I did have to specify the correct app ID in my secret request, and enable the Secret Accessor role for the service account in the IAM console.)

Tad
  • 4,668
  • 34
  • 35