hi, Question on using gcp.secretmanager.Secret. Using the following code i'm getting an 403:

# Create the secret 
secret = secretmanager.Secret("my-password",
    project = project.name,                          
    replication=secretmanager.SecretReplicationArgs(
        user_managed=secretmanager.SecretReplicationUserManagedArgs(
            replicas=[
                secretmanager.SecretReplicationUserManagedReplicaArgs(
                    location="us-east1",
                ),
            ],
        ),
    ),
    secret_id="secret")

I have tried adding secret manager roles to the default compute service account, but that doesn't work. Any help with this would be appreciated!

gcp:secretmanager:Secret (my-password):
    error: 1 error occurred:
    	* Error creating Secret: googleapi: Error 403: Permission denied on resource project xxxxxxxx.
    Details:
    [
      {
        "@type": "<http://type.googleapis.com/google.rpc.Help|type.googleapis.com/google.rpc.Help>",
        "links": [
          {
            "description": "Google developer console API key",
            "url": "<https://console.developers.google.com/project/xxxxxxxx/apiui/credential>"
          }
        ]
      },
      {
        "@type": "<http://type.googleapis.com/google.rpc.ErrorInfo|type.googleapis.com/google.rpc.ErrorInfo>",
        "domain": "<http://googleapis.com|googleapis.com>",
        "metadata": {
          "consumer": "projects/xxxxxxxx",
          "service": "<http://secretmanager.googleapis.com|secretmanager.googleapis.com>"
        },
        "reason": "CONSUMER_INVALID"
      }
    ]

Hey @average-plastic-1653 ! Couple of quick questions. Are you running Pulumi CLI? Is it being run locally? If so you need to use the gcloud cli to determine which account is active on your machine. The Pulumi provider for GCP will use the logged in credentials to execute the Pulumi up commands. This could mean that it’s logged in as your personal account. Additionally. Google recommends to not use the Default Service account for the provisioning of IaC for anything more than a PoC. It’s always better to create service accounts. Provide permissions to the service account and then grant the service account user role to yourself to use that service account for IaC in development. I believe you will find your issue is that the gcloud cli authenticated account is not the default service account and therefore Pulumi is not using that account when your execute Pulumi up.

Yes I am using the CLI locally; will check that, thanks. Understood on using default service; will create a specific one.

Sweet! Let us know how you go with this!

Still getting the issue 😞 I have confirmed: 1. I'm logged in using jmajor-cntr@soteria.io a. gcloud auth application-default login 2. Active Google project using gcloud config get-value project 3. The default compute SA has: a. Secret Manager Admin b. Secret Manager Secret Accessor c. Secret Manager Secret Version Adder 4. My account has "Editor" and "Service Account User" role assigned 5. ran the config set cmd: a. pulumi config set gcp:project your-gcp-project-id

Good to hear!