Poor Secret manager IAM documentation

Hi, guys.
TL;DR
How to grant access for a single user to multiple secrets, given that they all have the same labels and start with the same prefix?

Description
I’m currently working on a cross-cloud project that will allow creating similar infras on different cloud providers. It is pretty clear why we have chosen Terraform to implement our solution. We already have an infra working on AWS; however, migration to GCP was not smooth. We found out that there is no analogue of the AWS SSM solution. After internal discussions we decided to use GCP Secrets Manager as a KV store. I know that this is not its primary usage, but it perfectly suits our needs.

I’ve been working with Terraform for a while and have experience with GCP, but it’s been a while since I last used it. Maybe my issue is pretty easy to solve, but I’ve got stuck on it and can’t move forward. I’m kinda exhausted trying to figure out how everything works, so I would be more than grateful if someone could give me a helping hand on it.

My current project need is to create a set of resources with the same label and grant a VM instance the option to read all of these (but no other) secrets. I’ve tried to RTFM :sweat_smile: regarding the Secret Manager secret IAM, but the documentation is reaaaally poor. Does anybody here know what resources I should create to grant access to many secrets for a single user? I’ve tried to create a number of iam_binding resources, but no luck - I see no attached policies in the IAM panel.

Many thanks in advance,
Arsenii

This snippet gives roles/viewer on multiple secrets to multiple GCP users using loops. The users could instead be groups, service accounts, etc.

data "google_secret_manager_secret_version" "foo" {
  provider = google-beta
  project  = var.project_id
  secret   = "foo"
}

data "google_secret_manager_secret_version" "bar" {
  provider = google-beta
  project  = var.project_id
  secret   = "bar"
}

locals {
  # Principals that should be able to read the secrets.
  members = ["user:fizz@domain.com", "user:buzz@domain.com"]

  # Build one map entry per (member, secret) pair so a single resource
  # block can create every binding with for_each.
  # A tuple literal is used here; the legacy list() function was removed
  # in Terraform 0.15.
  members_to_secrets = {
    for p in setproduct(
      toset(local.members),
      toset([data.google_secret_manager_secret_version.foo.secret, data.google_secret_manager_secret_version.bar.secret])
    ) :
    "${p[0]}-${p[1]}" => {
      member = p[0]
      secret = p[1]
    }
  }
}

# One non-authoritative IAM member binding per (member, secret) pair.
# The map key (e.g. "user:fizz@domain.com-foo") becomes the resource address.
resource "google_secret_manager_secret_iam_member" "member" {
  provider = google-beta
  for_each = local.members_to_secrets

  project   = var.project_id
  role      = "roles/viewer"
  member    = each.value.member
  secret_id = each.value.secret
}
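For the original question (one VM reading a labelled, prefixed set of secrets and nothing else), here is an added example that is not from either poster: it creates the secrets and their IAM bindings from the same map, so the grant is scoped to exactly those secrets. It assumes google provider 5.x, and the variables var.project_id, var.secret_prefix and var.vm_service_account_email are assumed inputs.

```hcl
# Added example, not from the thread. Assumed variables: var.project_id,
# var.secret_prefix, var.vm_service_account_email (google provider 5.x).

locals {
  # Constructed sample key/value entries; map keys become secret names.
  kv_entries = {
    "db_host" = "db.internal.example"
    "db_port" = "5432"
  }
}

resource "google_secret_manager_secret" "kv" {
  for_each  = local.kv_entries
  project   = var.project_id
  secret_id = "${var.secret_prefix}-${each.key}"

  labels = {
    purpose = "kv-store"
  }

  replication {
    auto {}
  }
}

# Secret payloads are written into Terraform state, so the state backend
# must be encrypted and access-controlled like the secrets themselves.
resource "google_secret_manager_secret_version" "kv" {
  for_each    = local.kv_entries
  secret      = google_secret_manager_secret.kv[each.key].id
  secret_data = each.value
}

# One binding per secret, driven by the same map, so the VM's service
# account can read these secrets only. roles/secretmanager.secretAccessor
# is the least-privilege role for accessSecretVersion; the basic
# roles/viewer role exposes metadata but does not grant payload access.
resource "google_secret_manager_secret_iam_member" "vm_reader" {
  for_each  = google_secret_manager_secret.kv
  project   = var.project_id
  secret_id = each.value.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.vm_service_account_email}"
}
```

After apply, `gcloud secrets get-iam-policy <secret-id> --project <project>` shows the per-secret binding; secret-level bindings do not appear on the project IAM page, which is why they seemed missing in the question.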