Node.js - 在本地访问 Google Secret Manager

Question

I can't seem to figure it out. All I want to do is access a test secret that's been created for me, when locally running my appliction. I was given a service-account.json that looks as follows, which I was told to use for local access, but I can't find any documentation or any other resources that show what to do with the file.

{
  "type": "service_account",
  "project_id": "test-dev-project",
  "private_key_id": "12cea3c45d67d0d89f0ccfca1bede23d4d56c7b8",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBg1234\n-----END PRIVATE KEY-----\n",
  "client_email": "my-secrets-email@test-dev-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-secrets-email%40test-dev-project.iam.gserviceaccount.com"
}

What little I could glean from the docs was that I should "set" its path via Powershell, but even when I do, and then run node index.js again, I still get the exact same error:

Error: 7 PERMISSION_DENIED: Secret Manager API has not been used in project 123456789012 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/secretmanager.googleapis.com/overview?project=123456789012 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

My only other experience with these kinds of service-account files is with Firebase Functions, and there you set the file path as an argument to the app initialization function, so I thought I'd have to do something similar here, but I can't find anything that indicates such.

Here's what my Node project looks like, in its entirety:

// ./index.js
(async() => {
  const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
  const client = new SecretManagerServiceClient();
  const SOME_APIKEY = await client.accessSecretVersion({ name: 'latest' });
  console.log('key:', SOME_APIKEY);
})();

// ./package.json
{
  "name": "google-secret-attempt-17",
  "main": "index.js",
  "scripts": {},
  "dependencies": {
    "@google-cloud/secret-manager": "^3.10.1"
  }
}

// ./service-account.json (already posted its content above)

The steps that I've been trying is:

1. Run $env:GOOGLE_APPLICATION_CREDENTIALS="./service-account.json" in Powershell
2. Run node index.js in Powershell

I've also tried explicitly setting process.env.GOOGLE_APPLICATION_CREDENTIALS = './service-account.json' at the start of my index.js and then running step 2, but that resulted in exactly the same outcome, so I don't know what to do anymore.

Any insight into where I'm going wrong or anything else would be highly appreciated.

Answer 1

Looks like Secrets Manager api is not enabled in the concerned project. Please ask the person who provided the the service-account.json file to visit https://console.developers.google.com/apis/api/secretmanager.googleapis.com/overview?project=123456789012 and enable the API. Once complete you should be able to access the api.