Cloud Identity and Access Management (Cloud IAM) roles prescribe how you can use the Secret Manager API. Below is a list of each Cloud IAM role available for Secret Manager and the capabilities granted to that role.
| Role | Capabilities |
|---|---|
| Secret Manager Admin | Full access to administer Secret Manager resources. |
| Secret Manager Secret Accessor | Allows accessing the payload of secrets. |
| Secret Manager Viewer | Allows viewing metadata of all Secret Manager resources. |
Principle of least privilege
When you follow the principle of least privilege, you grant the minimum level of access to resources required to perform a given task. For example, if a member needs access to a single secret, do not give that member access to other secrets or all secrets in the project or organization. If a member only needs to read a secret, don't grant that member the ability to modify the secret.
You can use Cloud IAM to grant IAM roles and permissions at the level of the Google Cloud organization, folder, project, or secret. Always apply permissions at the lowest level in the resource hierarchy.
This table shows the effective capabilities of a service account, based on the level of the resource hierarchy where the

| Level | Effective capability |
|---|---|
| Organization | Access all secrets in all projects in the organization |
| Folder | Access all secrets in all projects in the folder |
| Project | Access all secrets in the project |
| Secret | Access only that secret |
If a member only needs to access a single secret's value, don't grant that member the ability to access all secrets. For example, you can grant a service account the Secret Accessor role ( on a single secret.
If a member only needs to manage a single secret, don't grant that member the ability to manage all secrets. For example, you can grant a service account the Secret Admin role (roles/secretmanager.admin) on a single secret.
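The following is an added example, not code from the Secret Manager documentation or from Google: a small model of how a role binding inherits down the organization, folder, project and secret levels, used to show which secrets a member can read depending on where `roles/secretmanager.secretAccessor` is granted, plus a least-privilege check that flags accessor grants made above the secret level. The hierarchy, member names and bindings are constructed sample data.

```python
# Added example, not from the Secret Manager docs: a small model of IAM role
# inheritance down the resource hierarchy, showing which secrets a member can
# read depending on where roles/secretmanager.secretAccessor is granted.
from dataclasses import dataclass, field

ACCESSOR = "roles/secretmanager.secretAccessor"

@dataclass
class Node:
    """One hierarchy level: 'organization', 'folder', 'project' or 'secret'."""
    name: str
    kind: str
    children: list = field(default_factory=list)
    bindings: dict = field(default_factory=dict)  # role -> set of members

def grant(node, role, member):
    node.bindings.setdefault(role, set()).add(member)

def secrets_readable_by(node, member, inherited=False):
    """Secrets under `node` that `member` can access; a binding on an ancestor
    is inherited by every descendant, as in the hierarchy table."""
    allowed = inherited or member in node.bindings.get(ACCESSOR, set())
    if node.kind == "secret":
        return {node.name} if allowed else set()
    found = set()
    for child in node.children:
        found |= secrets_readable_by(child, member, allowed)
    return found

def overbroad_accessor_grants(node):
    """Least-privilege check: accessor grants made above the secret level."""
    hits = [(m, node.kind, node.name)
            for m in node.bindings.get(ACCESSOR, set()) if node.kind != "secret"]
    for child in node.children:
        hits.extend(overbroad_accessor_grants(child))
    return hits

def build_sample_hierarchy():
    """Constructed sample data: one org, one folder, two projects, three secrets."""
    db_pw, api_key = Node("db-password", "secret"), Node("api-key", "secret")
    signing = Node("signing-key", "secret")
    prod = Node("prod-project", "project", [db_pw, api_key])
    shared = Node("shared-project", "project", [signing])
    org = Node("example-org", "organization",
               [Node("platform-folder", "folder", [prod, shared])])
    # Least privilege: the app needs only db-password, so bind on that secret.
    grant(db_pw, ACCESSOR, "serviceAccount:app@example.iam.gserviceaccount.com")
    # Over-broad: a project-level grant reaches every secret in prod-project.
    grant(prod, ACCESSOR, "serviceAccount:ci@example.iam.gserviceaccount.com")
    return org
```

Running `secrets_readable_by` for the two sample service accounts shows the secret-level grant reaching one secret while the project-level grant reaches every secret in that project, and `overbroad_accessor_grants` reports only the latter.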