GCP Secret Manager reader role with condition

Hey,

curious if anyone had the same issue and found the solution. I’m trying to create a role binding with condition which would limit access to secrets with prefix only, i.e. testing_n8n.

My custom role has the following permissions:

resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.locations.get
secretmanager.locations.list
secretmanager.secrets.get
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.secrets.listEffectiveTags
secretmanager.secrets.listTagBindings
secretmanager.versions.get
secretmanager.versions.list

And the condition I use is:

resource.name.startsWith("projects/automation-435909/secrets/testing_n8n")

The problem is: whenever I set the condition I start getting a "Request failed with status code 400" error in n8n when I try to reload secrets. But when I remove the condition it starts working. Any ideas what might be wrong here?

  • n8n version: 1.81.0
  • Database (default: SQLite): Postgres (inside Docker Compose)
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker Compose
  • Operating system: Ubuntu 24.04
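An added illustration (not from the original post, n8n or Google) of why a plain resource.name prefix condition can break a "reload secrets" flow: a secrets.list call is authorized against the parent project, whose name never starts with "projects/.../secrets/testing_n8n", while get calls are authorized against the individual secret or version. The script below is a simplified offline model of that evaluation, not Google's IAM engine. Assumptions to verify against the Secret Manager IAM conditions documentation and the IAM Policy Troubleshooter: the resource.type strings, that list is checked on the project, and that condition resource names use the project number (the constructed value 123456789012 below) rather than the project ID. The secret names are constructed samples.

```python
"""Simplified model of evaluating a resource.name IAM condition against the
resource each Secret Manager call is authorized on (added example, not
Google's evaluator)."""

# Constructed sample project number; Secret Manager condition resource names are
# documented with the project number, so check that before copying a project ID.
PROJECT_NUMBER = "123456789012"
PREFIX = f"projects/{PROJECT_NUMBER}/secrets/testing_n8n"

# Assumed resource.type values for the three resource kinds involved.
PROJECT_TYPE = "cloudresourcemanager.googleapis.com/Project"
SECRET_TYPE = "secretmanager.googleapis.com/Secret"
VERSION_TYPE = "secretmanager.googleapis.com/SecretVersion"

# (permission, resource.type, resource.name) for calls a secrets reload makes.
# Only permissions that are in the custom role from the post are used here.
# Assumption: list is checked on the parent project, get on the secret/version.
REQUESTS = [
    ("secretmanager.secrets.list", PROJECT_TYPE, f"projects/{PROJECT_NUMBER}"),
    ("secretmanager.secrets.get", SECRET_TYPE,
     f"projects/{PROJECT_NUMBER}/secrets/testing_n8n_api"),
    ("secretmanager.versions.get", VERSION_TYPE,
     f"projects/{PROJECT_NUMBER}/secrets/testing_n8n_api/versions/1"),
    ("secretmanager.secrets.get", SECRET_TYPE,
     f"projects/{PROJECT_NUMBER}/secrets/prod_db_password"),
    # startsWith has no separator awareness: this name also matches the prefix.
    ("secretmanager.secrets.get", SECRET_TYPE,
     f"projects/{PROJECT_NUMBER}/secrets/testing_n8nX"),
]


def prefix_only(rtype: str, rname: str) -> bool:
    """The condition from the post, as a Python predicate."""
    return rname.startswith(PREFIX)


def prefix_with_project_list(rtype: str, rname: str) -> bool:
    """Broadened condition: allow project-level calls (list), keep the prefix
    restriction for secret- and version-level calls."""
    return rtype == PROJECT_TYPE or rname.startswith(PREFIX)


def cel_for_broadened_condition() -> str:
    """The CEL text that corresponds to prefix_with_project_list (assumed
    resource.type string; verify against the GCP docs before use)."""
    return (f'resource.type == "{PROJECT_TYPE}" || '
            f'resource.name.startsWith("{PREFIX}")')


def evaluate(condition) -> dict:
    """Map (permission, resource.name) -> allowed? under the given condition."""
    return {(perm, rname): condition(rtype, rname)
            for perm, rtype, rname in REQUESTS}


if __name__ == "__main__":
    for name, cond in [("prefix only", prefix_only),
                       ("prefix + project list", prefix_with_project_list)]:
        print(f"== {name} ==")
        for (perm, rname), ok in evaluate(cond).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {perm:32} {rname}")
    print("CEL:", cel_for_broadened_condition())
```

The list request is denied under the prefix-only condition and allowed under the broadened one, while prod_db_password stays denied in both. The last entry shows that "testing_n8n" as a bare prefix also matches testing_n8nX, so a trailing separator (or a naming scheme that guarantees one) is worth considering if the intent is a strict namespace. Any real condition change is best confirmed with the IAM Policy Troubleshooter for the n8n service account before relying on it.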

Are you using the External Secrets node or n8n’s native GCP Secret Manager integration?

I’m using native GCP Secret Manager integration
