
[how-to-run-inference-cloud-run-gpu-vllm]: Secret Manager Specified, but cannot gcloud builds submit in correct IAM

Open LiuYuWei opened this issue 6 months ago • 1 comments

When I use

gcloud builds submit --config=cloudbuild.yaml

I cannot get the HF_TOKEN.

starting build "a28645bb-48dc-457c-b0e0-b92af2cfea2e"

FETCHSOURCE
Fetching storage object: gs://leafy-bond-456001-r7_cloudbuild/source/1751427648.545912-519434a2e43a4b659f1a055ec74b390d.tgz#1751427649385822
Copying gs://leafy-bond-456001-r7_cloudbuild/source/1751427648.545912-519434a2e43a4b659f1a055ec74b390d.tgz#1751427649385822...
/ [0 files][ 0.0 B/ 1.0 KiB]
/ [1 files][ 1.0 KiB/ 1.0 KiB]
Operation completed over 1 objects/1.0 KiB.
BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: failed to access secret version for secret projects/leafy-bond-456001-r7/secrets/HF_TOKEN/versions/latest: rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/leafy-bond-456001-r7/secrets/HF_TOKEN/versions/latest' (or it may not exist).

I tried to assign Secret Manager to all users, and then it can run.

LiuYuWei, Jul 02 '25 03:07

Try granting the default compute service account the Secret Manager Accessor role. I've updated the codelab to include this step.

PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

saraford, Oct 03 '25 14:10
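A check a reader may want after applying either fix from this thread, as an added example that is not part of the issue or the codelab: it reads the project policy and the HF_TOKEN secret policy and reports whether the build identity holds `roles/secretmanager.secretAccessor`, and whether that role was granted project-wide or to a broad member. The policies, project number and domain below are constructed samples; the script looks only at this one role and ignores IAM conditions and other roles that also carry `secretmanager.versions.access`.

```python
import json

ACCESSOR = "roles/secretmanager.secretAccessor"
BROAD_PREFIXES = ("allUsers", "allAuthenticatedUsers", "domain:")

# Constructed sample policies (placeholder project number and domain), in the
# JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json`
# and `gcloud secrets get-iam-policy HF_TOKEN --format=json`.
BUILD_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["domain:example.com",
               "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
  {"role": "roles/run.admin", "members": ["user:dev@example.com"]}
]}""")
SECRET_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
]}""")
EMPTY_POLICY = {}  # a policy with no bindings may omit the "bindings" key


def accessor_members(policy):
    """Members bound to the Secret Accessor role in one policy document."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == ACCESSOR:
            members.update(binding.get("members", []))
    return members


def audit(project_policy, secret_policy, build_sa):
    """Return sorted (finding, member) pairs for one secret and one build identity."""
    project = accessor_members(project_policy)
    secret = accessor_members(secret_policy)
    findings = set()
    if build_sa not in project | secret:
        findings.add(("MISSING", build_sa))  # build fails with PermissionDenied
    for member in project:
        findings.add(("PROJECT_WIDE", member))  # can read every secret in the project
    for member in project | secret:
        if member.startswith(BROAD_PREFIXES):
            findings.add(("BROAD_MEMBER", member))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(PROJECT_POLICY, SECRET_POLICY, BUILD_SA):
        print(*finding)
```

An empty result means the build identity is bound on the secret itself and nothing else holds the role, which is the narrowest grant that still clears the `PermissionDenied` error shown in the issue.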