从Docker-nontsop权限拒绝Python访问GCP秘密管理器中的秘密

我正在构建一个简单的应用程序，它将Twilio凭据存储在GCP秘密管理器中，并在需要时将其拉下来。但是，我一直收到项目资源上的拒绝权限错误（403）：

谷歌。api_核心。例外。PermissionDenied:403资源项目的权限被拒绝。

我使用环境变量设置到包含服务号凭据的JSON文件的路径。

以下是我已经尝试过的：

• 确保在GCP控制台中正确设置权限。服务帐户被设置为项目的所有者和项目级别的机密访问器，以及每个机密的对象级别的机密访问器
• 确保环境变量设置正确——我已经验证了ENV变量设置正确，并且可以读取它指向的文件。我可以通过将ENV变量作为JSON文件打开来打印文件的内容
• 通过将我的JSON文件的内容与GCP控制台中的数据进行比较，确认身份验证信息是正确的
• 我使用gcloud CLI登录服务帐户，然后使用CLI命令检索相同的机密
• 我可以成功地访问数据并将数据推送到GCS存储桶，这表明凭据已从ENV变量正确加载
• 我试过用很多方法获取这些秘密。我尝试过其他方法，比如列出项目中的秘密。全部返回权限错误

作为参考，我一直遵循在https://cloud.google.com/secret-manager/docs/reference/libraries#client-图书馆安装了python，并一直在使用官方的客户端图书馆文档来探索其他可能的错误。没有什么能真正帮助我。

我已经阅读了我能找到的所有资源，没有任何帮助。有什么想法吗？

非常感谢。

编辑：在下面添加代码：

def access_secret(project_id, secret_id, version):
    """
    Access a secret- API token, etc- stored in Secret Manager

    Code from https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-access-secret-version-python
    """
    client = secretmanager.SecretManagerServiceClient()

    # Build the resource name of the secret version
    name = client.secret_version_path(project_id, secret_id, version)

    # Access the secret version
    response = client.access_secret_version(name)

    # Return the secret payload
    payload = response.payload.data.decode('UTF-8')

    return payload

EDIT2：这是我运行这段代码的Dockerfile：

FROM python:3.8.2-slim-buster

WORKDIR /build

# Copy in the requirements.txt file and service account credentials
COPY requirements.txt <CREDENTIALS_FILENAME>.json /build/ 

ENV PYTHONUNBUFFERED=1 \
    GOOGLE_APPLICATION_CREDENTIALS=/build/<CREDENTIALS_FILENAME>.json \
    VOICEMAIL_TIMEOUT=55 \
    MULTIRING_TIMEOUT=15 \
    GCS_VM_BUCKET=<MY GCS BUCKET NAME> \
    GCP_PROJECT=<MY GCP PROJECT NAME> \
    PHONE_NUMBER=<PHONE NUMBER> \
    TWILIO_ACCOUNT_SID_VERSION=1 \
    TWILIO_AUTH_TOKEN_VERSION=1

# Install packages
RUN pip install -r requirements.txt

# Navigate to the directory containing the Python code
WORKDIR /code/src/

EXPOSE 5000

# Run the actual Python code
CMD ["python", "main.py"]

稍后，我将编写调用上述函数的Python代码：

GCS_VM_BUCKET = os.environ['GCS_VM_BUCKET']
GCP_PROJECT = os.environ['GCP_PROJECT']

TWILIO_SID = access_secret(GCP_PROJECT, 'TWILIO_ACCOUNT_SID', os.environ['TWILIO_ACCOUNT_SID_VERSION'])
TWILIO_AUTH_TOKEN = access_secret(GCS_PROJECT, 'TWILIO_AUTH_TOKEN', os.environ['TWILIO_AUTH_TOKEN_VERSION'])

其中，TWILIO_ACCOUNT_SID和TWILIO_AUTH_TOKEN是GCP中秘密的名称。

完整错误跟踪：

Traceback (most recent call last):   

File "/usr/local/lib/python3.8/site-packages/google/api_core/grpc_helpers.py", line 57, in error_remapped_callable                                                                                                        return callable_(*args, **kwargs)                                                                                                                                                                                     
File "/usr/local/lib/python3.8/site-packages/grpc/_channel.py", line 826, in __call__                                                                                                                                     
return _end_unary_response_blocking(state, call, False, None)                                                                                                                                                         
File "/usr/local/lib/python3.8/site-packages/grpc/_channel.py", line 729, in _end_unary_response_blocking                                                                                                                 
raise _InactiveRpcError(state)                                                                                                                                                                                      
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:                                                                                                                                                
status = StatusCode.PERMISSION_DENIED                                                                                                                                                                                   
details = "Permission denied on resource project <MY GCP PROJECT NAME>."                                                                                                                                                       
debug_error_string = "{"created":"@1588389938.954039708","description":"Error received from peer ipv4:172.217.12.138:443","file":"src/core/lib/surface
/call.cc","file_line":1056,"grpc_message":"Permission denied on resource 
project <MY GCP PROJECT NAME>.","grpc_status":7}"                                                                                                                                                               >                                                                                                                                                                                                                                                                                                                                                                                                                                               
The above exception was the direct cause of the following exception:                                                                                                                                                                                                                                                                                                                                                                            
Traceback (most recent call last):                                                                                                                                                                                        
File "main.py", line 7, in <module>                                                                                                                                                                                       
from parameters import *                                                                                                                                                                                              
File "/code/src/parameters.py", line 16, in <module>                                                                                                                                                                      
TWILIO_SID = access_secret(GCP_PROJECT, 'TWILIO_ACCOUNT_SID', 
os.environ['TWILIO_ACCOUNT_SID_VERSION'])                                                                                                         
File "/code/src/utils.py", line 46, in access_secret                                                                                                                                                                      
response = client.access_secret_version(name)                                                                                                                                                                         
File "/usr/local/lib/python3.8/site-packages/google/cloud/secretmanager_v1
/gapic/secret_manager_service_client.py", line 963, in access_secret_version                                                                    
return self._inner_api_calls["access_secret_version"](                                                                                                                                                                
File "/usr/local/lib/python3.8/site-packages/google/api_core/gapic_v1
/method.py", line 143, in __call__                                                                                                                   
return wrapped_func(*args, **kwargs)                                                                                                                                                                                  
File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line 
281, in retry_wrapped_func                                                                                                                   
return retry_target(                                                                                                                                                                                                  
File "/usr/local/lib/python3.8/site-packages/google/api_core/retry.py", line 
184, in retry_target                                                                                                                         
return target()                                                                                                                                                                                                       
File "/usr/local/lib/python3.8/site-packages/google/api_core/timeout.py", 
line 214, in func_with_timeout                                                                                                                  
return func(*args, **kwargs)                                                                                                                                                                                          
File "/usr/local/lib/python3.8/site-packages/google/api_core
/grpc_helpers.py", line 59, in error_remapped_callable                                                                                                        
six.raise_from(exceptions.from_grpc_error(exc), exc)                                                                                                                                                                  
File "<string>", line 3, in raise_from                                                                                                                                                                                
google.api_core.exceptions.PermissionDenied: 403 Permission denied on 
resource project <MY GCP PROJECT NAME>.