TechQA.

Check for secretmanager resource labels on condition?

179 views Asked by At

Since secretmanager.googleapis.com/Secret or secretmanager.googleapis.com/SecretVersion doesn't allow attaching tags, thus not allowing resource.matchTag to be used as a IAM condition, I was hoping to be able to check for the existing labels (or even annotations) on the secret itself to serve as a tag.

I tried, in ascending order from the most naive attempt to the desperate one:

resource.labels.tag == "..."
api.getAttribute('secretmanager.googleapis.com/Secret', {})['labels']['tag'] == ".."
api.getAttribute('secretmanager.googleapis.com/Secret/labels', {})['tag'] == ".."
api.getAttribute('secretmanager.googleapis.com/Secret/labels/tag', "") == ".."

None of those worked, even though the documentation says that api.getAttribute() works for secretmanager

google-cloud-platform google-cloud-iam common-expression-language
Original Q&A
1

There are 1 answers

0
Qon007 On

Hei, just come accross this post and did some testing. The correct syntax seems to be:

api.getAttribute('secretmanager.googleapis.com/v1/projects/<project-id>/secrets', []).hasOnly(['labels.<label-key>=<label-value>'])

Related Questions in GOOGLE-CLOUD-PLATFORM

Related Questions in GOOGLE-CLOUD-IAM

Related Questions in COMMON-EXPRESSION-LANGUAGE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions