Since secretmanager.googleapis.com/Secret
or secretmanager.googleapis.com/SecretVersion
doesn't allow attaching tags, thus not allowing resource.matchTag
to be used as a IAM condition, I was hoping to be able to check for the existing labels (or even annotations) on the secret itself to serve as a tag.
I tried, in ascending order from the most naive attempt to the desperate one:
resource.labels.tag == "..."
api.getAttribute('secretmanager.googleapis.com/Secret', {})['labels']['tag'] == ".."
api.getAttribute('secretmanager.googleapis.com/Secret/labels', {})['tag'] == ".."
api.getAttribute('secretmanager.googleapis.com/Secret/labels/tag', "") == ".."
None of those worked, even though the documentation says that api.getAttribute()
works for secretmanager
Hei, just come accross this post and did some testing. The correct syntax seems to be: