Check for secretmanager resource labels on condition?


Since secretmanager.googleapis.com/Secret and secretmanager.googleapis.com/SecretVersion don't allow attaching tags (so resource.matchTag can't be used in an IAM condition), I was hoping to be able to check the existing labels (or even annotations) on the secret itself to serve as a tag.

I tried, in ascending order from the most naive attempt to the desperate one:

resource.labels.tag == "..."
api.getAttribute('secretmanager.googleapis.com/Secret', {})['labels']['tag'] == ".."
api.getAttribute('secretmanager.googleapis.com/Secret/labels', {})['tag'] == ".."
api.getAttribute('secretmanager.googleapis.com/Secret/labels/tag', "") == ".."

None of those worked, even though the documentation says that api.getAttribute() works for secretmanager.


There is 1 answer

Qon007

Hi, I just came across this post and did some testing. The correct syntax seems to be:

api.getAttribute('secretmanager.googleapis.com/v1/projects/<project-id>/secrets', []).hasOnly(['labels.<label-key>=<label-value>'])
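Before attaching a label-based condition to a secret's IAM policy, it is worth previewing locally which secrets the label predicate would actually cover, and building the binding in the shape setIamPolicy expects (policy version 3 is required for conditions). The script below is an added example and is not code from the question or the answer; it assumes the expression format the answer proposes (not independently verified here), and the secret records are constructed sample data shaped like the fields of the Secret resource that list_secrets returns (name and labels). The project id and member are placeholders.

```python
"""Preview which Secret Manager secrets a label-based IAM condition would match,
and build the conditional binding for setIamPolicy.

Assumptions (added example, not from the original post):
  - the CEL expression follows the form given in the answer, which has not
    been independently verified here;
  - SAMPLE_SECRETS is constructed data mimicking list_secrets() output.
"""

from typing import Dict, List

# Constructed sample data: the fields of the Secret resource used here.
SAMPLE_SECRETS: List[Dict] = [
    {"name": "projects/example-project/secrets/db-password",
     "labels": {"tag": "prod", "team": "payments"}},
    {"name": "projects/example-project/secrets/api-key",
     "labels": {"tag": "staging"}},
    {"name": "projects/example-project/secrets/legacy-token",
     "labels": {}},  # unlabelled secret: must never be granted by the condition
]


def condition_expression(project_id: str, label_key: str, label_value: str) -> str:
    """CEL condition in the form suggested by the answer (assumption: unverified)."""
    resource = f"secretmanager.googleapis.com/v1/projects/{project_id}/secrets"
    return (f"api.getAttribute('{resource}', [])"
            f".hasOnly(['labels.{label_key}={label_value}'])")


def secrets_matching_label(secrets: List[Dict], label_key: str, label_value: str) -> List[str]:
    """Local preview of the predicate: names of secrets whose labels carry key=value.

    A secret with no labels, or a different value, does not match, so the
    conditional binding would fail closed for it. Run this over real
    list_secrets() output to audit the blast radius before applying the policy.
    """
    return [s["name"] for s in secrets
            if s.get("labels", {}).get(label_key) == label_value]


def conditional_binding(project_id: str, member: str, role: str,
                        label_key: str, label_value: str) -> Dict:
    """Binding dict in the shape accepted by setIamPolicy (requires policy version 3)."""
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": f"label-{label_key}-{label_value}",
            "description": f"Grant only when the secret is labelled {label_key}={label_value}",
            "expression": condition_expression(project_id, label_key, label_value),
        },
    }


if __name__ == "__main__":
    # Placeholder identifiers; replace with the real project id and principal.
    binding = conditional_binding("example-project", "serviceAccount:app@example-project.iam.gserviceaccount.com",
                                  "roles/secretmanager.secretAccessor", "tag", "prod")
    print("Would match:", secrets_matching_label(SAMPLE_SECRETS, "tag", "prod"))
    print("Binding:", binding)
```

The preview function is the useful part for a reviewer: it shows that only db-password carries tag=prod, and that the unlabelled legacy-token would not be reachable through the conditional binding. The binding itself is added to the policy fetched with getIamPolicy (with requestedPolicyVersion 3) and written back with setIamPolicy.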