Currently GoogleSecretManagerSettingsSource will unconditionally call list_secrets(), which requires secretmanager.secrets.list.
As far as I understand, the only purpose of this list_secrets call is to support case-insensitive matching of the secret names.
In principle, with the current code both IAM roles, Secret Manager Secret Accessor
(roles/secretmanager.secretAccessor) and Secret Manager Viewer
(roles/secretmanager.viewer), are required even when case_sensitive=True.
If the list_secrets step is skipped then it will work with just Secret Manager Secret Accessor
(roles/secretmanager.secretAccessor).
On a related note, maybe it would be nice to document that both Secret Manager Secret Accessor and Secret Manager Viewer are currently required for this to work.
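The behaviour described in the issue, as an added example that is not pydantic-settings' code and not the reporter's. It models a settings source that only calls list_secrets() on the case-insensitive path, so a principal holding only roles/secretmanager.secretAccessor can still resolve a secret when case_sensitive=True. The FakeSecretManagerClient, the PermissionDenied/NotFound stand-ins and the helper names (resolve_secret_id, fetch_setting) are assumptions introduced here so the example runs offline; the client's two methods mirror the request/response shapes of the real google-cloud-secret-manager list_secrets() and access_secret_version() calls, and the permission strings are the real IAM ones.

```python
"""Skip list_secrets() when case-sensitive matching is all that is needed.

Added example, not pydantic-settings' own code. FakeSecretManagerClient is a
hypothetical stand-in for google.cloud.secretmanager.SecretManagerServiceClient
with an IAM permission check bolted on, so the permission requirement of each
code path is visible without touching a real project.
"""
from dataclasses import dataclass
from types import SimpleNamespace


class PermissionDenied(Exception):
    """Stand-in for google.api_core.exceptions.PermissionDenied."""


class NotFound(Exception):
    """Stand-in for google.api_core.exceptions.NotFound."""


# Permissions granted by the two roles under discussion (only those relevant here).
ROLE_SECRET_ACCESSOR = frozenset({"secretmanager.versions.access"})
ROLE_VIEWER = frozenset({"secretmanager.secrets.list", "secretmanager.secrets.get"})


@dataclass
class FakeSecretManagerClient:
    project_id: str
    secrets: dict          # secret id -> latest payload (bytes); constructed sample data
    permissions: frozenset  # what the calling principal is allowed to do

    def _check(self, permission):
        if permission not in self.permissions:
            raise PermissionDenied(f"caller lacks {permission}")

    def list_secrets(self, request):
        # Real call: client.list_secrets(request={"parent": "projects/<id>"})
        self._check("secretmanager.secrets.list")
        parent = request["parent"]
        return [SimpleNamespace(name=f"{parent}/secrets/{sid}") for sid in self.secrets]

    def access_secret_version(self, request):
        # Real call: client.access_secret_version(request={"name": ".../versions/latest"})
        self._check("secretmanager.versions.access")
        secret_id = request["name"].split("/secrets/")[1].split("/versions/")[0]
        if secret_id not in self.secrets:
            raise NotFound(secret_id)
        return SimpleNamespace(payload=SimpleNamespace(data=self.secrets[secret_id]))


def resolve_secret_id(client, field_name, case_sensitive):
    """Map a settings field name to a secret id, or None if nothing matches.

    Only the case-insensitive branch needs the listing (secretmanager.secrets.list);
    the case-sensitive branch uses the field name as the secret id directly and
    therefore needs nothing beyond secretmanager.versions.access downstream.
    """
    if case_sensitive:
        return field_name
    parent = f"projects/{client.project_id}"
    wanted = field_name.lower()
    for secret in client.list_secrets(request={"parent": parent}):
        secret_id = secret.name.rsplit("/", 1)[1]
        if secret_id.lower() == wanted:
            return secret_id
    return None


def fetch_setting(client, field_name, case_sensitive=True):
    """Return the decoded latest value for a field, or None if no such secret exists."""
    secret_id = resolve_secret_id(client, field_name, case_sensitive)
    if secret_id is None:
        return None
    name = f"projects/{client.project_id}/secrets/{secret_id}/versions/latest"
    try:
        response = client.access_secret_version(request={"name": name})
    except NotFound:
        return None
    return response.payload.data.decode()


if __name__ == "__main__":
    # Constructed sample data: one secret, one principal with only the Accessor role.
    accessor_only = FakeSecretManagerClient("demo", {"DB_PASSWORD": b"hunter2"}, ROLE_SECRET_ACCESSOR)
    print(fetch_setting(accessor_only, "DB_PASSWORD", case_sensitive=True))   # works
    try:
        fetch_setting(accessor_only, "db_password", case_sensitive=False)      # needs Viewer
    except PermissionDenied as exc:
        print("case-insensitive lookup failed:", exc)
```

With case_sensitive=True the fetch never touches list_secrets(), so the Accessor role alone is enough; flipping to case_sensitive=False on the same principal fails at the listing step with the missing secretmanager.secrets.list permission, which is exactly the extra grant that Secret Manager Viewer supplies.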