End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Implement Least Privilege Access for Secret Manager Secrets using Cloud IAM

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SecretManager-001

Ensure that IAM roles with administrative permissions are not assigned to IAM identities (users, groups, and service accounts) managing Secret Manager secrets. This helps enforce the Principle of Least Privilege (POLP) by granting members (principals) only the minimum access necessary to complete their tasks.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

One of the most prevalent security vulnerabilities in Google Cloud is misconfigured access permissions. To minimize security risks, avoid routinely assigning IAM roles with administrative privileges to IAM members (principals). IAM members with administrator roles (Owner, Editor, or Secret Manager Admin) can create, update, and delete Secret Manager resources, including reading and replacing secret versions. To adhere to the Principle of Least Privilege (POLP), grant IAM members only the minimal permissions required for their tasks and remove any overly permissive administrator roles.


Audit

To determine whether the IAM identities managing Secret Manager secrets are using roles with administrative permissions, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

04 Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

05 Click on the name (link) of the secret that you want to examine, listed in the Name column.

06 Select the PERMISSIONS tab and choose VIEW BY PRINCIPALS to list all the IAM members (principals) that have access to the selected Secret Manager resource.

07 Click inside the Filter box and perform the following actions:

  1. Select Role, type Owner, and press Enter to return the principals with the Owner role.
  2. Select OR, choose Role, type Editor, and press Enter to return the members with the Editor role.
  3. Select OR, choose Role, type Secret Manager Admin, and press Enter to return the principals with the Secret Manager Admin role, which grants full access to administer Secret Manager resources.

08 If the filtering process in the previous step identifies one or more IAM members, the selected Secret Manager secret is configured to grant principals administrative access using IAM roles.

09 Repeat steps no. 5 – 8 for each Secret Manager secret created for the selected Google Cloud Platform (GCP) project.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run secrets list command (Windows/macOS/Linux) with the name of the Google Cloud project that you want to examine as the identifier parameter and custom output filters to describe the name of each Secret Manager secret created for the selected project:

gcloud secrets list \
	--project cc-project5-123123 \
	--format="value(name)"

04 The command output should return the names of the secrets available within the selected GCP project:

cc-project5-api-key
cc-project5-db-access

05 Run secrets get-iam-policy command (Windows/macOS/Linux) with the name of the Secret Manager secret that you want to examine as the identifier parameter and custom output filters to describe the Cloud IAM policy defined for the selected secret:

gcloud secrets get-iam-policy cc-project5-api-key \
	--format="default(bindings)"

06 The command output should return the requested IAM policy bindings:

bindings:
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  - user:username1@domain.com
  role: roles/editor
- members:
  - user:username2@domain.com
  role: roles/owner
- members:
  - user:username3@domain.com
  role: roles/secretmanager.admin

Check the name of each IAM role (i.e., role property value) returned by the secrets get-iam-policy command output to determine the permissions granted to the principals (members) defined for the associated IAM policy. If one or more principals have the role property set to roles/owner, roles/editor, and/or roles/secretmanager.admin, as shown in the example above, the Cloud IAM policy defined for the selected Secret Manager secret is configured with administrative permissions.

07 Repeat steps no. 5 and 6 for each Secret Manager secret deployed for the selected Google Cloud Platform (GCP) project.

Remediation / Resolution

To ensure that IAM roles with administrative permissions are not used for Secret Manager secrets management, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.

04 Select the SECRETS tab to access the Secret Manager secrets created for the selected GCP project.

05 Click on the name (link) of the secret that you want to configure, listed in the Name column.

06 Select the PERMISSIONS tab and choose VIEW BY PRINCIPALS to list all the IAM members (principals) that have access to the selected Secret Manager resource.

07 Choose the principal with admin permissions that you want to configure and click on the Edit principal button (i.e., pencil icon) to modify the member permissions. The panel with the principal permissions opens.

08 In the Assign roles section, perform the following actions:

  1. Identify the administrator-based roles (i.e., Owner, Editor, and Secret Manager Admin roles) assigned to the selected principal and click on the Delete role button (i.e., bin icon) next to each admin role to remove the role binding.
  2. Choose Add another role and select an IAM role that follows the Principle of Least Privilege (POLP) from the Select a role dropdown list to attach the appropriate role to the selected principal. Use the Add another role button to add as many roles as needed, according to the access requirements of the selected identity.

09 Choose SAVE to apply the permission changes.

10 Repeat steps no. 5 – 9 for each Secret Manager secret that you want to configure, available within the selected Google Cloud Platform (GCP) project.

Using GCP CLI

01 Run secrets remove-iam-policy-binding command (Windows/macOS/Linux) with the name of the Secret Manager secret that you want to configure as the identifier parameter, to remove an administrator-based binding (e.g., roles/secretmanager.admin) from the IAM policy associated with the selected secret. Repeat this step for each administrator-based binding configured in your secret policy:

gcloud secrets remove-iam-policy-binding cc-project5-api-key \
	--member='user:username3@domain.com' \
	--role='roles/secretmanager.admin'

02 The command output should return the modified IAM policy:

bindings:
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  - user:username1@domain.com
  role: roles/editor
- members:
  - user:username2@domain.com
  role: roles/owner
etag: abcd1234abcd
version: 1

03 Run secrets add-iam-policy-binding command (Windows/macOS/Linux) with the name of the Secret Manager secret that you want to configure as the identifier parameter, to add a new binding to the Cloud IAM policy associated with the selected secret. Use the --role parameter to specify the IAM role required by the selected principal, following the Principle of Least Privilege (POLP). As an example, the following command assigns the Secret Manager Secret Accessor role (i.e., roles/secretmanager.secretAccessor) to the specified principal. The Secret Manager Secret Accessor role allows reading the payload of a Secret Manager secret, but not modifying the secret or its IAM policy:

gcloud secrets add-iam-policy-binding cc-project5-api-key \
	--member='user:username3@domain.com' \
	--role='roles/secretmanager.secretAccessor'

04 The command output should return the modified IAM policy:

bindings:
- members:
  - serviceAccount:123456789012@cloudservices.gserviceaccount.com
  - user:username1@domain.com
  role: roles/editor
- members:
  - user:username2@domain.com
  role: roles/owner
- members:
  - user:username3@domain.com
  role: roles/secretmanager.secretAccessor
etag: abcd1234abcd
version: 1

05 Repeat steps no. 1 - 4 for each Secret Manager secret that you want to configure, available in the selected Google Cloud Platform (GCP) project.
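The CLI audit (steps 1 to 7 in the Audit section) and the CLI remediation (steps 1 to 5 above) can be driven from one script. The following is an added example and is not code from Conformity or Google: it reads the secret-level policy as JSON (using `--format=json` in place of `default(bindings)`), flags the three administrator roles the rule checks for, and prints the remove/add commands for review rather than running them. The names `fetch_policy`, `admin_bindings`, `is_compliant` and `remediation_commands` are chosen here, and the sample policy is constructed from the bindings shown above. One caveat worth building in: `gcloud secrets get-iam-policy` returns only bindings set directly on the secret, so Owner or Editor granted at the project, folder or organization level does not appear here and must be audited at that level.

```python
"""Audit a Secret Manager secret's IAM policy for administrator roles and
generate least-privilege remediation commands.

Added example, not Conformity's or Google's own code. It assumes the policy
was fetched with:
    gcloud secrets get-iam-policy SECRET --project PROJECT --format=json
which returns the bindings shown above in YAML, as JSON.
"""
import json
import subprocess
from typing import Dict, List, Tuple

# Administrator roles flagged by rule SecretManager-001.
ADMIN_ROLES = frozenset({"roles/owner", "roles/editor", "roles/secretmanager.admin"})

# Example least-privilege role from the remediation steps above; choose the
# role that matches what each principal actually needs.
DEFAULT_REPLACEMENT_ROLE = "roles/secretmanager.secretAccessor"


def admin_bindings(policy: Dict) -> List[Tuple[str, str, bool]]:
    """Return (role, member, conditional) for every admin-role binding.

    Bindings carrying an IAM condition are still reported: the principal is
    still an administrator whenever the condition holds.
    """
    flagged = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role in ADMIN_ROLES:
            conditional = "condition" in binding
            for member in binding.get("members", []):
                flagged.append((role, member, conditional))
    return flagged


def is_compliant(policy: Dict) -> bool:
    """True when no principal holds Owner, Editor or Secret Manager Admin on the secret."""
    return not admin_bindings(policy)


def remediation_commands(secret: str, project: str, policy: Dict,
                         replacement_role: str = DEFAULT_REPLACEMENT_ROLE) -> List[str]:
    """Build gcloud commands that replace each admin binding with replacement_role.

    Commands are returned for review, not executed: the caller decides which
    principals still need access at all, and with which role. Conditional
    bindings need a matching --condition flag, so they are flagged for manual work.
    """
    commands = []
    for role, member, conditional in admin_bindings(policy):
        if conditional:
            commands.append(f"# REVIEW: {member} holds {role} on {secret} under an IAM "
                            f"condition; remove it with a --condition matching that binding")
            continue
        commands.append(
            f"gcloud secrets remove-iam-policy-binding {secret} --project {project} "
            f"--member='{member}' --role='{role}'"
        )
        commands.append(
            f"gcloud secrets add-iam-policy-binding {secret} --project {project} "
            f"--member='{member}' --role='{replacement_role}'"
        )
    return commands


def fetch_policy(secret: str, project: str) -> Dict:
    """Fetch the live secret-level policy (inherited project/folder/org bindings are not included)."""
    result = subprocess.run(
        ["gcloud", "secrets", "get-iam-policy", secret, "--project", project, "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


# Constructed sample: the JSON equivalent of the policy bindings shown above.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                 "user:username1@domain.com"],
     "role": "roles/editor"},
    {"members": ["user:username2@domain.com"], "role": "roles/owner"},
    {"members": ["user:username3@domain.com"], "role": "roles/secretmanager.admin"}
  ],
  "etag": "abcd1234abcd",
  "version": 1
}
""")

if __name__ == "__main__":
    # Offline run against the constructed sample; use fetch_policy() for a live secret.
    policy = SAMPLE_POLICY
    for role, member, _ in admin_bindings(policy):
        print(f"FAIL {role} -> {member}")
    print("compliant" if is_compliant(policy) else "non-compliant")
    for cmd in remediation_commands("cc-project5-api-key", "cc-project5-123123", policy):
        print(cmd)
```

Run it against the sample to see the four non-compliant bindings and the eight generated commands; to audit a whole project, loop `fetch_policy` over the output of `gcloud secrets list --format="value(name)"` as in steps 3 and 4 of the audit section.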


Publication date Aug 8, 2025