Use App Engine runtime ADC for gateway auth secret access #3521

@anth-volk

Description

Problem

API v1 staging integration tests are failing on the live economy endpoints because the deployed App Engine service cannot read the Auth0 client secret from Google Secret Manager.

The immediate runtime error is a 500 response from /us/economy/... with a message that Secret Manager access was denied for projects/389282473430/secrets/gateway-auth-client-secret/versions/1.

Root Cause

The App Engine runtime image still bakes GOOGLE_APPLICATION_CREDENTIALS into the container and points it at a JSON credential file generated during deploy. That forces Google ADC inside the running service to use the baked key instead of the attached App Engine runtime service account.

The runtime service account already has roles/secretmanager.secretAccessor on the gateway auth secret, but the baked credential path does not. As a result, the new Secret Manager-backed gateway auth code fails at runtime when it tries to fetch the Auth0 client secret.

Required Fix

  • stop baking GOOGLE_APPLICATION_CREDENTIALS into the runtime image
  • let the deployed App Engine service use metadata-backed ADC from its attached runtime service account
  • keep deploy/build auth working, but make it use GitHub OIDC Workload Identity Federation where available
  • add the necessary workflow id-token: write permissions for GCP-authenticated jobs

Result

Once this is in place, Secret Manager access for the gateway auth client secret should succeed through the App Engine runtime identity, and the live staging economy tests should stop returning 500s for this reason.
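As an added illustration (not code from this repository), the check below flags `GOOGLE_APPLICATION_CREDENTIALS` baked into a Dockerfile `ENV` line and mirrors the ADC lookup order that makes such a key file shadow the attached runtime service account. The Dockerfile text is constructed; the gcloud user-credential step of ADC is omitted because it does not apply inside a deployed image.

```python
"""Flag a credential file baked into a runtime image and show why ADC picks it up.

Example code, not part of this repository. The Dockerfile snippets are constructed.
"""
import re

ADC_ENV = "GOOGLE_APPLICATION_CREDENTIALS"

# Dockerfile ENV accepts both "ENV KEY value" and "ENV KEY=value KEY2=value2".
_ENV_LINE = re.compile(r"^\s*ENV\s+(.*)$", re.IGNORECASE)
_LEGACY = re.compile(rf"^{ADC_ENV}\s+(\S+)")
_PAIRS = re.compile(r'(\w+)=("[^"]*"|\S+)')


def baked_credentials(dockerfile: str) -> list[str]:
    """Return every value assigned to GOOGLE_APPLICATION_CREDENTIALS by an ENV line."""
    found: list[str] = []
    for line in dockerfile.splitlines():
        m = _ENV_LINE.match(line)
        if not m:
            continue
        body = m.group(1)
        legacy = _LEGACY.match(body)          # "ENV KEY value" form
        if legacy:
            found.append(legacy.group(1))
            continue
        for key, value in _PAIRS.findall(body):  # "ENV KEY=value ..." form
            if key == ADC_ENV:
                found.append(value.strip('"'))
    return found


def adc_source(env: dict[str, str], on_gce: bool = True) -> str:
    """Mirror the ADC order relevant here: the env var wins over the metadata server.

    That ordering is why a baked key file is used even when the attached
    App Engine runtime service account holds the Secret Manager role.
    """
    if env.get(ADC_ENV):
        return f"key-file:{env[ADC_ENV]}"
    if on_gce:
        return "metadata-server:runtime-service-account"
    return "none"


if __name__ == "__main__":
    # Constructed image definition that still bakes the key file in.
    baked = "FROM python:3.12-slim\nENV GOOGLE_APPLICATION_CREDENTIALS=/app/creds.json PORT=8080\n"
    print("baked key files:", baked_credentials(baked))
    print("ADC with baked key:", adc_source({ADC_ENV: "/app/creds.json"}))
    print("ADC after removing it:", adc_source({}))
```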
