{"results":[{"id":"cloudrun-secret-requires-secret-accessor-role","text":"The Cloud Run service account needs `roles/secretmanager.secretAccessor` on each referenced secret, verified at deployment time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-accessor-only-grants-versions-access","text":"The `roles/secretmanager.secretAccessor` role grants only `secretmanager.versions.access` — it cannot list secrets or view metadata.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-avoid-env-vars-and-files","text":"Best practice is to avoid passing secrets via environment variables or filesystem and instead use the Secret Manager API directly via client libraries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-billing-enabled-disabled-not-destroyed","text":"Billing applies to Enabled and Disabled secret versions; Destroyed versions are free.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-compute-gke-cloud-platform-scope","text":"Workloads on Compute Engine or GKE require the `cloud-platform` OAuth scope to use Secret Manager.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-create-requires-admin-role","text":"Creating secrets requires the `roles/secretmanager.admin` (Secret Manager Admin) IAM role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-creating-secret-no-auto-version","text":"Creating a secret via CLI/API does not automatically create a version; the Console creates a first version only if a value 
is provided during creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-default-encryption-aes256-tls","text":"Secret Manager encrypts all secrets with AES-256 at rest and TLS in transit by default with no configuration required; CMEK is available for customer-controlled keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-destroyed-version-irreversible","text":"The Destroyed state for a secret version is irreversible — contents are permanently discarded and the version cannot transition to another state.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-disable-before-destroy","text":"Best practice is to disable secret versions before destroying them; disabling is reversible, destroying is not.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-editor-no-secret-access","text":"The basic `roles/editor` role does not include `secretmanager.versions.access`; only `roles/owner` among basic roles grants secret access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-five-predefined-iam-roles","text":"Secret Manager has five predefined IAM roles: Admin, Secret Accessor, Secret Version Adder, Secret Version Manager, and Viewer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-gce-gke-cloud-platform-scope-required","text":"Workloads on Compute Engine or GKE require the `cloud-platform` OAuth scope to use Secret 
Manager.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-iam-conditions-date-and-resource","text":"Secret Manager supports IAM Conditions for date/time-based expirable access and resource-attribute filtering (e.g., secret name prefix, specific version).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-iam-granularity-mismatch","text":"Secret Manager IAM has a granularity mismatch between role scope and resource structure: roles are granted at the secret level (not per-version), but secrets have three version states (Enabled/Disabled/Destroyed) with distinct access semantics — and the accessor role grants only `versions.access` (no list or metadata), while the viewer role sees metadata but not payloads, forcing dual-role grants for full operational visibility without violating least privilege.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-iam-roles-secret-level-not-version","text":"IAM roles cannot be granted on a secret version — only on the secret itself.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-lowest-iam-resource-is-secret","text":"The lowest-level resource for granting Secret Manager IAM roles is the individual secret.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-no-expiration-production","text":"Expiration on production secrets should be avoided because it causes irreversible deletion; use time-based IAM conditions 
instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-pin-version-not-latest","text":"Best practice is to reference secrets by specific version number in production, not the `latest` alias, to enable validation and rollback.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"secretmanager-production-access-pattern","text":"Production secret access should use the Secret Manager API directly (not env vars/files), pin to specific version numbers (not latest), and account for the fact that Cloud Run env var secrets resolve only at startup — creating a specific operational model.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":44,"limit":20,"offset":0}
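The access-control and version-lifecycle claims above fit together as one small model. The following Python is an added illustration, not Google's Secret Manager API or client library: the role-to-permission table is constructed from the claims listed here (the accessor role carrying only `secretmanager.versions.access`, the viewer role seeing metadata but no payload, basic Editor lacking `versions.access`), the version state machine encodes disable-is-reversible / destroy-is-not, `latest` resolves to the most recently created version and fails when that version is not ENABLED, and a binding's `expires` field stands in for a time-based IAM Condition. The resource and member names are placeholders.

```python
"""Toy model of the Secret Manager semantics listed on this page.

Added illustration, not Google's API. ROLE_PERMISSIONS is a constructed,
simplified table: only the accessor/viewer split, the single accessor
permission and the Editor-vs-Owner difference come from the page's claims.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class State(Enum):
    ENABLED = "ENABLED"
    DISABLED = "DISABLED"
    DESTROYED = "DESTROYED"


ACCESS = "secretmanager.versions.access"
METADATA = {"secretmanager.secrets.get", "secretmanager.versions.list"}
MANAGE = {"secretmanager.versions.add", "secretmanager.versions.enable",
          "secretmanager.versions.disable", "secretmanager.versions.destroy"}
CREATE = {"secretmanager.secrets.create"}

ROLE_PERMISSIONS = {
    "roles/secretmanager.secretAccessor": {ACCESS},          # payload only, no list/metadata
    "roles/secretmanager.viewer": set(METADATA),             # metadata only, no payload
    "roles/secretmanager.secretVersionAdder": {"secretmanager.versions.add"},
    "roles/secretmanager.secretVersionManager": METADATA | MANAGE,
    "roles/secretmanager.admin": METADATA | MANAGE | CREATE | {ACCESS},
    "roles/owner": METADATA | MANAGE | CREATE | {ACCESS},    # only basic role with ACCESS
    "roles/editor": METADATA | MANAGE | CREATE,              # basic Editor lacks ACCESS (simplified)
}


def ts(iso: str) -> datetime:
    """Helper: parse an ISO-8601 timestamp as UTC (for conditions and 'now')."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Binding:
    resource: str                      # "projects/P/secrets/NAME": lowest grantable level
    role: str
    member: str
    expires: Optional[datetime] = None  # models an IAM Condition request.time < expires

    def __post_init__(self):
        if "/versions/" in self.resource:
            raise ValueError("IAM roles cannot be granted on a secret version, only on the secret")
        if self.role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {self.role}")


def has_permission(bindings: List[Binding], member: str, resource: str,
                   permission: str, now: datetime) -> bool:
    """True if any non-expired binding on this secret gives member the permission."""
    for b in bindings:
        if b.member != member or b.resource != resource:
            continue
        if b.expires is not None and now >= b.expires:
            continue  # the grant lapses; unlike secret expiration, nothing is deleted
        if permission in ROLE_PERMISSIONS[b.role]:
            return True
    return False


@dataclass
class Version:
    number: int
    state: State
    payload: Optional[bytes]


class Secret:
    def __init__(self, name: str):
        self.name = name
        self.versions: List[Version] = []  # creating a secret adds no version automatically

    def add_version(self, payload: bytes) -> int:
        v = Version(len(self.versions) + 1, State.ENABLED, payload)
        self.versions.append(v)
        return v.number

    def _transition(self, number: int, new: State) -> None:
        v = self.versions[number - 1]
        if v.state is State.DESTROYED:
            raise RuntimeError(f"version {number} is DESTROYED; no further transitions")
        v.state = new

    def disable(self, number: int) -> None:   # reversible
        self._transition(number, State.DISABLED)

    def enable(self, number: int) -> None:
        self._transition(number, State.ENABLED)

    def destroy(self, number: int) -> None:   # irreversible: payload discarded
        self._transition(number, State.DESTROYED)
        self.versions[number - 1].payload = None

    def billable_versions(self) -> int:       # ENABLED and DISABLED are billed
        return sum(1 for v in self.versions if v.state is not State.DESTROYED)

    def resolve(self, ref: str) -> Version:
        """'latest' is the most recently created version, whatever its state."""
        return self.versions[-1] if ref == "latest" else self.versions[int(ref) - 1]


def access(secret: Secret, ref: str, bindings: List[Binding],
           member: str, now: datetime) -> bytes:
    """Model of versions.access: IAM check on the secret, then state check on the version."""
    if not has_permission(bindings, member, secret.name, ACCESS, now):
        raise PermissionError(f"{member} lacks {ACCESS} on {secret.name}")
    v = secret.resolve(ref)
    if v.state is not State.ENABLED:
        raise RuntimeError(f"FAILED_PRECONDITION: version {v.number} is {v.state.value}")
    return v.payload
```

Pinning a version number in production is what keeps `access(secret, "1", ...)` working after someone disables the newest version, whereas `latest` starts failing immediately; and an expired `Binding` only withdraws access, so it is the safe way to time-box a grant compared with setting an expiration on the secret itself.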