Hello,
I am trying to create a DAG using GKEStartPodOperator to trigger a task in my Kubernetes cluster and am running into issues.
The Python script accesses GCP Secret Manager to fetch secrets, and that step keeps failing with the message below:
google.api_core.exceptions.PermissionDenied: 403 Permission 'secretmanager.versions.access' denied for resource
I have already created a binding of role WorkflowIdentityUser between the Kubernetes service account (I believe the code uses the default service account in the namespace mentioned in the DAG) and the service account used to create the Composer environment.
I also verified that the service account used to create the Composer environment has access to the secret.
I also verified that when I trigger the script from a Kubernetes Job, it works fine.
Can you please let me know what I am missing here?
Thanks