I created a secret on the Secrets Manager console. Then I took tried using the Go code quickstart guide like

ctx := context.Background()
client, err := secretmanager.NewClient(ctx)
if err != nil {
    log.Println(err)
}

// Build the request.
req := &secretmanagerpb.AccessSecretVersionRequest{
    Name: "projects/my-project/secrets/API_KEY/versions/latest",
}

// Call the API.
result, err := client.AccessSecretVersion(ctx, req)
if err != nil {
    log.Println(err)
}

but then I get

rpc error: code = PermissionDenied desc = Permission 'secretmanager.versions.access' denied for resource 'projects/my-project/secrets/API_KEY/versions/latest' (or it may not exist)

which makes sense because how does the secrets manager api even know that my code has admin privileges?

As suggested by @sethvargo,follow the below authentication setup instructions to resolve the error:

1. Install the client library.

2. To run the client library, you must first set up authentication.

   2.a Create the service account. Replace NAME with a name for the service account.

    gcloud iam service-accounts create NAME
   

   2.b Grant roles to the service account. Run the following command once for each of the following IAM roles: roles/owner

   Replace PROJECT_ID with your project ID.

   Replace ROLE with each individual role.

    gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE
   

   2.c Generate the key file. Replace FILE_NAME with a name for the key file.

   gcloud iam service-accounts keys create FILE_NAME.json --iam-account=NAME@PROJECT_ID.iam.gserviceaccount.com
   

3. Provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS.

Run the below command:

export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

4. Use the client Library.

Refer to the documentation for more information