Manage your Cloud Run secrets securely with Secret Manager


Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data that provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud. In this episode of Serverless Expeditions Extended, Martin demos how you can update an existing Cloud Run service to use Secret Manager without changing any code and while applying the Principle of Least Privilege. Watch to learn how you can use Secret Manager with your Cloud Run service!

Timestamps:
0:00​ - Intro
1:31 - Secret Manager
1:45 - Updating a Cloud Run service to use Secret Manager
2:48 - Putting the database password in Secret Manager
3:25 - Referencing Secret Manager from Cloud Run
3:45 - What did we achieve?
4:47 - Two other ways of accessing Secret Manager
5:42 - Wrap-up

Clarification on the video: if you mount a secret as an environment variable and point it at the "latest" version of that secret, the current value of the secret is loaded each time a Cloud Run instance of your service starts. Instances start frequently, so even if you never redeploy the Cloud Run service yourself, a new value of the secret will eventually reach your running service.
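The steps the video walks through, written out as gcloud commands. This is an added example, not code from the video or from Google; the project id, region, service name, secret name and runtime service account are placeholders you replace with your own, and the flag syntax is as documented in the gcloud reference for `gcloud secrets` and `gcloud run services update`. Setting `GCLOUD=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the video: the demo's steps as gcloud commands.
# Placeholders (override via the environment): PROJECT, REGION, SERVICE,
# SECRET and RUNTIME_SA. Set GCLOUD=echo to print the commands instead of
# running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project}"        # placeholder project id
REGION="${REGION:-us-central1}"         # placeholder region
SERVICE="${SERVICE:-my-service}"        # placeholder Cloud Run service name
SECRET="${SECRET:-db-password}"         # placeholder secret name
# Placeholder runtime service account: a dedicated one per service rather than
# the default compute account, so the grant below is scoped to this service.
RUNTIME_SA="${RUNTIME_SA:-${SERVICE}-sa@${PROJECT}.iam.gserviceaccount.com}"

# Check a NAME:VERSION reference before passing it on. VERSION is either
# "latest" or a numeric version id; NAME may contain letters, digits, '-', '_'.
secret_ref_ok() {
  case "$1" in
    *:latest)
      ref_name="${1%:latest}" ;;
    *:*)
      ref_name="${1%:*}"
      ref_ver="${1##*:}"
      case "$ref_ver" in ''|*[!0-9]*) return 1 ;; esac ;;
    *)
      return 1 ;;
  esac
  case "$ref_name" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  return 0
}

# Step 1: create the secret. The value is read from stdin so it never appears
# in shell history or in the process list.
create_secret() {
  $GCLOUD secrets create "$SECRET" --project="$PROJECT" \
    --replication-policy=automatic --data-file=-
}

# Step 2 (least privilege): grant read access on this one secret to this one
# service account. Nothing else in the project gains access to it.
grant_access() {
  $GCLOUD secrets add-iam-policy-binding "$SECRET" --project="$PROJECT" \
    --member="serviceAccount:${RUNTIME_SA}" \
    --role=roles/secretmanager.secretAccessor
}

# Step 3: have the existing DB_PASSWORD environment variable come from the
# secret. The service code keeps reading DB_PASSWORD unchanged.
update_service() {
  ref="$1"
  secret_ref_ok "$ref" || { echo "bad secret reference: $ref" >&2; return 1; }
  $GCLOUD run services update "$SERVICE" --project="$PROJECT" --region="$REGION" \
    --service-account="$RUNTIME_SA" \
    --update-secrets="DB_PASSWORD=${ref}"
}

# Alternative to step 3: mount the secret as a file instead of an env var.
# The key is the full path of the file inside the container.
mount_secret_file() {
  ref="$1"
  secret_ref_ok "$ref" || { echo "bad secret reference: $ref" >&2; return 1; }
  $GCLOUD run services update "$SERVICE" --project="$PROJECT" --region="$REGION" \
    --update-secrets="/secrets/db/password=${ref}"
}

# Rotation: add a new version. With the env var pointing at :latest, every
# instance started afterwards (scale-up, new revision) loads the new value;
# instances already running keep the value they loaded at start.
add_version() {
  $GCLOUD secrets versions add "$SECRET" --project="$PROJECT" --data-file=-
}

case "${1:-}" in
  setup)  create_secret; grant_access; update_service "${SECRET}:latest" ;;
  rotate) add_version ;;
  *) ;;   # no argument: only define the functions (lets the file be sourced)
esac
```

Usage: `printf '%s' "$DB_PASSWORD" | ./secrets.sh setup` creates the secret, grants the runtime account access and rewires the service; `printf '%s' "$NEW_PASSWORD" | ./secrets.sh rotate` adds a version that new instances pick up. Pinning to a numeric version (`db-password:3` instead of `db-password:latest`) makes a rotation take effect only when you deliberately update the service.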

#ServerlessExpeditions​ #ServerlessExpeditionsExtended #CloudRun

Product: Cloud Run, Secret Manager; fullname: Martin Omander;
Comments

He is intelligent and able to present in an understandable way! He is great!

deedetres

This is awesome, I'm glad Cloud Run now supports this 🎉🎊

uxweb

So I've mounted my secret but I cannot for the life of me figure out how to access it. Say I've mounted it the same way as in your example. What path would I need to access from my app?

Or, in my case specifically, I've mounted it in `/env/admin`. Can I access it like `cert('/env/admin')`?

EDIT: my problem was that my build trigger was configured to use the inline cloudformation.yaml, not the repository cloudformation.yaml

Patryc

Thanks Martin, this video is very helpful!

smiljantukic

Great video 👍 The only thing I wished was in the video is related to pricing. The reason is that the docs say the first 10k requests for a secret are free and after that it is $0.03 per 10k requests... so with this Cloud Run integration I'm assuming that one request will be made per secret when a new container is spun up, and I'm assuming it is the same with the file mapping option... but when using the Secret Manager API directly (as shown in the code sample) will it work differently? I'm guessing that each time the code runs it will be one request, but would love to know for sure :)

kenuahs

Hi Martin, I have a question about Secret Manager and Cloud Run. I want to read a dotfile and set it to "/var/www/html/.env", for only the latest version. There are other files and folders in "/var/www/html/*"; how can I do this? If I set the secret version relative path to ".env" and the mount path to "/var/www/html", then everything in "/var/www/html" gets overwritten.

markxp

Hello, how do I handle an SSH key when building a Docker image for Cloud Run? The SSH key is for a private Git repository.

radeksmola

Hi. Can you elaborate more on the third way to access Secret Manager? I am using Cloud Run but I'm worried that if Cloud Run scales, the access to the Secret Manager API will surge and give me a big surprise in my cost. (Better yet, an example of the correct way to use the third way in Cloud Run.)

formula-box

How can I call the path of the mounted secret like a local path, for example "./cliente_secret.json", but using Secret Manager instead? I haven't found any example. (I am not interested in retrieving the bytes, only in using the entire file as a "local" file in Secret Manager.) Thank you

pablov.viteri

Could you please show a demo or point to documentation on how to use memcache with Cloud Run?

orinda.harrison

It's so helpful because of what I'm doing.

payasomos

We are currently calling the API during the init phase of our app and exporting it to env. Is there any issue with that?

sujeshthekkepatt

Would've also been very useful with identical gcloud cli commands!

meuko

But it's still not in GA right? Is it still safe to use on production?

discoverlance

Setting secrets as environment variables is pretty insecure and bad practice though. You should definitely avoid doing this!

GaryH

Great, usually I create a secret.yaml in GKE

Babbili