Using GCP Secret Manager with Cloud Run
To integrate Google Cloud Secret Manager with Cloud Run using Pulumi, you first create a secret in Secret Manager and then set up a Cloud Run service that is allowed to read it. Cloud Run can expose a secret either as a file mounted into the container or as an environment variable; the program below uses a file mount, from which your application reads the value at runtime.
Here's a step-by-step process of how the integration works:
- Create a Secret: Use `gcp.secretmanager.Secret` to create a new secret in Secret Manager. This object is the container for sensitive information such as API keys, passwords, or certificates.
- Add a Secret Version: With `gcp.secretmanager.SecretVersion`, you add a new version of the secret, which contains the actual secret data that you want to use in your application.
- Set Up Cloud Run Service: The `gcp.cloudrun.Service` resource allows you to define a new Cloud Run service. This service will be configured to use the secret from Secret Manager.
- Reference Secret in Cloud Run: Within the Cloud Run service definition, you reference the secret using `volumes` and `volumeMounts`. The secret is then available to your application's runtime environment as a file within the container's file system.
- Configure IAM Policies: If needed, use resources like `gcp.cloudrun.IamMember` or `gcp.cloudrun.IamPolicy` to define IAM policies that control who may invoke the Cloud Run service. Separately, the service's runtime service account must hold `roles/secretmanager.secretAccessor` on the secret (for example via `gcp.secretmanager.SecretIamMember`), otherwise the deployment fails because the revision cannot read the secret it mounts.
Below is a TypeScript program that demonstrates these steps using Pulumi:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a secret in Secret Manager. `secretId` is the short name that other
// resources (Cloud Run volumes, IAM bindings) refer to; the `name` output is the
// full projects/<project>/secrets/<secretId> resource name.
const mySecret = new gcp.secretmanager.Secret("my-secret", {
    secretId: "my-secret",
    replication: {
        automatic: true, // pulumi-gcp v7+ renamed this input to `auto: {}`
    },
});

// Add a new version of the secret (this is what holds the payload)
const mySecretVersion = new gcp.secretmanager.SecretVersion("my-secret-version", {
    secret: mySecret.name,
    secretData: pulumi.secret("my-super-secret-data"), // Ensure this is encrypted in Pulumi's state
});

// Set up a Cloud Run service
const myCloudRunService = new gcp.cloudrun.Service("my-cloudrun-service", {
    location: "us-central1", // Replace with your desired region
    template: {
        spec: {
            containers: [{
                image: "gcr.io/my-project/my-app-image:latest", // Replace with your container image URL
                volumeMounts: [{
                    name: "my-secret-volume",
                    mountPath: "/etc/secrets",
                    readOnly: true,
                }],
            }],
            volumes: [{
                name: "my-secret-volume",
                secret: {
                    // Cloud Run expects the short secret name here, not the full resource name
                    secretName: mySecret.secretId,
                    items: [{
                        key: "latest",      // secret version to mount
                        path: "my-secret",  // file name under mountPath
                        mode: 0o400,        // owner read-only
                    }],
                },
            }],
        },
    },
}, {
    // Additional options can be passed here.
});

// Export the URL of the Cloud Run Service
export const cloudRunServiceUrl = myCloudRunService.statuses[0].url;
```
Explanation:
- The `gcp.secretmanager.Secret` creates a new "secret" object within Google Secret Manager, and `gcp.secretmanager.SecretVersion` adds a specific version of the secret data that you wish to use.
- We define the `myCloudRunService` Cloud Run service and set it up to use the secret in its deployment. Note that `gcp.cloudrun.Service` has been set up with a `volumes` block that references the secret. The `volumeMounts` section inside the container spec specifies the path inside the container where the secret will be accessible (here `/etc/secrets/my-secret`).
- We make sure that sensitive data is handled securely by using `pulumi.secret` to encrypt secret values in Pulumi's state files.
- Finally, we export the URL of the deployed Cloud Run service, which lets us interact with the running service.
Make sure to replace `"gcr.io/my-project/my-app-image:latest"` with the path to your container image stored in Google Container Registry or any other container image registry that Cloud Run can access. Likewise, revise the location, project ID, and secret content as necessary. The secret data added here is just an example; in a real-world scenario, this will be your sensitive data. Remember not to hard-code sensitive data in your Pulumi program. You can use environment variables, Pulumi configuration (`pulumi config set --secret`), or other secure methods to handle such data.
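The program above only provisions the mount; the application inside the container still has to read the file. The following loader is an added example (not part of the original answer or of Pulumi's own code) showing how an app would consume a secret mounted at `/etc/secrets/<name>`, falling back to an environment variable of the same name when the Cloud Run service was configured that way instead. The directory default, the fallback order and the newline-stripping are assumptions for illustration; the `/etc/secrets` path and `my-secret` file name are the values used in the Pulumi program.

```typescript
import * as fs from "fs";
import * as path from "path";

// Where the Cloud Run secret volume is mounted (matches mountPath in the Pulumi program).
export const DEFAULT_SECRET_DIR = "/etc/secrets";

export interface LoadedSecret {
    value: string;
    source: "file" | "env";
}

// Load a secret by name. Order (an assumption for this example):
//   1. a file <dir>/<name> written by the Secret Manager volume mount
//   2. an environment variable called <name>
// Throws if neither exists, so a misconfigured deployment fails fast
// instead of running with an empty credential.
export function loadSecret(
    name: string,
    dir: string = DEFAULT_SECRET_DIR,
    env: Record<string, string | undefined> = process.env,
): LoadedSecret {
    // Refuse names containing path separators so a caller-supplied name
    // can never resolve outside the mount directory.
    if (name.length === 0 || path.basename(name) !== name) {
        throw new Error(`invalid secret name: ${JSON.stringify(name)}`);
    }

    const filePath = path.join(dir, name);
    try {
        const raw = fs.readFileSync(filePath, "utf8");
        // Secret Manager stores the payload byte-for-byte. A trailing newline
        // (typically from `echo` at upload time) is a common cause of
        // "invalid credential" errors, so strip exactly one trailing newline.
        return { value: raw.replace(/\r?\n$/, ""), source: "file" };
    } catch (err) {
        // Only a missing file means "not mounted"; permission or I/O errors propagate.
        if ((err as { code?: string }).code !== "ENOENT") {
            throw err;
        }
    }

    const fromEnv = env[name];
    if (fromEnv !== undefined && fromEnv !== "") {
        return { value: fromEnv, source: "env" };
    }
    throw new Error(`secret ${name} not found in ${dir} or in the environment`);
}

// Mask a secret for log output: keep the length visible, never the content.
export function redact(secret: string): string {
    return secret.length === 0 ? "<empty>" : `<redacted, ${secret.length} chars>`;
}
```

In the container the app would call `loadSecret("my-secret")` at startup; because the volume is mounted read-only with mode `0o400`, a later attempt to overwrite the file fails, which is the intended behaviour. Log only `redact(value)`, never the value itself.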