Using secrets

Learn how to create a Secret and configure your Cloud Run for Anthos on Google Cloud services and revisions to use that Secret.

A common use case for a service is to access third-party applications through usernames and passwords. For Google Kubernetes Engine, it's a best practice to store this type of sensitive information in a Kubernetes Secret object rather than in the container image or in plain environment variables of the deployment. Keep in mind that a Secret's values are stored base64-encoded, which is an encoding and not encryption, so anyone with permission to read Secrets in the namespace can read the credential; restrict that permission with RBAC.

To provide your containers with access to Secrets, you can mount each Secret as a volume, which makes each entry in the Secret available to the container as a file under the mount path. Mount your Secret this way when the container needs to see updates: when the Secret changes, Kubernetes refreshes the mounted files after a short propagation delay, so a process that re-reads the file each time it needs the value picks up the latest version.

You can also expose a Secret through environment variables. Those are copied into the process environment when the container starts, so a rotated Secret is only picked up when a new revision starts, and the value is inherited by every child process the container spawns. Prefer volume mounts unless the application can only read its configuration from the environment.
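To make the difference concrete, here is an added example that is not part of this page or of Cloud Run for Anthos: it simulates both delivery methods in a plain POSIX shell. A temporary directory stands in for the mount path you would give the service, the rotation is done by hand instead of by Kubernetes, and the variable name APP_PASSWORD is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the Cloud Run for Anthos docs): simulate how a
# volume-mounted Secret and an environment-variable Secret behave when the
# Secret is rotated. SECRET_DIR stands in for the mount path of the service.

SECRET_DIR=$(mktemp -d)
trap 'rm -rf "$SECRET_DIR"' EXIT

# "Cluster side": publish the current value of KEY as a file in the mount
# directory. Kubernetes writes new content to a fresh directory and swaps a
# symlink so a reader never sees a half-written file; write-then-rename gives
# the same atomic replacement for a single file here.
publish_secret() {   # publish_secret KEY VALUE
  printf '%s' "$2" > "$SECRET_DIR/.$1.tmp"
  mv "$SECRET_DIR/.$1.tmp" "$SECRET_DIR/$1"
}

# "Container side", volume mount: read the entry at the moment it is needed,
# so a rotation that already landed on disk is seen on the next read.
read_mounted() {     # read_mounted KEY
  cat "$SECRET_DIR/$1"
}

# "Container side", environment variable: the value is captured once, when the
# process starts, and never changes for the life of that process.
start_with_env() {   # start_with_env KEY
  APP_PASSWORD=$(read_mounted "$1")
  export APP_PASSWORD
}
env_value() {
  printf '%s' "$APP_PASSWORD"
}

# What a child process sees: exported variables are inherited by every program
# the container launches (and are readable in /proc/PID/environ), which is one
# reason to prefer the mounted file for credentials.
child_sees() {
  sh -c 'printf "%s" "$APP_PASSWORD"'
}

# Walk through one rotation and report what each method returns afterwards.
rotation_report() {
  publish_secret password 'initial-pw'
  start_with_env password
  publish_secret password 'rotated-pw'
  printf 'mounted=%s env=%s child=%s\n' \
    "$(read_mounted password)" "$(env_value)" "$(child_sees)"
}

rotation_report
# Expected: mounted=rotated-pw env=initial-pw child=initial-pw
```

The mounted file returns the rotated value on the next read, while the process that captured the variable at start-up (and every child it launched) keeps using the old one until it is restarted.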

Creating a Secret

The following steps demonstrate one way to create a Secret; there are several others, as explained in the Secret topic.

When you create a Secret, make sure you create it in the cluster that runs your Cloud Run for Anthos service and in the same namespace as the service, because a container can only reference Secrets in its own namespace. In these examples, the default namespace is used.

To create a Secret in the default namespace of your cluster:

  • Create a Secret using files. With --from-file, the key of each entry is the file name (here username.txt and password.txt; use --from-file=KEY=./file to choose a different key), and the -n keeps a trailing newline out of the stored value. Delete the plaintext files once the Secret exists:

    echo -n 'devuser' > ./username.txt
    echo -n 'S!B\*d$zDsb' > ./password.txt
    kubectl create secret generic user-creds --from-file=./username.txt --from-file=./password.txt
    
  • Create a Secret using a kubectl command only. With --from-literal, the keys are the names you give (username and password). Note that the literal password is recorded in your shell history:

    kubectl create secret generic user-creds --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb'
    

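As an added example that is not from this page or from kubectl, the following POSIX shell script builds the Secret object those two commands send to the API server, without a cluster, and decodes it again the way `kubectl get secret -o jsonpath` followed by `base64 -d` would. It assumes a GNU-style base64 that accepts -d for decoding; the Secret name user-creds and the keys are the ones used above, and the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Cloud Run for Anthos docs): construct the v1
# Secret manifest that `kubectl create secret generic` produces, then read the
# entries back. The values are base64-encoded, which is an encoding and not
# encryption: anyone allowed to read the object reads the password.

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }   # encode without wrapping

# secret_manifest NAME KEY=VALUE [KEY=VALUE ...]
# Equivalent of --from-literal: the keys are given explicitly.
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: default\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}
    value=${kv#*=}
    printf '  %s: %s\n' "$key" "$(b64 "$value")"
  done
}

# secret_from_files NAME FILE [FILE ...]
# Equivalent of --from-file: the key is the file's base name and the value is
# the file's exact bytes, so a trailing newline in the file ends up in the
# credential (which is why the page's echo uses -n).
secret_from_files() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: default\ntype: Opaque\ndata:\n' "$name"
  for f in "$@"; do
    printf '  %s: %s\n' "$(basename "$f")" "$(base64 < "$f" | tr -d '\n')"
  done
}

# decode_key MANIFEST KEY -> plaintext value of one entry under data:
decode_key() {
  printf '%s\n' "$1" | awk -v k="$2" '/^data:/ {d=1; next} d && $1 == k ":" {print $2}' | base64 -d
}

# secret_keys MANIFEST -> the entry names, one per line; these are the file
# names a container sees under the mount path when the Secret is mounted.
secret_keys() {
  printf '%s\n' "$1" | awk '/^data:/ {d=1; next} d {sub(":", "", $1); print $1}'
}

# Sample run with the same constructed credentials as the commands above.
manifest=$(secret_manifest user-creds username=devuser 'password=S!B\*d$zDsb')
printf '%s\n' "$manifest"
printf 'entries: %s\n' "$(secret_keys "$manifest" | tr '\n' ' ')"
printf 'password decodes to: %s\n' "$(decode_key "$manifest" password)"
```

Run it to see that the password in the manifest is one `base64 -d` away from plaintext, and that the --from-file variant produces keys named username.txt and password.txt, which become the file names in the container.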
Making a Secret available to a service

You can set Secrets using the Cloud Console or the gcloud command-line tool when you deploy a new service, or when you update an existing service and deploy a new revision:

Console

  1. Go to Cloud Run for Anthos in the Cloud Console.

  2. Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit & Deploy New Revision.

  3. Under Advanced Settings, click Variables.


  4. Under Reference a Secret, select the desired Secret from the pulldown menu.

    • In the Reference method pulldown menu, select how the container should use the Secret: mounted as a volume or exposed as environment variables.
    • If you are mounting it as a volume, specify the mount path, then click Done.
    • If you are exposing it as environment variables:
      1. Supply the Name of the variable and select the corresponding Secret entry from the Key pulldown menu.
      2. To expose another entry, click Add and repeat the previous step for the new variable.
      3. Click Done.

  5. Click Create or Deploy.

Command line

You can use the gcloud command-line tool to set Secrets for new services or to update existing services:

  • For existing services, update Secrets by running the gcloud run services update command with the --update-secrets parameter:

    gcloud run services update SERVICE --update-secrets KEY1=VALUE1,KEY2=VALUE2
    

    Replace:

    • SERVICE with the name of your service.
    • KEY1=VALUE1,KEY2=VALUE2 with a comma separated list of name and value pairs, one per Secret. For each KEY, start with a forward slash / to mount the Secret as files under that path; for example, /etc/creds=user-creds mounts the user-creds Secret created above so that its entries appear as the files username and password in /etc/creds. Omit the forward slash to expose the Secret as an environment variable instead. For each VALUE, specify the Secret name.

    To specify several key-value pairs, you can repeat the parameter instead of writing one comma separated list, which is easier to read:

      [...]
      --update-secrets "KEY1=VALUE1" \
      --update-secrets "KEY2=VALUE2" \
      --update-secrets "KEY3=VALUE3"
      
      
  • For new services, set Secrets by running the gcloud run deploy command with the --set-secrets parameter:

    gcloud run deploy SERVICE --image=IMAGE_URL --set-secrets KEY1=VALUE1,KEY2=VALUE2
    

    Replace:

    • IMAGE_URL with a reference to the container image, for example, gcr.io/myproject/my-image:latest. Referencing the image by its sha256 digest instead of a mutable tag such as latest guarantees that the revision runs exactly the image you reviewed.
    • SERVICE with the name of your service.
    • KEY1=VALUE1,KEY2=VALUE2 with a comma separated list of name and value pairs, one per Secret. For each KEY, start with a forward slash / to mount the Secret as files under that path; for example, /etc/creds=user-creds mounts the user-creds Secret created above so that its entries appear as the files username and password in /etc/creds. Omit the forward slash to expose the Secret as an environment variable instead. For each VALUE, specify the Secret name.

    To specify several key-value pairs, you can repeat the parameter instead of writing one comma separated list, which is easier to read:

      [...]
      --set-secrets "KEY1=VALUE1" \
      --set-secrets "KEY2=VALUE2" \
      --set-secrets "KEY3=VALUE3"
      
    To confirm what the new revision actually received, inspect the Knative Service object that the deploy created in the cluster, for example with kubectl get ksvc SERVICE -o yaml: a mounted Secret appears under the container's volumes, and an exposed one under its env.