Your service might need to have dependencies requiring API keys, passwords, certificates, or other sensitive information. For Cloud Run, Google recommends that you store this type of sensitive information in a secret created in Secret Manager.
You can make a secret available to your containers in either of two ways:
- Mount each secret as a volume, which makes the secret available to the container as files. Reading a volume always fetches the secret value from Secret Manager, so it can be used with the latest version. This method also works well with secret rotation.
- Pass a secret using environment variables. Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest.
For more information, refer to the Secret Manager best practices document.
How secrets are checked at deployment and runtime
During service deployment, all secrets used, whether as environment variable or mounted as a volume, are checked to ensure the service account used to run the container has access to them. If any check fails, the service deployment fails.
During runtime, when instances start up:
- If the secret is an environment variable, the value of the secret is retrieved prior to starting the instance, so if secret retrieval fails, the instance does not start.
- If the secret is mounted as a volume, no check is performed during instance startup. However, during runtime, if a secret is inaccessible, attempts to read the mounted volume will fail.
Volume ownership differs by execution environment and deployment type
When you mount a secret volume, the identity owning the files and directories differs depending on the workload's execution environment and on whether the deployment consists of one or multiple containers.
In the first generation execution environment where you are deploying a single container, the secret volume is owned by the identity used for the container. In all other cases, the volume is owned by root. This includes:
- First generation execution environment where you are deploying multiple containers
- The second generation environment
Before you begin
You can use an existing Secret Manager secret or create a new secret.
Required roles
To get the permissions that you need to configure secrets, ask your administrator to grant you the following IAM roles:
-
Cloud Run Admin (
roles/run.admin
) on the Cloud Run service -
Service Account User (
roles/iam.serviceAccountUser
) on the service identity
To allow Cloud Run to access the secret, the service identity must have the following role:
- Secret Manager Secret Accessor (
roles/secretmanager.secretAccessor
)
For instructions on how to add the service identity principal to the Secret Manager Secret Accessor role, see Manage access to secrets.
For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.
Make a secret accessible to Cloud Run
Any configuration change leads to the creation of a new revision. Subsequent revisions will also automatically get this configuration setting unless you make explicit updates to change it.
You can make a secret accessible to your service using the Google Cloud console, the Google Cloud CLI, or a YAML file when you deploy a new service or update an existing service and deploy a revision:
Console
In the Google Cloud console, go to Cloud Run:
Click Deploy container and select Service to configure a new service. If you are configuring an existing service, click the service, then click Edit and deploy new revision.
If you are configuring a new service, fill out the initial service settings page, then click Container(s), volumes, networking, security to expand the service configuration page.
Click the Container tab.
- Under Secrets:
- Click Reference a Secret.
- Select the secret you want to use from the Secret pulldown list.
- In the Reference method pulldown menu, select the way you want to use your secret, mounted as a volume or exposed as environment variables.
- If you are mounting the secret as a volume:
- Under Mount path, specify the mount path you are using for secrets.
- By default, the latest version is selected. You can select a specific version if you want. Under Specified paths for secret versions, specify the path to the version and the version number.
- Click Done.
- If you are exposing the secret as an environment variable:
- Supply the Name of the variable and select the secret version, or latest to always use the current secret version.
- Click Done.
- Under Secrets:
Click Create or Deploy.
gcloud
To make a secret accessible to your service, enter one of the following commands.
To mount the secret as a volume when deploying a service:
gcloud run deploy SERVICE --image IMAGE_URL \ --update-secrets=PATH=SECRET_NAME:VERSION
Replace:
SERVICE
with the name of your service.- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shapeLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
PATH
with the mount path of the volume and filename of the secret. It must start with a leading slash, for example:/etc/secrets/dbconfig/password
, where/etc/secrets/dbconfig/
is the mount path of the volume, andpassword
is the filename of the secret.SECRET_NAME
with the secret name in the same project, e.g.mysecret
.VERSION
with the secret version. Uselatest
for latest version, or a number, for example,2
.
To expose the secret as an environment variable when deploying a service:
gcloud run deploy SERVICE \ --image IMAGE_URL \ --update-secrets=ENV_VAR_NAME=SECRET_NAME:VERSION
Replace:
SERVICE
with the name of your service.- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shapeLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
ENV_VAR_NAME
with the name of the environment variable you want to use with the secret.SECRET_NAME
with the secret name in the same project, e.g.mysecret
.VERSION
with the secret version. Uselatest
for latest version, or a number, for example,2
.
You can update multiple secrets at the same time. To do this, separate the configuration options for each secret with a comma. The following command updates one secret mounted as a volume and another secret exposed as an environment variable.
To update existing secrets, enter the following command:
gcloud run deploy SERVICE --image IMAGE_URL \ --update-secrets=PATH=SECRET_NAME:VERSION,ENV_VAR_NAME=SECRET_NAME:VERSION
To clear existing secrets and make a new secret accessible to the service, use the
--set-secrets
flag:gcloud run services update SERVICE \ --set-secrets="ENV_VAR_NAME=SECRET_NAME:VERSION"
YAML
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:
gcloud run services describe SERVICE --format export > service.yaml
For secrets exposed as environment variables, under
env
, update the ENV_VAR, VERSION, and/or SECRET_NAME as desired. If you have multiple secrets mounted as environment variables, you will have multiples of these attributes.apiVersion: serving.knative.dev/v1 kind: Service metadata: name: SERVICE spec: template: metadata: name: REVISION spec: containers: - image: IMAGE_URL env: - name: ENV_VAR valueFrom: secretKeyRef: key: VERSION name: SECRET_NAME
For secrets mounted as file paths, update the MOUNT_PATH, VOLUME_NAME, VERSION, FILENAME, and/or SECRET_NAME as desired. If you have multiple secrets mounted as file paths, you will have multiples of these attributes.
apiVersion: serving.knative.dev/v1 kind: Service metadata: name: SERVICE spec: template: metadata: name: REVISION spec: containers: - image: IMAGE_URL volumeMounts: - mountPath: MOUNT_PATH name: VOLUME_NAME volumes: - name: VOLUME_NAME secret: items: - key: VERSION path: FILENAME secretName: SECRET_NAME
Note that
VOLUME_NAME
can be set to any name.Replace
- SERVICE with the name of your Cloud Run service
- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shapeLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
- REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
- Starts with
SERVICE-
- Contains only lowercase letters, numbers and
-
- Does not end with a
-
- Does not exceed 63 characters
- Starts with
Replace the service with its new configuration using the following command:
gcloud run services replace service.yaml
Terraform
Create a secret and a secret version.
Create a service account and grant it access to the secret:
Secret Manager secrets can be accessed from Cloud Run as mounted file paths or as environment variables.
For secrets mounted as file paths, reference the Secret Manager resource in the
volumes
parameter. Thename
corresponds with an entry in thevolume_mounts
parameter:For secrets exposed as environment variables, reference the Secret Manager resource in the
env
parameter:
Referencing secrets from other projects
You can reference a secret from another project, if your project's service account has been allowed to access the secret.
Console
In the Google Cloud console, go to Cloud Run:
Click Deploy container and select Service to configure a new service. If you are configuring an existing service, click the service, then click Edit and deploy new revision.
If you are configuring a new service, fill out the initial service settings page, then click Container(s), volumes, networking, security to expand the service configuration page.
Click the Container tab.
- Under Secrets:
- Click Reference a Secret.
- Select Don't see your secret? Enter secret resource ID from the Secret pulldown list to
display the following form:
- In the Add a secret by resource ID form, enter the secret from
the other project, in the format
projects/PROJECT_NUMBER/secrets/SECRET_NAME
. You can alternatively copy and paste the resource ID from the other project if you have access to it, by selecting the secret, clicking the Actions ellipsis at the right of the secret, and selecting Copy resource ID from the pulldown menu. - Click Add secret.
- In the Reference method pulldown menu, select the way you want to use your secret, mounted as a volume or exposed as environment variables.
- If you are mounting the secret as a volume:
- Under Mount path, specify the mount path you are using for secrets.
- By default, the latest version is selected. You can select a specific version if you want. Under Specified paths for secret versions, specify the path to the version and the version number.
- Click Done.
- If you are exposing the secret as an environment variable:
- Supply the Name of the variable and select the secret version, or latest to always use the current secret version.
- Click Done.
- Under Secrets:
Click Create or Deploy.
gcloud
To mount a secret as a volume when deploying a service:
gcloud run deploy SERVICE --image IMAGE_URL \ --update-secrets=PATH=projects/PROJECT_NUMBER/secrets/SECRET_NAME:VERSION
Replace:
SERVICE
with the name of your service.- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shapeLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
PATH
with the mount path of the volume and filename of the secret. It must start with a leading slash, for example:/etc/secrets/dbconfig/password
, where/etc/secrets/dbconfig/
is the mount path of the volume, andpassword
is the filename of the secret.PROJECT_NUMBER
with the project number for the project the secret was created in.SECRET_NAME
with the secret name, e.g.mysecret
.VERSION
with the secret version. Uselatest
for latest version, or a number, for example,2
.
YAML
If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:
gcloud run services describe SERVICE --format export > service.yaml
Due to constraints around API compatibility, the secret locations must be stored in an annotation.
For secrets exposed as environment variables:
apiVersion: serving.knative.dev/v1 kind: Service metadata: name: SERVICE spec: template: metadata: annotations: run.googleapis.com/secrets: SECRET_LOOKUP_NAME:projects/PROJECT_NUMBER/secrets/SECRET_NAME spec: containers: - image: IMAGE_URL env: - name: ENV_VAR valueFrom: secretKeyRef: key: VERSION name: SECRET_LOOKUP_NAME
Replace:
SERVICE
with the name of your service.- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shapeLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
ENV_VAR
PROJECT_NUMBER
with the project number for the project the secret was created in.SECRET_NAME
with the secret name, e.g.mysecret
.VERSION
with the secret version. Uselatest
for latest version, or a number, for example,2
.SECRET_LOOKUP_NAME
with any name that has a valid secret name syntax (e.g.my-secret
), it can be the same asSECRET_NAME
For secrets mounted as file paths:
apiVersion: serving.knative.dev/v1 kind: Service metadata: name: SERVICE spec: template: metadata: annotations: run.googleapis.com/secrets: SECRET_LOOKUP_NAME:projects/PROJECT_NUMBER/secrets/SECRET_NAME spec: containers: - image: IMAGE_URL volumeMounts: - mountPath: MOUNT_PATH name: VOLUME_NAME volumes: - name: VOLUME_NAME secret: items: - key: VERSION path: FILENAME secretName: SECRET_LOOKUP_NAME
Replace:
SERVICE
with the name of your service.- IMAGE_URL with a reference to the container image, for
example,
us-docker.pkg.dev/cloudrun/container/hello:latest
. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shapeLOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
PATH
with the mount path of the volume and filename of the secret. It must start with a leading slash, for example:/etc/secrets/dbconfig/password
, where/etc/secrets/dbconfig/
is the mount path of the volume, andpassword
is the filename of the secret.PROJECT_NUMBER
with the project number for the project the secret was created in.SECRET_NAME
with the secret name, e.g.mysecret
.VERSION
with the secret version. Uselatest
for latest version, or a number, for example,2
.SECRET_LOOKUP_NAME
with any name that has a valid secret name syntax (e.g.my-secret
), it can be the same asSECRET_NAME
VOLUME_NAME
with any name (e.g.my-volume
), it can be the same asSECRET_NAME
View secrets settings
To view the current secrets settings for your Cloud Run service:
Console
In the Google Cloud console, go to Cloud Run:
Click the service you are interested in to open the Service details page.
Click the Revisions tab.
In the details panel at the right, the secrets setting is listed under the Container tab.
gcloud
Use the following command:
gcloud run services describe SERVICE
Locate the secrets setting in the returned configuration.
Use secrets in your code
For examples on accessing secrets in your code as environment variables, refer to the tutorial on end user authentication, particularly the section Handling sensitive configuration with Secret Manager.
Disallowed paths and limitations
Cloud Run does not allow you to mount secrets at /dev
,
/proc
and /sys
, or on their subdirectories.
If you are mounting secrets on /tmp
and you are using
first generation execution environment,
refer to the known issue on
mounting secrets on /tmp
.
Cloud Run does not allow you to mount multiple secrets at the same path because two volume mounts cannot be mounted at the same location.
Overriding a directory
If the secret is mounted as a volume in Cloud Run, and the last directory in the volume mount path already exists, then any files or folders in the existing directory become inaccessible.
For example, if a secret called my-secret
is mounted to path
/etc/app_data
, all the contents inside the app_data
directory will be
overwritten, and the only visible file is /etc/app_data/my-secret
.
To avoid overwriting files in an existing directory, create a new directory for
mounting the secret, for example, /etc/app_data/secrets
, so that the mount
path for the secret is /etc/app_data/secrets/my-secret
.