Using Secrets in Cloud Run for Anthos on Google Cloud clusters

A common use case for a service is accessing a third-party application that requires a user name and password. In Kubernetes, the best practice is to store this kind of sensitive information in a Kubernetes Secret object. You can learn more about using Secrets in the Kubernetes Secrets documentation.

When you enable containers to access Secrets, you can choose either of these options:

  • Mount the Secret as a volume, with Secret entries available as files in the mounted volume. This is recommended because it ensures that you get the latest version of the Secret when you are reading it.
  • Pass the Secret using environment variables. Note that an environment variable is read once when the container starts, so it does not reflect later updates to the Secret.
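
The following added example (not code from the Cloud Run documentation) illustrates why the volume mount is recommended: it simulates a Secret update and shows that a file in the mounted volume returns the current value while an environment variable captured at container start stays stale. The mount directory, file name and variable name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Cloud Run for Anthos docs. Models the difference
# between reading a Secret from a mounted volume and from an environment variable.
# The mount directory is simulated with a temporary directory (an assumption);
# on a real cluster the kubelet refreshes mounted Secret files on its sync period,
# except for subPath mounts, which never receive updates.

# read_secret FILE ENV_NAME: prefer the file in the mounted volume; fall back to
# the environment variable when the file is absent.
read_secret() {
  if [ -r "$1" ]; then
    cat "$1"
  else
    eval "printf '%s' \"\${$2:-}\""
  fi
}

# simulate_rotation: write an initial Secret value, capture it into an env var
# the way a container does at start, then change the Secret. Returns 0 when the
# mounted file shows the new value and the env var still holds the old one.
simulate_rotation() {
  dir=$(mktemp -d) || return 1
  printf '%s' 'old-password' > "$dir/password"            # constructed initial value
  DB_PASSWORD=$(read_secret "$dir/password" DB_PASSWORD)   # snapshot at container start
  export DB_PASSWORD
  printf '%s' 'new-password' > "$dir/password"            # Secret updated on the cluster
  from_file=$(read_secret "$dir/password" DB_PASSWORD)     # volume: current value
  from_env=$(read_secret "$dir/does-not-exist" DB_PASSWORD) # no file: falls back to env
  rm -rf "$dir"
  [ "$from_file" = 'new-password' ] && [ "$from_env" = 'old-password' ]
}
```

Run `simulate_rotation && echo "mounted file is current, env var is stale"` to see the outcome.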

This page describes how to create a Secret and then how to configure Cloud Run for Anthos on Google Cloud to use that Secret.

Creating a Secret

There are several ways to create a Secret, as described in the Kubernetes documentation on Secrets. For your convenience, the following steps show a simple way to create a Secret.

When you create a Secret, make sure you create it in the same namespace as the Cloud Run service that will use it. These instructions use the default namespace.

You can create a Secret using a file:

echo -n 'devuser' > ./username.txt
echo -n 'S!B\*d$zDsb' > ./password.txt
kubectl create secret generic user-creds --from-file=./username.txt --from-file=./password.txt

Or, to supply the values directly on a single command line without a file:

kubectl create secret generic user-creds --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb'

The Secret is created in the default namespace, where services running in that namespace can use it.

Making a Secret available to a service

After you create a Secret, you can make it available to your Cloud Run service either as a volume or as environment variables, using the Cloud Console or the gcloud command line, when you create a new service or deploy a new revision.

Console

  1. Go to Cloud Run

  2. Click Create Service if you are configuring a new service you are deploying to. If you are configuring an existing service, click on the service, then click Edit and Deploy New Revision.

  3. Under Advanced Settings, click Variables.


  4. Under Reference a Secret, select the desired Secret from the pulldown menu.

    • In the Reference method pulldown menu, select how you want to use your Secret: mounted as a volume or exposed as environment variables.
    • If you are mounting it as a volume, specify the mount path, then click Done.
    • If you are exposing it as environment variables:
      1. Supply the Name of the variable and select the corresponding Secret value from the Key pulldown menu.
      2. Click Add to add another Secret value.
      3. Supply the Name of the additional variable and select its Secret value from the Key pulldown menu.
      4. Click Done.

  5. Click Create or Deploy.

Command line

To set, update, clear, or remove a Secret for a new service, use the gcloud run deploy command. You can use any of the following flags, as needed:

For example, to add or update a Secret, making it available to your Cloud Run service, specify the Secrets to mount or to provide as environment variables:

gcloud run deploy SERVICE --update-secrets KEY1=VALUE1,KEY2=VALUE2

  • Replace SERVICE with the name of your service.
  • Replace KEY1=VALUE1,KEY2=VALUE2 with the comma-separated list of desired Secret key names and values. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables.

You can also set, update, clear, or remove a Secret from an existing service using the gcloud beta run services update command. You can use any of the following flags, as needed:

gcloud beta run services update SERVICE --image IMAGE_URL --update-secrets KEY1=VALUE1,KEY2=VALUE2

  • Replace SERVICE with the name of your service.
  • Replace IMAGE_URL with a reference to the container image, for example, gcr.io/myproject/my-image:latest.
  • Replace KEY1=VALUE1,KEY2=VALUE2 with the comma-separated list of desired Secret key names and values. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables.