Using Secrets in Cloud Run for Anthos on Google Cloud clusters

A common use case for a service is accessing a third-party application that requires a user name and password. For Kubernetes, it's a best practice to store this type of sensitive information in a Kubernetes Secret object. You can learn more about using Secrets in the Kubernetes Secrets documentation.

When you enable containers to access Secrets, you can choose either of these options:

  • Mount the Secret as a volume, with Secret entries available as files in the mounted volume. This is recommended because it ensures that you get the latest version of the Secret when you are reading it.
  • Pass the Secret using environment variables.

This page describes how to create a Secret and then how to configure Cloud Run for Anthos on Google Cloud to use that Secret.

Creating a Secret

There are several ways to create a Secret, as described in the Kubernetes documentation on Secrets. For your convenience, the following steps show a simple way to create a Secret.

When you create a Secret, create it on the cluster that runs your Cloud Run service, in the same namespace as that service. In these instructions, the default namespace is used.

You can create a Secret using a file:

echo -n 'devuser' > ./username.txt
echo -n 'S!B\*d$zDsb' > ./password.txt
kubectl create secret generic user-creds --from-file=./username.txt --from-file=./password.txt

Or to supply the information in a single command line directly without a file:

kubectl create secret generic user-creds --from-literal=username=devuser --from-literal=password='S!B\*d$zDsb'

The Secret is created in the default namespace, where it is available to services running in that namespace.

Making a Secret available to a service

After you create a Secret, you can make it available to your Cloud Run service either as a volume or as environment variables.

To make the Secret available to a service:

Console

  1. Go to Cloud Run.

  2. Click CREATE SERVICE if you are referencing a Secret on a new service you are deploying to.

    1. Fill out the Create Service form as desired, then click Next.
    2. Enter the container image URL.
    3. Click Show Advanced Settings.
  3. If you are referencing a Secret on an existing service, click the service, then click EDIT & DEPLOY NEW REVISION.

  4. In the SHOW ADVANCED SETTINGS form click the Variables & Secrets tab.

  5. Under Reference a Secret, select your Secret from the pulldown menu.

  6. In the Reference method pulldown menu, select the way you want to use your Secret, mounted as a volume or exposed as environment variables.

  7. If you are using mount as a volume, specify the path, then click Done.

  8. If you are exposing as environment variables,

    1. Supply the Name of the variable and select the corresponding Secret value from the Key pulldown menu.
    2. Click Add to add another secret value.
    3. Supply the Name of the variable and select the corresponding Secret value from the Key pulldown menu.
    4. Click Done.
  9. Click Create or Deploy.

Command line

To set, update, clear, or remove a Secret for a new service, use the gcloud run deploy command. You can use any of the following flags, as needed:

For example, to add or update a Secret, specify the Secrets to mount or to provide as environment variables:

gcloud run deploy [SERVICE] --update-secrets KEY1=VALUE1,KEY2=VALUE2

  • Replace [SERVICE] with the name of your service.
  • Replace KEY1=VALUE1,KEY2=VALUE2 with the comma-separated list of desired Secret key names and values. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables.

You can also set, update, clear, or remove a Secret from an existing service using the gcloud alpha run services update command. You can use any of the following flags, as needed:

gcloud alpha run services update [SERVICE] --image gcr.io/[PROJECT-ID]/[IMAGE] --update-secrets KEY1=VALUE1,KEY2=VALUE2

Replace the following:

  • [SERVICE] with the name of your service.
  • [PROJECT-ID] with your Google Cloud project ID.
  • [IMAGE] with the name of your image.
  • KEY1=VALUE1,KEY2=VALUE2 with the comma-separated list of desired Secret key names and values. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables.
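Both reference methods above can also be expressed directly in the service's Knative manifest. The following is an added example, not taken from this page or from Google's documentation; the service name hello-secrets, the environment variable names DB_USERNAME and DB_PASSWORD, the mount path /etc/creds, and the image placeholder are assumptions. It references the user-creds Secret created earlier, with its username and password keys.

```yaml
# Added example (assumed names): a Cloud Run for Anthos (Knative Serving)
# service that references the user-creds Secret both ways.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: hello-secrets
  namespace: default        # must match the namespace of the Secret
spec:
  template:
    spec:
      containers:
      - image: gcr.io/[PROJECT-ID]/[IMAGE]
        # Option 1: expose individual Secret keys as environment variables.
        # Values are read when the container starts.
        env:
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: user-creds
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: user-creds
              key: password
        # Option 2 (recommended): mount the Secret as a volume, so each key
        # appears as a file, e.g. /etc/creds/password, and updates to the
        # Secret are reflected in the mounted files.
        volumeMounts:
        - name: creds
          mountPath: /etc/creds
          readOnly: true     # the service only needs to read the credentials
      volumes:
      - name: creds
        secret:
          secretName: user-creds
```

Deploy it with kubectl apply -f against the cluster and namespace that hold the Secret; in practice you would use only one of the two options for a given key rather than both.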