Skip to content
/ secret-loader-medium Public

Description and usage of secret-loader into a real project and in relation with the medium article

License

Apache-2.0 license
13 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

guillaumeblaquiere/secret-loader-medium

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
server.go
server.go
 
 
start.sh
start.sh
 
 

Repository files navigation

Secret loader Medium

This project is in relation with the medium article that explain how to preload secret in Cloud Run without changing the application code

The process run a script before running the app. It works only on environment variable. In serverless environment, only Cloud Run is compliant. (and App Engine Flexible, because it's compliant with container)

Test the secret-loader

The test is performed with Cloud Run.

Create a secret

Create a secret into secret manager

echo "my super secret" | gcloud beta secrets create --data-file=- --replication-policy=automatic my-secret

Create a service account

You have to allow Cloud Run service account to access to secret manager

Create the service account

gcloud iam service-accounts create cr-access-secret

Either allow full access to secret manager and can access to all secrets

gcloud projects add-iam-policy-binding \
--member=serviceAccount:cr-access-secret@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/secretmanager.secretAccessor <PROJECT_ID>

Or allow the access to a specific secret

gcloud beta secrets add-iam-policy-binding  \
--member=serviceAccount:cr-access-secret@<PROJECT_ID>.iam.gserviceaccount.com \
--role=roles/secretmanager.secretAccessor my-secret

Build the test container

The test container only print the environment variable when you call the root URL. 2 versions exists

Build the script version based on gcloud SDK

gcloud builds submit -t gcr.io/<PROJECT_ID>/secret-loader

The file start.sh contains a bash script and use gcloud command for loading the secret. The Dockerfile file is used during the build. The latest layer is the gcloud SDK container. It's a big image (700Mb)

Deploy the container

The container must be deployed with the previously created service account and with the secret in parameter

gcloud run deploy --image=gcr.io/<PROJECT_ID>/secret-loader --platform=managed  \
--region=us-central1 --allow-unauthenticated \
--service-account=cr-access-secret@<PROJECT_ID>.iam.gserviceaccount.com \
--set-env-vars=super_secret=secret:/my-secret#1 secret-loader

Test the secret loader transformation

Perform a simple curl on the URL and check the environment variable super_secret value returned

curl https://secret-loader.<project-hash>-uc.a.run.app

License

This library is licensed under Apache 2.0. Full license text is available in LICENSE.

About

Description and usage of secret-loader into a real project and in relation with the medium article

Resources

Readme

License

Apache-2.0 license
Activity

Stars

13 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages