Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://cloud.google.com/functions/docs/configuring/secrets below:

Configure secrets for services | Cloud Run Documentation

Stay organized with collections Save and categorize content based on your preferences.

Your service might need to have dependencies requiring API keys, passwords, certificates, or other sensitive information. For Cloud Run, Google recommends that you store this type of sensitive information in a secret created in Secret Manager.

You can make a secret available to your containers in either of two ways:

• Mount each secret as a volume, which makes the secret available to the container as files. Reading a volume always fetches the secret value from Secret Manager, so it can be used with the latest version. This method also works well with secret rotation.
• Pass a secret using environment variables. Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest.

For more information, refer to the Secret Manager best practices document.

During service deployment, all secrets used, whether as environment variable or mounted as a volume, are checked to ensure the service account used to run the container has access to them. If any check fails, the service deployment fails.

During runtime, when instances start up:

• If the secret is an environment variable, the value of the secret is retrieved prior to starting the instance, so if secret retrieval fails, the instance does not start.
• If the secret is mounted as a volume, no check is performed during instance startup. However, during runtime, if a secret is inaccessible, attempts to read the mounted volume will fail.

When you mount a secret volume, the identity owning the files and directories differs depending on the workload's execution environment and on whether the deployment consists of one or multiple containers.

In the first generation execution environment where you are deploying a single container, the secret volume is owned by the identity used for the container. In all other cases, the volume is owned by root. This includes:

• First generation execution environment where you are deploying multiple containers
• The second generation environment

1. Enable the Secret Manager API.

   Enable the API

2. Use an existing secret or, create a secret in Secret Manager, as described in Create a secret.

To get the permissions that you need to configure secrets, ask your administrator to grant you the following IAM roles:

• Cloud Run Admin (roles/run.admin) on the Cloud Run service
• Service Account User (roles/iam.serviceAccountUser) on the service identity

To allow Cloud Run to access the secret, the service identity must have the following role:

• Secret Manager Secret Accessor (roles/secretmanager.secretAccessor)

For instructions on how to add the service identity principal to the Secret Manager Secret Accessor role, see Manage access to secrets.

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Any configuration change leads to the creation of a new revision. Subsequent revisions will also automatically get this configuration setting unless you make explicit updates to change it.

You can make a secret accessible to your service using the Google Cloud console, the Google Cloud CLI, or a YAML file when you deploy a new service or update an existing service, and deploy a revision. Click the tab of your choice:

1. In the Google Cloud console, go to Cloud Run:

   Go to Cloud Run

2. Select Services from the menu, and click Deploy container to configure a new service. Fill out the initial service settings page, then click Container(s), Volumes, Networking, Security to expand the service configuration page.

3. If you are configuring an existing service, click the service, and click Edit and deploy new revision.

4. Follow the steps to mount the secret as a volume, or expose the secret as an environment variable.

   • To expose the secret as an environment variable:

     1. Click the Container(s) tab.
     2. In the Variables and Secrets tab, click Reference a secret.
     3. In the Name 1 field, enter the name of the environment variable.
     4. From the Secret list, select the secret you want to use.
     5. From the Version 1 list, select the version of the secret to reference.
     6. Click Done.
     7. Click Create or Deploy.

   • To mount secret as a volume:

     1. Click the Volumes tab and select Add volume.
     2. In the Volume type list, select Secret.
     3. In the Volume name field, enter a name or accept the default name.
     4. From the Secret list, select the secret you want to use.
     5. In the Path 1 field, enter the name of the file to mount.
     6. In the Version 1 list, select the version of the secret to reference. By default, the latest version is selected. You can select a specific version if you want.
     7. Click Done.
     8. Navigate to the Container(s) tab to mount your secret to the container.
     9. In the Volume mounts tab, and click Mount volume.
     10. From the Name 1 list, select your volume name.
     11. In the Mount path 1 field, enter the mount path for this secret. This is the directory where all versions of your secret are placed.
     12. Click Done.
     13. Click Create or Deploy.

To make a secret accessible to your service, enter one of the following commands.

• To mount the secret as a volume when deploying a service:

  gcloud run deploy SERVICE --image IMAGE_URL  \
  --update-secrets=PATH=SECRET_NAME:VERSION

  Replace the following:

  • SERVICE: the name of your service.
  • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
  • PATH: the mount path of the volume and filename of the secret. It must start with a leading slash—for example: /etc/secrets/dbconfig/password, where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
  • SECRET_NAME: the secret name in the same project—for example, mysecret.
  • VERSION: the secret version. Use latest for latest version, or a number—for example, 2.

• To expose the secret as an environment variable when deploying a service:

  gcloud run deploy SERVICE \
  --image IMAGE_URL \
  --update-secrets=ENV_VAR_NAME=SECRET_NAME:VERSION

  Replace the following:

  • SERVICE: the name of your service.
  • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG .
  • ENV_VAR_NAME: the name of the environment variable you want to use with the secret.
  • SECRET_NAME: the secret name in the same project—for example, mysecret.
  • VERSION: the secret version. Use latest for latest version, or a number—for example, 2.

• You can update multiple secrets at the same time. To do this, separate the configuration options for each secret with a comma. The following command updates one secret mounted as a volume and another secret exposed as an environment variable.

  To update existing secrets, enter the following command:

  gcloud run deploy SERVICE --image IMAGE_URL \
  --update-secrets=PATH=SECRET_NAME:VERSION,ENV_VAR_NAME=SECRET_NAME:VERSION

• To clear existing secrets and make a new secret accessible to the service, use the --set-secrets flag:

  gcloud run services update SERVICE \
  --set-secrets="ENV_VAR_NAME=SECRET_NAME:VERSION"

1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:

   gcloud run services describe SERVICE --format export > service.yaml

2. For secrets exposed as environment variables, under env, update the ENV_VAR, VERSION, and/or SECRET_NAME as desired. If you have multiple secrets mounted as environment variables, you will have multiples of these attributes.

   apiVersion: serving.knative.dev/v1
   kind: Service
   metadata:
     name: SERVICE
   spec:
     template:
       metadata:
         name: REVISION
       spec:
         containers:
         - image: IMAGE_URL
           env:
           - name: ENV_VAR
             valueFrom:
               secretKeyRef:
                 key: VERSION
                 name: SECRET_NAME

3. For secrets mounted as file paths, update the MOUNT_PATH, VOLUME_NAME, VERSION, FILENAME, and/or SECRET_NAME as desired. If you have multiple secrets mounted as file paths, you will have multiples of these attributes.

   apiVersion: serving.knative.dev/v1
   kind: Service
   metadata:
     name: SERVICE
   spec:
     template:
       metadata:
         name: REVISION
       spec:
         containers:
         - image: IMAGE_URL
           volumeMounts:
           - mountPath: MOUNT_PATH
             name: VOLUME_NAME
         volumes:
         - name: VOLUME_NAME
           secret:
             items:
             - key: VERSION
               path: FILENAME
             secretName: SECRET_NAME

   Note that VOLUME_NAME can be set to any name.

   Replace the following:

   • SERVICE: the name of your Cloud Run service.
   • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG .
   • REVISION with a new revision name or delete it (if present). If you supply a new revision name, it must meet the following criteria:
     • Starts with SERVICE-
     • Contains only lowercase letters, numbers and -
     • Does not end with a -
     • Does not exceed 63 characters

4. Replace the service with its new configuration using the following command:

   gcloud run services replace service.yaml

1. Create a secret and a secret version.

2. Create a service account and grant it access to the secret:

3. Secret Manager secrets can be accessed from Cloud Run as mounted file paths or as environment variables.

   1. For secrets mounted as file paths, reference the Secret Manager resource in the volumes parameter. The name corresponds with an entry in the volume_mounts parameter:

   2. For secrets exposed as environment variables, reference the Secret Manager resource in the env parameter:

To reference a secret from another project, verify that your project's service account has access to the secret.

1. In the Google Cloud console, go to Cloud Run:

   Go to Cloud Run

2. Select Services from the menu, and click Deploy container to configure a new service. Fill out the initial service settings page, then click Container(s), Volumes, Networking, Security to expand the service configuration page.

3. If you are configuring an existing service, click the service, and click Edit and deploy new revision.

4. Follow the steps to mount the secret as a volume, or expose the secret as an environment variable.

   • To expose the secret as an environment variable:

     1. Click the Container(s) tab.
     2. In the Variables and Secrets tab, click Reference a secret.
     3. In the Name 1 field, enter the name of the environment variable.
     4. From the Secret list, click Enter secret manually.

     5. Enter the secret's resource ID in the following format:

        projects/PROJECT_NUMBER/secrets/SECRET_NAME
        

        Replace the following:

        • PROJECT_NUMBER with your Google Cloud project number. For detailed instructions on how to find your project number, see Creating and managing projects.

        • SECRET_NAME: The name of the secret in Secret Manager.

     6. From the Version 1 list, select the version of the secret to reference.

     7. Click Done.

     8. Click Create or Deploy.

   • To mount secret as a volume:

     1. Click the Volumes tab and select Add volume.
     2. In the Volume type list, select Secret.
     3. In the Volume name field, enter a name or accept the default name.
     4. From the Secret list, click Enter secret manually.

     5. Enter the secret's resource ID in the following format:

        projects/PROJECT_NUMBER/secrets/SECRET_NAME
        

        Replace the following:

        • PROJECT_NUMBER with your Google Cloud project number. For detailed instructions on how to find your project number, see Creating and managing projects.

        • SECRET_NAME: The name of the secret in Secret Manager.

     6. In the Path 1 field, enter the name of the file to mount.

     7. In the Version 1 list, select the version of the secret to reference. By default, the latest version is selected. You can select a specific version if you want.

     8. Click Done.

     9. Navigate to the Container(s) tab to mount your secret to the container.

     10. In the Volume mounts tab, and click Mount volume.

     11. From the Name 1 list, select your volume name.

     12. In the Mount path 1 field, enter the mount path for this secret. This is the directory where all versions of your secret are placed.

     13. Click Done.

     14. Click Create or Deploy.

• To mount a secret as a volume when deploying a service:

  gcloud run deploy SERVICE --image IMAGE_URL  \
  --update-secrets=PATH=projects/PROJECT_NUMBER/secrets/SECRET_NAME:VERSION

  Replace the following:

  • SERVICE: the name of your service.
  • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG .
  • PATH: the mount path of the volume and filename of the secret. It must start with a leading slash—for example: /etc/secrets/dbconfig/password, where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
  • PROJECT_NUMBER with the project number for the project the secret was created in.
  • SECRET_NAME: the secret name—for example, mysecret.
  • VERSION with the secret version. Use latest for latest version, or a number—for example, 2.

1. If you are creating a new service, skip this step. If you are updating an existing service, download its YAML configuration:

   gcloud run services describe SERVICE --format export > service.yaml

Due to constraints around API compatibility, the secret locations must be stored in an annotation.

1. For secrets exposed as environment variables:

   apiVersion: serving.knative.dev/v1
   kind: Service
   metadata:
     name: SERVICE
   spec:
     template:
       metadata:
         annotations:
           run.googleapis.com/secrets: SECRET_LOOKUP_NAME:projects/PROJECT_NUMBER/secrets/SECRET_NAME
       spec:
         containers:
         - image: IMAGE_URL
           env:
           - name: ENV_VAR
             valueFrom:
               secretKeyRef:
                 key: VERSION
                 name: SECRET_LOOKUP_NAME

   Replace the following:

   • SERVICE: the name of your service.
   • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
   • ENV_VAR
   • PROJECT_NUMBER: the project number for the project the secret was created in.
   • SECRET_NAME: the secret name—for example, mysecret.
   • VERSION: the secret version. Use latest for latest version, or a number—for example, 2.
   • SECRET_LOOKUP_NAME: any name that has a valid secret name syntax—for example, my-secret, it can be the same as SECRET_NAME.

2. For secrets mounted as file paths:

   apiVersion: serving.knative.dev/v1
   kind: Service
   metadata:
     name: SERVICE
   spec:
     template:
       metadata:
         annotations:
           run.googleapis.com/secrets: SECRET_LOOKUP_NAME:projects/PROJECT_NUMBER/secrets/SECRET_NAME
       spec:
         containers:
         - image: IMAGE_URL
           volumeMounts:
           - mountPath: MOUNT_PATH
             name: VOLUME_NAME
         volumes:
         - name: VOLUME_NAME
           secret:
             items:
             - key: VERSION
               path: FILENAME
             secretName: SECRET_LOOKUP_NAME

   Replace the following:

   • SERVICE: the name of your service.
   • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG .
   • PATH: the mount path of the volume and filename of the secret. It must start with a leading slash—for example: /etc/secrets/dbconfig/password, where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
   • PROJECT_NUMBER: the project number for the project the secret was created in.
   • SECRET_NAME: the secret name—for example, mysecret.
   • VERSION: the secret version. Use latest for latest version, or a number—for example, 2.
   • SECRET_LOOKUP_NAME: any name that has a valid secret name syntax—for example, my-secret, it can be the same as SECRET_NAME.
   • VOLUME_NAME: any name—for example, my-volume, it can be the same as SECRET_NAME.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

For secrets exposed as environment variables:

resource "google_cloud_run_v2_service" "default" {
  name     = "SERVICE_NAME"
  location = "REGION"

  template {
    containers {
      image = "IMAGE_URL"
      env {
        name = "SECRET_NAME"
        value_source {
          secret_key_ref {
            secret = "projects/PROJECT_ID/secrets/SECRET_NAME"
            version = "VERSION"
          }
        }
      }
    }
  }
}

Replace the following:

• SERVICE_NAME: the name of your Cloud Run job.
• REGION: the Google Cloud region. For example, europe-west1.
• IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG .
• SECRET_NAME: the secret name—for example mysecret.
• PROJECT_ID: the project ID the secret was created in.
• VERSION: the secret version. Use latest for latest version, or a number—for example, 2.

For secrets mounted as file paths:

resource "google_cloud_run_v2_service" "default" {
  name     = "SERVICE_NAME"
  location = "REGION"

  template {
    containers {
      image = "IMAGE_URL"

      volume_mounts {
        name       = "VOLUME_NAME"
        mount_path = "MOUNT_PATH"
      }
    }

    volumes {
      name = "VOLUME_NAME"
      secret {
        secret = "projects/PROJECT_ID/secrets/SECRET_NAME"
      }
    }
  }
}

Replace the following:

• SERVICE_NAME: the name of your Cloud Run job.
• REGION with the Google Cloud region. For example, europe-west1.
• IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG
• VOLUME_NAME: any name—for example, my-volume, it can be the same as SECRET_NAME
• MOUNT_PATH: the mount path of the volume and filename of the secret. It must start with a leading slash—for example: /etc/secrets/dbconfig/password, where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
• PROJECT_ID: the project ID the secret was created in.
• SECRET_NAME: the secret name—for example mysecret.

To view the current secrets settings for your Cloud Run service:

1. In the Google Cloud console, go to Cloud Run:

   Go to Cloud Run

2. Click the service you are interested in to open the Service details page.

3. Click the Revisions tab.

4. In the details panel at the right, the secrets setting is listed under the Container tab.

1. Use the following command:

   gcloud run services describe SERVICE

2. Locate the secrets setting in the returned configuration.

You can remove secrets from a service using either the Google Cloud console or the gcloud CLI:

1. In the Google Cloud console, go to Cloud Run:

   Go to Cloud Run

2. Select your service from the list, and click Edit and deploy new revision.

3. Click the Container(s) tab.

4. To delete secrets mounted as a volume, select the Volume mounts tab, and hold the pointer over the secret you want to remove, then click delete Delete.

5. To delete secrets exposed as an environment variable, select the Variables and secrets tab, and hold the pointer over the secret you want to remove, then click delete Delete.

6. Click Deploy.

You can remove all secrets from a service or specify one or more secrets to remove:

• To remove all secrets, run the following command:

  gcloud run deploy SERVICE --image IMAGE_URL \
  --clear-secrets
  

  Replace the following:

  • SERVICE: the name of your service.
  • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG .

• To specify a list of secrets to remove, use the --remove-secrets flag. The following command removes one secret mounted as a volume and another secret exposed as an environment variable:

  gcloud run deploy SERVICE --image IMAGE_URL \
  --remove-secrets=ENV_VAR_NAME,SECRET_FILE_PATH
  

  Replace the following:

  • SERVICE: the name of your service.
  • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG .
  • ENV_VAR_NAME: the name of the environment variable.

  • SECRET_FILE_PATH: the full path of the secret. For example, /mnt/secrets/primary/latest, where /mnt/secrets/primary/ is the mount path and latest is the secret path. You can also specify the mount and secret paths separately:

        --set-secrets MOUNT_PATH:SECRET_PATH=SECRET:VERSION
    

For examples on accessing secrets in your code as environment variables, refer to the tutorial on end user authentication, particularly the section Handling sensitive configuration with Secret Manager.

Cloud Run does not allow you to mount secrets at /dev, /proc and /sys, or on their subdirectories.

If you are mounting secrets on /tmp and you are using first generation execution environment, refer to the known issue on mounting secrets on /tmp.

Cloud Run does not allow you to mount multiple secrets at the same path because two volume mounts cannot be mounted at the same location.

If the secret is mounted as a volume in Cloud Run, and the last directory in the volume mount path already exists, then any files or folders in the existing directory become inaccessible.

For example, if a secret called my-secret is mounted to path /etc/app_data, all the contents inside the app_data directory will be overwritten, and the only visible file is /etc/app_data/my-secret.

To avoid overwriting files in an existing directory, create a new directory for mounting the secret, for example, /etc/app_data/secrets, so that the mount path for the secret is /etc/app_data/secrets/my-secret.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4