I created a backend in Go, which uses Secret Manager, and deployed it to Cloud Run. The problem is the Secret Manager API needs a Service Account credential JSON file to point to, and that works on my local machine because I just specify the file path in a GOOGLE_APPLICATION_CREDENTIALS environment variable, but I don't have the same convenience in a Cloud Run environment. How will my backend on Cloud Run specify its GOOGLE_APPLICATION_CREDENTIALS environment variable, so to speak?

- What do you want to achieve? Why do you need this environment variable? How do you use it? – guillaume blaquiere Apr 20 '20 at 12:27
- For Cloud Run, manage permissions via the service account assigned to Cloud Run. https://cloud.google.com/run/docs/configuring/service-accounts – John Hanley Apr 20 '20 at 16:43
2 Answers
According to the official documentation, Setting Up Authentication for Server to Server Production Applications:

> If the environment variable isn't set, ADC uses the default service account that Compute Engine, Google Kubernetes Engine, Cloud Run, App Engine, and Cloud Functions provide, for applications that run on those services.

Therefore, to access Secret Manager from Cloud Run, Application Default Credentials (ADC) will use the default service account of Cloud Run.

EDIT

By default Cloud Run uses the Compute Engine service account PROJECT_NUMBER-compute@developer.gserviceaccount.com, which has the Editor role. You have 2 choices: either use the default service account, or deploy Cloud Run with a non-default service account that you created with the Secret Manager Admin role.

- That was it. Just had to go to `EDIT & DEPLOY NEW REVISION` and select owner as the service account. – sdfsdf Apr 21 '20 at 10:27
In addition to @marian.vladoi's great answer, in a nutshell, to access a GCP API (in your case the Secret Manager API), you need to do two things:

1. Deploy your Cloud Run application with a specific Service Account using the `--service-account` option (or UI equivalent).
2. Give this Service Account permissions to do something (in this case, to access a secret).

Inside a Cloud Run container (or a GKE app, Cloud Run app, Cloud Functions app etc.) you don't need to specify a key with GOOGLE_APPLICATION_CREDENTIALS. The necessary credentials are automatically obtained while you're running on Google Cloud in any GCP client library.

- I added the "Secret Manager Admin" role to my "@cloudbuild.gserviceaccount.com" service account and deployed a new container. Still getting a `Permission 'secretmanager.versions.access' denied for resource 'projects/my-project/secrets/API_KEY/versions/latest' (or it may not exist).` error. – sdfsdf Apr 20 '20 at 21:45
- `@cloudbuild.gserviceaccount.com` sounds wrong. I'm not sure why you chose that account. That's not an account you own. Do a Google Search: `create service account google cloud` and please create a proper new svc account. – ahmet alp balkan Apr 23 '20 at 04:39