Google Cloud Secret Coming Out As "(MISSING)"

I've got a cloud function that needs to install dependencies from a private pypi.

  • I've set up a secret called pypi_password for the project and given it the correct value.
  • I've set up a service account to do deployment and given that service account roles/secretmanager.secretAccessor.
  • I've added --update-secrets PYPI_PASSWORD=pypi_password:latest to my deploy command so the function should have access to the secret.
  • I've added --extra-index-url=https://account:${PYPI_PASSWORD}@pypi.my-company.com/pypi to my function's requirements.txt.

When I deploy, I briefly see

before the during-deployment pip install fails because my credentials aren't right.

To investigate, I've gone and added an extra ${PYPI_PASSWORD} in my requirements.txt to a portion that's not starred-out in deploy's printed outputs, like: --extra-index-url=https://${PYPI_PASSWORD}account:${PYPI_PASSWORD}@pypi.my-company.com/pypi.

What I see is that the value of ${PYPI_PASSWORD} is coming out as %7BPYPI_PASSWORD%!D(MISSING), which makes it seem like the environment variable doesn't exist.

But shouldn't the secret be accessible as an environment variable this way? This makes no sense to me, and I can't find a solution in the documentation.

Manageable answered 16/3, 2022 at 20:29 Comment(1)
According to this Google Cloud blog post, it's supposed to be as easy as what I've done. The value should be accessible as an env var all the same. – Manageable

I've discovered that I need to make a distinction between run time variables and build time variables.

Basically, by trying to access a Secret in a requirements.txt, I'm trying to use it before it's fully defined and available. The only variables accessible when the dependencies are being installed are build variables.

If I put my password in one of those, it works, so this means Secrets are only available at run time, which makes them kind of useless for this. (ahem, Google)

I'm not so happy about still having the password in plain text for anyone who can view the function, but at least this gets it out of the source code.

Manageable answered 16/3, 2022 at 22:31 Comment(0)
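
The build-time versus run-time distinction from the answer above, as an added example that is not part of the original post: it mirrors pip's rule that a ${VAR} placeholder in requirements.txt is substituted only when the variable is set in the environment of the process doing the install, and it lists the placeholders a build would leave literal. The function names, the internal-lib package and the password value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# pip's placeholder syntax in requirements files: ${UPPER_CASE_NAME}
ENV_VAR_RE = re.compile(r"\$\{([A-Z0-9_]+)\}")

# Constructed sample: the index line from the question plus a hypothetical package.
SAMPLE_REQUIREMENTS = (
    "--extra-index-url=https://account:${PYPI_PASSWORD}@pypi.my-company.com/pypi\n"
    "internal-lib==1.0\n"
)


def expand_like_pip(line, env):
    """Substitute ${VAR} from env; unset or empty variables stay literal, as pip does."""
    return ENV_VAR_RE.sub(lambda m: env.get(m.group(1)) or m.group(0), line)


def redact_url_credentials(line):
    """Mask the password of any user:password@host URL so the line can be logged."""
    def _mask(match):
        parts = urlsplit(match.group(0))
        if parts.password is None:
            return match.group(0)
        host = parts.hostname + (f":{parts.port}" if parts.port else "")
        return urlunsplit(parts._replace(netloc=f"{parts.username}:****@{host}"))
    return re.sub(r"https?://\S+", _mask, line)


def unresolved_at_build(requirements_text, build_env):
    """List (line_number, variable) for every ${VAR} the build environment lacks."""
    return [
        (number, name)
        for number, line in enumerate(requirements_text.splitlines(), start=1)
        for name in ENV_VAR_RE.findall(line)
        if not build_env.get(name)
    ]


if __name__ == "__main__":
    runtime_only = {}                                  # secret exists at run time only
    build_time = {"PYPI_PASSWORD": "constructed-pw"}   # constructed value
    print(unresolved_at_build(SAMPLE_REQUIREMENTS, runtime_only))
    for line in SAMPLE_REQUIREMENTS.splitlines():
        print(redact_url_credentials(expand_like_pip(line, build_time)))
```

Running unresolved_at_build against the set of variables that actually exist during the build, before deploying, reports the placeholder that would otherwise reach the index URL unexpanded.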