How do I access mounted secrets when using Google Cloud Run?
I have two questions:

  1. Why can't I mount two cloud secrets in the same directory?

    I have attempted to mount two secrets, FIREBASE_AUTH_SERVICE_ACCOUNT and PURCHASE_VALIDATION_SERVICE_ACCOUNT, in the directory:

    flask_app/src/services/firebase/service_accounts/

    However, I get this error when attempting to do this: spec.template.spec.containers[0].volume_mounts[1].mount_path, Duplicate volume mount paths are forbidden. Why is this?

  2. How do I access a mounted secret using python?

    I'm really not sure how to do this, as I couldn't find any documentation on how to actually access the secret itself. This is the only thing I found. I am using Python, just for context. Would the secret be mounted as a .txt, and is that mount path the folder that it is stored in, or does it also specify the file name?

Sherrer answered 26/7, 2021 at 16:2 Comment(2)
Please share the code or commands you're running. - Skim
Just FYI, per their documentation on mounting secrets: "Cloud Run does not allow you to mount multiple secrets at the same path because two volume mounts cannot be mounted at the same location." - Premiere

With Cloud Run and Secret Manager you can load a secret in 2 ways:

  • Load a secret into an environment variable: use --set-secrets=ENV_VAR_NAME=secretName:version
  • Load a secret into a file: use --set-secrets=/path/to/file=secretName:version

Therefore, you can read a secret as you would read

  • An environment variable (something like os.getenv())
  • A file (something like fs.open('/path/to/file','r'))

So, your first question about the directory is not clear. If you mount 2 secrets in 2 files in the same directory, no problem!

If it doesn't solve your question, please, clarify.

Violoncellist answered 26/7, 2021 at 20:36 Comment(13)
Thanks! So referring to my second question: when deploying a new revision, I specify a "mount path", which is flask_app/src/services/firebase/service_accounts/; however, I cannot add two secrets with the same mount path, as this throws that error. - Sherrer
I tested with 2 secrets, in 2 different files, in the same directory, and it worked well. You need to define an absolute file name, starting with /, per secret. Add more detail on how you deploy if it still does not work. - Violoncellist
Thanks for taking the time to do that. I am using the GUI to deploy. This is the information I pass in: i.imgur.com/anFXHa8.png. The mount directory is the same for both secrets, but the path to the file is different, so I don't understand why it gives this error: i.imgur.com/GUOfpwY.png - Sherrer
Add a file name at the end of the path. Otherwise, how will you read this secret in your code if both have the same absolute path name? - Violoncellist
Unfortunately I have a similar scenario: if I use one secret, it works. As soon as I add a second secret, it does not work anymore. Non-functioning example: --update-secrets=/run/secrets/app1-credentials=serviceaccount-app1:latest,/run/secrets/app2-credentials=serviceaccount-app2:latest - Minutely
Yes it is. It seems that Cloud Run does not allow two secrets mapped into the same folder structure. :( Probably a bug? It also seems a bit weird when I try to configure the secrets via the Google Cloud GUI... - Minutely
I tested with the CLI and it worked, not with the GUI. - Violoncellist
What am I doing wrong?

    gcloud beta run deploy awesome-app \
        --image=eu.gcr.io/awesome-project/awesome-app:1.0.0 \
        --platform=managed --region=europe-west1 --allow-unauthenticated \
        --service-account=cloudrun-secret-access@awesome-project.iam.gserviceaccount.com \
        --vpc-connector=vpc-default-network \
        --update-secrets=/run/secrets/app1-credentials=app1-credentials:latest,/run/secrets/app2-credentials=app2-credentials:latest

- Minutely
I found a way that works. It seems that Cloud Run somehow does not allow creating more than one secret file in exactly the same target folder, so I got it working this way:

    gcloud beta run deploy awesome-app \
        --image=eu.gcr.io/awesome-project/awesome-app:1.0.0 \
        --platform=managed --region=europe-west1 --allow-unauthenticated \
        --service-account=cloudrun-secret-access@awesome-project.iam.gserviceaccount.com \
        --vpc-connector=vpc-default-network \
        --update-secrets=/run/secrets/app1-credentials/key=app1-credentials:latest,/run/secrets/app2-credentials/key=app2-credentials:latest

- Minutely
I too had issues with the same dir for 2 secrets: --set-secrets=/etc/secrets/pgp_key_password=PGP_KEY_PASSWORD:latest,/etc/secrets/pgp_key=PGP_KEY:latest. It only accepts the last of the list. The UI does not fix it. The "show command line" button in the UI showed the same CLI commands I had tried already, so no help there. Finally, I tried to perform the deployment via the UI with my two secrets and hit this error: spec.template.spec.containers[0].volumeMounts[1].mountPath Duplicate volume mount paths are forbidden. Given the examples in the CLI docs, I would say this is a bug. - Quianaquibble
The line fs.open('/path/to/file','w') will overwrite the file. I think you meant "r". - Crowl
I have my secret at /secrets/admin and I try to read from /secrets/admin, but I keep getting not found. - Buffer
My problem was my build trigger was configured to use the inline cloudformation.yaml, not the repository cloudformation.yaml. - Buffer
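The two access paths the answer describes (a secret injected as an environment variable, or written to the exact file path given in --set-secrets), written out as a runnable Python module. This is an added example and not code from the original post or from Google. It assumes the one-sub-directory-per-secret layout that the comments arrived at (/run/secrets/<name>/key); the function names, the SecretError type, the temporary directory the demo builds, and the sample service-account JSON are all constructed for this illustration and are not what Cloud Run itself produces.

```python
"""Read Cloud Run secrets from Python: env vars first, then mounted files.

Added example, not code from the original post. Assumed layout (from the
workaround in the comments above): /run/secrets/<secret-name>/key, so that
two secrets never share one mount path. Paths and names are hypothetical.
"""
import json
import os
import tempfile
from pathlib import Path


class SecretError(RuntimeError):
    """Raised when a secret is missing, mounted as a directory, or malformed."""


def read_secret_file(path):
    """Return the bytes of a secret mounted as a file.

    With --set-secrets=/path/to/file=SECRET:VERSION the path names the FILE,
    not the folder it lives in. Pointing at the directory (the confusion in
    the question above) is reported explicitly instead of as a vague error.
    """
    p = Path(path)
    if p.is_dir():
        entries = sorted(child.name for child in p.iterdir())
        raise SecretError(
            f"{p} is a directory, not a secret file; the mount path must "
            f"name the file itself (entries found: {entries})")
    if not p.is_file():
        raise SecretError(f"no secret is mounted at {p}")
    return p.read_bytes()  # bytes: never log or str() a secret by accident


def load_secret(name, mount_dir="/run/secrets", env=None):
    """Fetch secret NAME: environment variable first, else the mounted file.

    The file convention <mount_dir>/<name>/key is this example's assumption.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value is not None:
        return value.encode("utf-8")
    return read_secret_file(Path(mount_dir) / name / "key")


def load_service_account(name, **kwargs):
    """Parse a mounted service-account key and check it really is one."""
    raw = load_secret(name, **kwargs)
    try:
        info = json.loads(raw)
    except ValueError as exc:
        raise SecretError(f"secret {name!r} is not valid JSON: {exc}") from None
    if not isinstance(info, dict):
        raise SecretError(f"secret {name!r} is not a JSON object")
    missing = {"type", "client_email", "private_key"} - set(info)
    if info.get("type") != "service_account" or missing:
        raise SecretError(
            f"secret {name!r} is not a service-account key "
            f"(missing fields: {sorted(missing)})")
    return info


def demo():
    """Build a constructed mount tree in a temp dir and exercise the loaders."""
    apps = ("app1-credentials", "app2-credentials")
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for app in apps:  # constructed stand-in for what Cloud Run mounts
            key_dir = Path(root) / app
            key_dir.mkdir()
            (key_dir / "key").write_text(json.dumps({
                "type": "service_account",
                "project_id": "awesome-project",
                "client_email": f"{app}@awesome-project.iam.gserviceaccount.com",
                "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE-KEY-FOR-DEMO\n"
                               "-----END PRIVATE KEY-----\n",
            }))
        results["emails"] = [
            load_service_account(app, mount_dir=root, env={})["client_email"]
            for app in apps]
        # An env var wins over the file, mirroring --set-secrets=NAME=...
        results["env_wins"] = load_secret(
            "PGP_KEY_PASSWORD", mount_dir=root, env={"PGP_KEY_PASSWORD": "hunter2"})
        try:  # the directory, not the file: the mistake from the question
            read_secret_file(Path(root) / apps[0])
            results["dir_error"] = None
        except SecretError as exc:
            results["dir_error"] = str(exc)
        try:  # a secret that was never mounted
            load_secret("missing", mount_dir=root, env={})
            results["missing_error"] = None
        except SecretError as exc:
            results["missing_error"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

demo() builds the tree in a temporary directory because no Cloud Run instance is available offline; in a real service you would call load_service_account("app1-credentials") and let the defaults resolve to /run/secrets/app1-credentials/key. The function deliberately returns bytes and raises on a directory so that a wrong mount path fails at startup with a message naming the path, rather than surfacing later as a bare "not found".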

© 2022 - 2024 — McMap. All rights reserved.