[Secret Manager] Secret Manager Integration

[anovis]

A built in integration with Secret Manager to inject secrets into cloudfunctions. Currently the options are to supply env variable, or to write the secret manager logic yourself.

example config.json

"secrets": {
  "GH_TOKEN": projects/{project_id}/secrets/GH_TOKEN/versions/2",
  "OTHER_TOKEN"
}

with default being projects/{project_id}/secrets/{secret_name}/versions/latest

then in your code you would use config.secrets to access

from goblet.config import Config

config = Config()
@app.route("/reveal")
def reveal_secret():
    return config.secrets.GH_TOKEN

[anovis]

looks like gcp support secret manager integration in preview

https://cloud.google.com/blog/products/serverless/cloud-functions-integrates-with-google-secret-manager

should have a beta flag where we can enable some of these features.

[anovis]

looks like it is only supported for gcloud cli and the console for now. will continue to monitor for the v1beta api to include this feature

[aebrahim]

FYI googleapis/python-functions#130

[anovis]

interesting. goblet actually calls the rest api directly via https://cloud.google.com/functions/docs/reference/rest, so i am wondering if there is another library that handles the secret volumes .

their docs only show console and gcloud https://cloud.google.com/functions/docs/configuring/secrets#making_a_secret_accessible_to_a_function

[amirbtb]

Secrets in Cloud Functions are finally in GA 🥳
GCP Release Notes
But it looks like their docs is still only showing console and gcloud..

[anovis]

Interestingly, goblet supports secrets already with the cloudrun backend since we actually use a gcloud command behind the scenes to build and deploy the container.

will continue to look into secret support for the cloudfunction backend

[anovis]

looks like secrets are added to v1 endpoints now https://cloud.google.com/functions/docs/reference/rest/v1/projects.locations.functions