# getting-started

victorious-actor-74328

09/22/2023, 9:48 AM
Hi, I'm currently deploying an application using Cloud Run on GCP using Go; this application requires secrets. I'm wondering if it's possible to mount secrets from Google Secret Manager (like described here) using Pulumi.

straight-cartoon-24485

09/22/2023, 10:51 AM
not sure if you can directly reuse your existing secrets, maybe have a look at https://www.pulumi.com/docs/cli/commands/pulumi_stack_change-secrets-provider/ for inspiration

victorious-actor-74328

09/22/2023, 10:57 AM
my goal was to try to avoid using the secrets directly with environment variables, if possible. Looking at the documentation for cloudrun, there is ServiceTemplateSpecVolumeArgs, which contains secrets, but I can't find any examples of usage for this.

straight-cartoon-24485

09/22/2023, 11:24 AM
by env variables you mean `Pulumi.<stack>.yaml` variables + secrets, or shell env vars? I store all my secrets with `pulumi config set --secret dbPassword S3cr37`
https://www.pulumi.com/docs/concepts/secrets/

victorious-actor-74328

09/22/2023, 11:27 AM
secret inside the env variables to the cloud run service. like:
```go
Envs: cloudrun.ServiceTemplateSpecContainerEnvArray{
	&cloudrun.ServiceTemplateSpecContainerEnvArgs{
		Name:  pulumi.String("foo"),
		Value: pulumi.String("bar"),
	},
},
```

straight-cartoon-24485

09/22/2023, 11:30 AM
so why wouldn't this work?
```
Envs: cloudrun.ServiceTemplateSpecContainerEnvArray{
	&cloudrun.ServiceTemplateSpecContainerEnvArgs{
		Name:  config.requireSecret("foo"),
		Value: config.requireSecret("bar"),
	},
},
```
in conjunction with the first link. Though you might need:
```
pulumi.interpolate`${config.requireSecret("foo")}`
```

victorious-actor-74328

09/22/2023, 12:34 PM
So I figured it out, seems like cloudrunv2 has support for secret references, so it will be:
```go
&cloudrunv2.ServiceTemplateContainerEnvArgs{
	Name: pulumi.String("foo"),
	ValueSource: &cloudrunv2.ServiceTemplateContainerEnvValueSourceArgs{
		SecretKeyRef: &cloudrunv2.ServiceTemplateContainerEnvValueSourceSecretKeyRefArgs{
			Secret:  pulumi.String("my_super_secret"),
			Version: pulumi.String("latest"),
		},
	},
},
```