Hi, I'm currently deploying a application using cloud run on gcp using go, this application requires secrets. I'm wondering if it's possible to mount secrets from Google Secret Manager (like described here) using pulumi.

not sure if you can directly reuse your existing secrets, maybe have a look at https://www.pulumi.com/docs/cli/commands/pulumi_stack_change-secrets-provider/ for inspiration

my goal was to try to avoid using the secrets directly with environment variables, if possible. looking at the documentation for cloudrun there is ServiceTemplateSpecVolumeArgs which contains secrets, but i can't find any examples of usage for this.

by env variables you mean

Pulumi.<stack>.yaml

variables + secrets, or shell env vars? I store all my secrets with

pulumi config set --secret dbPassword S3cr37

https://www.pulumi.com/docs/concepts/secrets/

secret inside the env variables to the cloud run service. like:

Envs: cloudrun.ServiceTemplateSpecContainerEnvArray{
	&cloudrun.ServiceTemplateSpecContainerEnvArgs{
	Name:  pulumi.String("foo"),
	Value: pulumi.String("bar"),
},

so why wouldn't this work?

Envs: cloudrun.ServiceTemplateSpecContainerEnvArray{
	&cloudrun.ServiceTemplateSpecContainerEnvArgs{
	Name: config.requireSecret("foo"), 
	Value: config.requireSecret("bar"), 
},

in conjunction with the first link Though you might need:

pulumi.interpolate`${config.requireSecret("foo")}

So i figured it out, seems like cloudrunv2 has support for secret references, so it will be:

&cloudrunv2.ServiceTemplateContainerEnvArgs{
	Name: pulumi.String("foo"),
	ValueSource: &cloudrunv2.ServiceTemplateContainerEnvValueSourceArgs{
		SecretKeyRef: &cloudrunv2.ServiceTemplateContainerEnvValueSourceSecretKeyRefArgs{
			Secret:  pulumi.String("my_super_secret"),
			Version: pulumi.String("latest"),
		},
	},
},