1
votes

I created a backend in Go which uses Secret Manager, and deployed it to Cloud Run. The problem is that the Secret Manager API needs a service account credential JSON file to point to. That works on my local machine because I just specify the file path in a GOOGLE_APPLICATION_CREDENTIALS environment variable, but I don't have the same convenience in a Cloud Run environment. How will my backend on Cloud Run specify its GOOGLE_APPLICATION_CREDENTIALS environment variable, so to speak?

2
What do you want to achieve? Why do you need this environment variable? How do you use it? - guillaume blaquiere
For Cloud Run, manage permissions via the service account assigned to Cloud Run. cloud.google.com/run/docs/configuring/service-accounts - John Hanley

2 Answers

2
votes

According to the official documentation

Setting Up Authentication for Server to Server Production Applications

If the environment variable isn't set, ADC uses the default service account that Compute Engine, Google Kubernetes Engine, Cloud Run, App Engine, and Cloud Functions provide, for applications that run on those services.

Therefore to access the Secret Manager from Cloud Run, Application Default Credentials (ADC) will use the default service account of Cloud Run.

EDIT

By default Cloud Run uses the Compute Engine service account [email protected], which has the Editor role. You have two choices: either use the default service account, or deploy Cloud Run with a non-default service account that you created with the Secret Manager Admin role.

0
votes

In addition to @marian.vladoi's great answer, in a nutshell, to access a GCP API (in your case Secret Manager API), you need to do two things:

  1. Deploy your Cloud Run application with a specific Service Account using the --service-account option (or UI equivalent).

  2. Give this Service Account permissions to do something (in this case, to access a secret).

Inside a Cloud Run container (or a GKE app, Cloud Functions app, etc.) you don't need to specify a key with GOOGLE_APPLICATION_CREDENTIALS. The necessary credentials are obtained automatically by any GCP client library while you're running on Google Cloud.
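To make the mechanism behind both answers concrete, here is an added Go example (not code from either answerer, and not the Google client library itself) that reproduces what Application Default Credentials do on Cloud Run: if GOOGLE_APPLICATION_CREDENTIALS names a key file it is used, otherwise the runtime's metadata server is asked for a short-lived OAuth2 token for the attached service account. Only the standard library is used; the function names credentialSource and fetchMetadataToken are this example's own. The metadata endpoint and the required Metadata-Flavor header are the real GCP ones, while the token value in the test is constructed.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// metadataTokenURL is the endpoint the GCP metadata server exposes inside
// Cloud Run (and Compute Engine, GKE, Cloud Functions). It returns a
// short-lived OAuth2 access token for the service account attached to the
// service, which is what ADC falls back to when no key file is configured.
const metadataTokenURL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

// accessToken mirrors the JSON document the metadata server returns.
type accessToken struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// credentialSource reproduces the first two steps of the ADC lookup order:
// an explicit key file named by GOOGLE_APPLICATION_CREDENTIALS wins, otherwise
// the attached service account is used via the metadata server. The env
// lookup is injected so the function can be tested without touching the
// process environment. (Hypothetical helper for this example.)
func credentialSource(env func(string) string) string {
	if path := env("GOOGLE_APPLICATION_CREDENTIALS"); path != "" {
		return "key file: " + path
	}
	return "metadata server (attached service account)"
}

// fetchMetadataToken asks the metadata server for an access token. The
// Metadata-Flavor header is mandatory: the server rejects requests without
// it, which stops naive proxied or browser-originated requests from
// obtaining a token. No key file is ever written to disk; the token expires
// on its own. (Hypothetical helper for this example.)
func fetchMetadataToken(ctx context.Context, client *http.Client, tokenURL string) (*accessToken, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, tokenURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata-Flavor", "Google")

	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("metadata server unreachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata server returned HTTP %d", resp.StatusCode)
	}

	var tok accessToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	if tok.AccessToken == "" {
		return nil, fmt.Errorf("metadata server returned an empty access token")
	}
	return &tok, nil
}

func main() {
	fmt.Println("ADC would use:", credentialSource(os.Getenv))

	// This only succeeds inside GCP; on a laptop the hostname does not resolve.
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()
	tok, err := fetchMetadataToken(ctx, http.DefaultClient, metadataTokenURL)
	if err != nil {
		fmt.Println("no metadata server:", err)
		return
	}
	fmt.Printf("got %s token, expires in %ds\n", tok.TokenType, tok.ExpiresIn)
}
```

The practical consequence for the question: deploy with `--service-account` pointing at a dedicated account, and grant that account only the permission the backend needs (for reading a secret that is roles/secretmanager.secretAccessor, which is narrower than the Secret Manager Admin or Editor roles mentioned above). The Go Secret Manager client then finds the token exactly as the example does, with no JSON key anywhere in the container image or its environment.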