I am trying to build a gcloud script to deploy my Cloud Run service. This service has access to a hosted MongoDB, and therefore I have to provide the password credentials via an environment variable.
I'd like to pass this password via a secret manager. I do it via the GCP Console like so:
So the secret name is mongodb-password and the value mypassword. Now I follow the gcloud run documentation (https://cloud.google.com/sdk/gcloud/reference/run/deploy) to figure out how I can add the secret to the run service deployment.
In the section for setting a secret the following is explained:
Specify secrets to mount or provide as environment variables. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables. The values associated with each of these should be in the form SECRET_NAME:KEY_IN_SECRET; you may omit the key within the secret to specify a mount of all keys within the secret. For example: '--update-secrets=/my/path=mysecret,ENV=othersecret:key.json' will create a volume with secret 'mysecret' and mount that volume at '/my/path'. Because no secret key was specified, all keys in 'mysecret' will be included. An environment variable named ENV will also be created whose value is the value of 'key.json' in 'othersecret'. At most one of these may be specified
This is somewhat confusing me. I have no idea what is meant by the KEY_IN_SECRET.
The secret name is obviously mongodb-password, but I don't know how I can now refer to the value of the secret.
I tried to figure out if there is a convention on how to define the secret values. Maybe something like key=value. But nothing states I have to do it like that.
So now I wonder what I should do for the --set-secrets=[KEY=VALUE,…] flag for the gcloud run deploy command.
From the information given I can only do it like this:
--set-secrets=[mongodb-password=*]
which I know is wrong, but I want to explain what confuses me at the moment.
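
The following is an added example, not part of the original question and not gcloud's own code: a small offline shell function that splits a --set-secrets / --update-secrets value using only the rules in the help text quoted above, so you can see which part is read as the environment variable name or mount path and which part as the secret. The environment variable name MONGODB_PASSWORD and the latest suffix in the last sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not gcloud's code): explain a --set-secrets/--update-secrets
# value using only the rules in the help text quoted above. Never calls gcloud.

explain_secrets() (
  IFS=','   # entries are comma-separated; the subshell keeps IFS local
  set -f    # no globbing, so a value like '*' stays literal
  for entry in $1; do
    case $entry in
      *=*) ;;
      *) printf 'invalid: %s is not KEY=VALUE\n' "$entry"; continue ;;
    esac
    key=${entry%%=*}      # left of the first '=': mount path or env var name
    value=${entry#*=}     # right of it: SECRET_NAME[:KEY_IN_SECRET]
    secret=${value%%:*}
    case $value in
      *:*) item=${value#*:} ;;
      *)   item= ;;
    esac
    if [ -z "$key" ] || [ -z "$secret" ]; then
      printf 'invalid: %s has an empty key or secret name\n' "$entry"
      continue
    fi
    case $key in
      /*) printf 'mount: path=%s secret=%s item=%s\n' "$key" "$secret" "${item:-<all>}" ;;
      *)  printf 'env: name=%s secret=%s item=%s\n' "$key" "$secret" "${item:-<none>}" ;;
    esac
  done
)

# Constructed inputs: the help text's own example, the attempt from the
# question, and a hypothetical form (MONGODB_PASSWORD and latest are assumed).
explain_secrets '/my/path=mysecret,ENV=othersecret:key.json'
explain_secrets 'mongodb-password=*'
explain_secrets 'MONGODB_PASSWORD=mongodb-password:latest'
```

Under the quoted rule, the attempt from the question is read as an environment variable named mongodb-password whose secret is named *, because the left side of = is always the variable name or mount path and the secret name belongs on the right.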