MarkEdmondson1234 / googleCloudRunner

Easy R scripts on Google Cloud Platform via Cloud Run, Cloud Build and Cloud Scheduler
https://code.markedmondson.me/googleCloudRunner/

Using Secret Manager with Cloud Run at runtime not buildtime #84

Open MarkEdmondson1234 opened 4 years ago

MarkEdmondson1234 commented 4 years ago

Something based on this? https://medium.com/google-cloud/secret-manager-improve-cloud-run-security-without-changing-the-code-634f60c541e6

Ideally don't want any secrets embedded at build time, only runtime.

marton-balazs-kovacs commented 4 years ago

Hi,

I am trying to do something similar by building and deploying a Dockerfile that runs a plumber API, from which I would like to push to a public git repository. I stored my SSH key as a secret but I am not quite sure how to get it into my API. Do you have any recommendations? Thanks for your help!

MarkEdmondson1234 commented 4 years ago

I'm not 100% sure what you are trying to do, but you could download auth keys from Google Cloud Storage using googleCloudStorageR when the plumber instance starts, and Cloud Run would be authorised with the Cloud Run service email you grant bucket access to. That is similar to how it would work with Secret Manager, but no R wrapper function exists yet aside from one you make yourself with googleAuthR, and I guess you would want that.

I would prefer the secrets not being in the Docker at build time, but only at run time for security. It may be via the link above that you can do this via gcloud and changing the Dockerfile a bit.

marton-balazs-kovacs commented 4 years ago

Thank you for the response.

I basically want to combine cr_buildstep_gitsetup, cr_buildstep_docker and cr_buildstep_run to deploy a plumber API that pushes to a GitHub repo upon requests. I tried to combine them based on the detailed vignettes but I got lost. Sorry if I am misunderstanding something obvious.

MarkEdmondson1234 commented 4 years ago

There is a demo of this in the recent update for parallel Cloud Run with authenticated calls; the code is in inst/docker/parallel_cloudrun/build.R:

```r
library(googleCloudRunner)

bs <- c(
  # Build time: decrypt the Secret Manager secret into a file inside the build
  # context, so it ends up inside the image (see the caveat below)
  cr_buildstep_secret("mark-edmondson-gde-auth",
      decrypted = "inst/docker/parallel_cloudrun/plumber/auth.json"),
  # Build the plumber Docker image, with kaniko layer caching
  cr_buildstep_docker("cloudrun_parallel",
                      dir = "inst/docker/parallel_cloudrun/plumber",
                      kaniko_cache = TRUE),
  # Deploy the image to Cloud Run; private service, so callers must authenticate
  cr_buildstep_run("parallel-cloudrun",
                   image = "gcr.io/$PROJECT_ID/cloudrun_parallel:$BUILD_ID",
                   allowUnauthenticated = FALSE,
                   env_vars = "BQ_AUTH_FILE=auth.json,BQ_DEFAULT_PROJECT_ID=$PROJECT_ID")
)

# Write the build steps out as a cloudbuild.yml
by <- cr_build_yaml(bs)
cr_build_write(by, file = "inst/docker/parallel_cloudrun/cloudbuild.yml")

# Trigger the build from the GitHub repo whenever the plumber files change
repo <- cr_buildtrigger_repo("MarkEdmondson1234/googleCloudRunner")
cr_buildtrigger("inst/docker/parallel_cloudrun/cloudbuild.yml",
                "parallel-cloudrun",
                trigger = repo,
                includedFiles = "inst/docker/parallel_cloudrun/**")

# get the Cloud Run URL
cr <- cr_run_get("parallel-cloudrun")
```

This still includes the auth file within the Cloud Run Docker container, which is what the original issue is trying to avoid, but it works.
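The runtime alternative mentioned earlier in the thread (a wrapper you write yourself with googleAuthR) would look roughly like the following. This is an added example, not code from googleCloudRunner or from the thread: it reads a secret from Secret Manager when the plumber container starts, so nothing is baked into the image by cr_buildstep_secret. The function name gcr_get_secret and the GCP_PROJECT environment variable are assumptions; the REST endpoint and the googleAuthR calls (gar_gce_auth, gar_api_generator) are real.

```r
# Added example: fetch a Secret Manager secret at runtime on Cloud Run.
# Assumes the Cloud Run service account has roles/secretmanager.secretAccessor
# on the secret and that the Secret Manager API is enabled in the project.
library(googleAuthR)

gcr_get_secret <- function(secret_id,
                           project_id = Sys.getenv("GCP_PROJECT"),  # assumed env var
                           version = "latest") {
  # On Cloud Run the attached service account is available from the metadata
  # server, so no key file needs to ship with the image.
  gar_gce_auth()

  # Secret Manager REST endpoint: projects/*/secrets/*/versions/*:access
  url <- sprintf(
    "https://secretmanager.googleapis.com/v1/projects/%s/secrets/%s/versions/%s:access",
    project_id, secret_id, version)

  f <- gar_api_generator(url, "GET",
                         data_parse_function = function(x) x$payload$data)
  b64 <- f()

  # The payload is base64-encoded bytes; decode to a character string
  rawToChar(jsonlite::base64_dec(b64))
}

# Write a secret to a file only readable by the container's own user, e.g. for
# a key that a client library insists on reading from disk (hypothetical usage)
gcr_secret_to_file <- function(secret_id, path) {
  writeLines(gcr_get_secret(secret_id), path)
  Sys.chmod(path, mode = "0600")
  invisible(path)
}

# Example usage at the top of plumber.R (secret name is a placeholder):
# auth_file <- gcr_secret_to_file("my-bq-auth", file.path(tempdir(), "auth.json"))
# Sys.setenv(BQ_AUTH_FILE = auth_file)
```

The secret then exists only in the running instance's memory and its ephemeral filesystem, never in the image layers or the build logs, and rotating it is a matter of adding a new secret version rather than rebuilding the container. Locally you can test the same function after gar_auth_service() with a service-account key that has the secretAccessor role, since gar_gce_auth() only works inside GCE/Cloud Run.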

MarkEdmondson1234 commented 4 years ago

@marton-balazs-kovacs the above is included in this new use case https://code.markedmondson.me/googleCloudRunner/articles/usecases.html#run-private-r-micro-services-on-cloud-run-1

marton-balazs-kovacs commented 4 years ago

That is amazing! Thank you. I will give it a try!