
Consider the following gcloud command where you inject a Google Secrets Manager secret into your SERVICE Google Cloud Run service—ripped off the Use secrets Cloud Run docs page:

gcloud run services update SERVICE \
    --set-secrets="ENV_VAR_NAME=SECRET_NAME:VERSION"

Observation: Notice how you can set your ENV_VAR_NAME environment variable to the value of the SECRET_NAME:VERSION secret; but Question: Can you parse JSON keys out of a Google Secrets Manager secret?

For example, consider the mysecret secret set to {"PASSWORD":"mylastname","TOKEN":"t0k3n"} like the following shell session illustrates:

$ gcloud secrets create mysecret --data-file=- <<<'{"PASSWORD":"mylastname","TOKEN":"t0k3n"}'
Created version [1] of the secret [mysecret].

Then you parse out that PASSWORD secret key with the venerable jqlang/jq utility like so:

$ gcloud secrets versions access 1 --secret=mysecret \
    | jq --raw-output .PASSWORD
mylastname

But I think it would be cool to explicitly inject that PASSWORD secret key into my Cloud Run service, without doing any JSON parsing outside of gcloud—since then, I can support a one-to-many Secrets Manager secret to application secrets ratio.

I'm imagining something like the following:

gcloud run services update SERVICE \
    --set-secrets="ENV_VAR_NAME=SECRET_NAME:VERSION:SECRET_KEY"

For my earlier example, each of those parameters maps to the following:

  1. ENV_VAR_NAME to PASSWORD.
  2. SECRET_NAME to mysecret.
  3. VERSION to 1.
  4. ⭐️ SECRET_KEY to PASSWORD. Note: This is the area of interest for my question.

Even better would be if some default JSON parsing happened.

Can you parse JSON keys out of a Google Secrets Manager secret?

This is what I tried so far:

  1. I read the output of the gcloud run services update --help command—didn't see anything.
  2. I took a cursory look at the https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets.versions/access page—didn't see anything.
  3. I smashed the excellent BurntSushi/ripgrep utility into my ~/google-cloud-sdk directory like rg set-secrets ~/google-cloud-sdk to see if I could find any easter eggs hinting at that JSON parsing capability—again I didn't find anything.

Guess: Looks like you can't do this sort of JSON parsing thing with that --set-secrets gcloud option; but I'm hoping that I'm wrong.

mbigras

1 Answer


I found a previous post with the same concern however they were trying it on AWS. As per hoangdv, they need to set secret as data.SecretString to have it as a normal string. After that, the JSON string must be cast to a JSON object so the information will be accessible by attribute name.

// The secret value arrives as a JSON string, so keep it quoted as a string literal.
const secret = '{"username":"***","password":"***","engine":"mysql","host":"***.***.us-east-1.rds.amazonaws.com","port":3306,"dbname":"***","dbInstanceIdentifier":"***"}';

// Cast the JSON string to an object so the fields are accessible by attribute name.
const secretObj = JSON.parse(secret);

console.log(secretObj.host);

Dion V