0

GCP prices access operations to secrets at $0.03 per 10,000 (see here).

When using secrets with Google Cloud Functions, are they accessed each time a function is run? Or only when the Cloud Function is deployed?

If the former is true, then this poses a much greater cost than the costs for running the Cloud Function itself.

ax1mx2

2 Answers

2

The secrets are accessed when a Cloud Functions instance is created. One instance is created at the first call (start from 0), or when the traffic increases and more instances must be added to the cluster. After being unused for a while, the instances are offloaded (usually after 10 minutes).

When the instances are started, they are able to serve traffic (see function runtime). As long as they are used, there is no new secret access.

guillaume blaquiere
  • Wouldn't it depend on if the function is set up to access the secret as an attached volume or an environment variable, as described here: https://cloud.google.com/functions/docs/configuring/secrets ? It seems to me that when you create a function through firebase with `.runWith({ secrets: ['YOUR_SECRET'] })` it's exposed through an env var. And then would I be correct in thinking that it's only accessed when the function is built? – Jamie Curnow Jul 06 '23 at 15:56
  • Not built, but run. The secret is read at runtime, not at build time. – guillaume blaquiere Jul 06 '23 at 16:00
  • The firestore docs here: https://firebase.google.com/docs/functions/config-env?gen=1st#managing_secrets_2 state: "Whenever you set a new value for a secret, you must redeploy all functions that reference that secret for them to pick up the latest value." That suggests to me that the secret is only accessed on build? Otherwise this step would not be required? – Jamie Curnow Jul 06 '23 at 16:03
  • I got the point, but I think it's unclear. In fact, the secret is loaded as an env var. Because of that, the secret is loaded when the instance starts. As long as the instance runs, it won't read the secret again. If you update the secret, you need to redeploy your function to force all the active instances to restart, and therefore to reload the secret value. You can find a clue in my article: https://medium.com/google-cloud/cloud-run-hot-reload-your-secret-manager-secrets-ff2c502df666 – guillaume blaquiere Jul 06 '23 at 19:22
0

According to this documentation, you can access secrets as files attached as volumes or as env vars populated during deployment. Seems to me that the former is the costlier option since every file read is a request to the secrets manager.

OzzieFZI
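An added example (not part of either answer, and not Google's implementation or measured billing): a JavaScript model of the two access patterns discussed above, reading the secret once per instance start versus on every invocation, with an optional TTL so a rotated secret is picked up without a redeploy. All function names are hypothetical, `fetchSecret` stands in for the billable read, and the 10-minute idle timeout and the $0.03 per 10,000 price are the figures quoted on this page.

```javascript
// Instance-scoped secret cache plus a small traffic simulation.
// fetchSecret is a stand-in for the billable read (a Secret Manager access
// call, or a read of a volume-mounted secret as the second answer describes).
function makeSecretCache(fetchSecret, ttlMs = Infinity) {
  let value, fetchedAt = null, accesses = 0;
  return {
    get(nowMs) {
      // Fetch on first use (instance start) or when the cached copy is older
      // than ttlMs; otherwise serve the copy held in instance memory.
      if (fetchedAt === null || nowMs - fetchedAt >= ttlMs) {
        value = fetchSecret();
        fetchedAt = nowMs;
        accesses += 1;
      }
      return value;
    },
    accesses: () => accesses,
  };
}

const PRICE_PER_10K_USD = 0.03;         // price quoted in the question
const IDLE_TIMEOUT_MS = 10 * 60 * 1000; // "usually after 10 minutes" (first answer)

// Model one instance serving all calls; it is discarded after IDLE_TIMEOUT_MS
// without traffic, and the next call starts a fresh instance with a new cache.
function countAccesses(callTimesMs, ttlMs = Infinity) {
  let total = 0, cache = null, lastCall = null;
  for (const t of callTimesMs) {
    if (cache === null || t - lastCall > IDLE_TIMEOUT_MS) {
      if (cache) total += cache.accesses();
      cache = makeSecretCache(() => "constructed-secret-value", ttlMs);
    }
    cache.get(t);
    lastCall = t;
  }
  return total + (cache ? cache.accesses() : 0);
}

const costUsd = (accesses) => (accesses / 10000) * PRICE_PER_10K_USD;

// Constructed traffic: one call per second for an hour, a 30-minute gap,
// then another hour of calls (7,200 invocations, 2 instance starts).
const HOUR_MS = 3600 * 1000;
const calls = [];
for (let i = 0; i < 3600; i++) calls.push(i * 1000);
for (let i = 0; i < 3600; i++) calls.push(HOUR_MS + 30 * 60 * 1000 + i * 1000);
```

Compare `countAccesses(calls)` with `calls.length` to see the gap between per-instance and per-invocation reads, and pass a TTL as the second argument to see what periodic refresh adds.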