I am currently running a SaaS through Google's Cloud Run platform. The customers each have their own API credentials that require secure storage and retrieval during use of my program.

I would like to use Google's Secret Manager as a method of storing these API credentials; however, my problem is that the creation and retrieval of new secrets does not seem to scale. I am currently adding the credentials as environment variables (linked to Secret Manager secrets) during deployment of a new Cloud Run revision; however, I do not want to have to do this every time new credentials are created. If the customers increase into the hundreds, this is not a practical solution.

I also have the problem of dynamically retrieving the environment variables. Since the customer ID number is not known at build time, it is not possible to dynamically retrieve variables such as process.env['API_USER_(customerID)'].

Is there a way to add and retrieve secrets without creating new Cloud Run revisions each time? Or am I simply using the wrong tool for my use case?

arano879n
  • Secret Manager is a great service. There are additional secure methods to store secrets. An often overlooked method is Cloud Storage. Then there is the traditional database. Secrets can be fetched at container start, or via an HTTP trigger that you write. – John Hanley May 31 '22 at 02:09
  • Thank you for your help. Do you have a link to documentation on HTTP triggers for retrieving secrets? – arano879n May 31 '22 at 02:13
  • ***HTTP trigger that you write***. Create an endpoint, call it and reload your secrets from wherever you store them. – John Hanley May 31 '22 at 02:50

1 Answer

You can read and write into secret manager without defining the values as volume or env var in Cloud Run.

It's an API call to the service to get the secret. There are libraries for that. The main problem that I see here is the cost that so many secrets can imply.

You can also ask yourself if it's a correct design. You could also imagine keeping the API credentials encrypted somewhere (for instance in Firestore alongside the other customer data) and using Cloud KMS to store the encryption key. Or Secret Manager to keep that encryption key.

guillaume blaquiere
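An added example, not code from the question or the answer, of the runtime approach the answer describes: calling the Secret Manager API from Node.js for a per-customer secret at request time, with a TTL cache so the billed `accessSecretVersion` calls stay bounded. It assumes secrets are named `API_USER_<customerId>` in one project, that the Cloud Run service account holds `roles/secretmanager.secretAccessor`, and that `@google-cloud/secret-manager` is installed; the fetcher and clock are injectable so the cache logic can be exercised offline.

```javascript
// Added example, not code from the question or answer. Assumes secrets are
// named API_USER_<customerId> and the Cloud Run service account can access them.
const CUSTOMER_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Build the versioned resource name. The id is validated first so an
// unexpected value cannot alter the resource path.
function secretVersionName(projectId, customerId, version = 'latest') {
  if (!CUSTOMER_ID_RE.test(customerId)) throw new Error('invalid customer id');
  return `projects/${projectId}/secrets/API_USER_${customerId}/versions/${version}`;
}

// Fetcher backed by the official client library (required lazily so the
// cache below can run without the dependency installed).
async function secretManagerFetcher(name) {
  const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
  const client = new SecretManagerServiceClient();
  const [version] = await client.accessSecretVersion({ name });
  return version.payload.data.toString('utf8');
}

// Per-instance cache with a TTL: every accessSecretVersion call is billed
// and adds latency, so fetch once per customer per TTL, not once per request.
// `fetcher` and `now` are injectable for offline tests.
class SecretCache {
  constructor({ projectId, fetcher = secretManagerFetcher, ttlMs = 5 * 60 * 1000, now = Date.now }) {
    Object.assign(this, { projectId, fetcher, ttlMs, now });
    this.entries = new Map();
    this.fetchCount = 0; // number of real fetches, useful for watching cost
  }

  async get(customerId) {
    const name = secretVersionName(this.projectId, customerId);
    const hit = this.entries.get(name);
    if (hit && hit.expiresAt > this.now()) return hit.value;
    this.fetchCount += 1;
    const value = await this.fetcher(name); // rejects if the secret does not exist
    this.entries.set(name, { value, expiresAt: this.now() + this.ttlMs });
    return value;
  }

  // Call after rotating a customer's credentials so the next request re-fetches.
  invalidate(customerId) {
    this.entries.delete(secretVersionName(this.projectId, customerId));
  }
}

// Usage in a request handler (not run here): const cache = new SecretCache({ projectId: 'my-project' });
// const apiUser = await cache.get(req.params.customerId);
```

Note that a secret created after a Cloud Run revision is deployed is readable this way immediately, since nothing is bound at deploy time; only the IAM grant on the new secret is needed.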