Google Cloud Function: Expose Secret as Environment Variable?

Question

I have set up a few Google Cloud Functions that access various APIs in their implementation. Naturally, these APIs require tokens or username/passwords to work. I have created these secrets in Google Cloud Secret Manager and can successfully access them via the Cloud Function using the Google Cloud Console UI.

My question is not about implementation but what the difference is between reference methods:

1. Mounting Secret as a volume?
2. Exposing Secret as environment variable?

All my functions use the second option. Is this a bad practice and/or does this create a security leak? I did a search and couldn't find anything definitive and Google's documentation doesn't mention anything about the differences. The word "expose" has me worried, thinking that my Secrets would be accessible by others. I would love a pros/cons of each that I and future users could reference.

Thank you!

Answer 1

Using Secret Manager is a good practice.

The primary difference between mounting a secret as a volume versus as an environment variable is the access method and when the secret is read from Secret Manager.

Mounting a secret as a volume reads the secret each time the volume/file is read. If you are referencing the latest tag, updates to secrets will update the secret in Functions the next time you read the volume/file.

Exposing a secret as an environment variable reads the secret at instance cold start. That means if you update the secret, the Function instance will continue to use the last value even if you specify latest. Only on instance cold start is the new secret read from Secret Manager. If you have multiple function instances running, some might use the previous value and some might use the current value. That depends on when each Function instance was started.

Mounting a secret as a volume can be more expensive because the secret might be read more often.