GoogleCloudPlatform / berglas

A tool for managing secrets on Google Cloud
https://cloud.google.com/secret-manager
Apache License 2.0

cached response when using app-engine or cloudfunction #96

Closed irivera007 closed 4 years ago

irivera007 commented 4 years ago

Hi,

We are trying to implement a rotation mechanism for the secrets already encrypted, so we leverage the "update" functionality. However, when deployed in App Engine or Cloud Functions, the response with the decrypted secret is still the same (old secret), as if it doesn't read the recent "updated" file. We have tried setting no-cache in GCS and also setting default_expiration: "1s" in the app.yaml (App Engine case).

Any idea why this happens? Any advice on how to solve this?

Thank you in advance, and great tool btw

sethvargo commented 4 years ago

Hi @irivera007

The secret is only read once at startup and then injected into the app. It's not possible to replace a running process's environment, and berglas doesn't run as a service inside your app. To pick up the new secret, you should redeploy the application. This is in line with codification best practices too - secrets are code and should be "deployed" as such. This is why we support and advocate for pinning to a specific version too 😄
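
A pre-deploy check in the spirit of the pinning advice above, written here as an added example in Go (not berglas' own code): it walks an env map such as app.yaml's env_variables and reports every secret reference that is not pinned to a version, so an unpinned reference fails review instead of silently resolving to whatever the object holds at the next deploy. The berglas://bucket/object#generation and sm://project/secret#version syntax is assumed from the Berglas documentation, and the sample env is constructed.

```go
package main

import (
	"net/url"
	"sort"
	"strings"
)

// SecretRef is one berglas:// or sm:// reference found in an env map.
type SecretRef struct {
	Name    string // environment variable name
	Scheme  string // "berglas" (GCS object) or "sm" (Secret Manager)
	Path    string // bucket/object or project/secret
	Version string // GCS generation or SM version; "" when unpinned
}

// ParseSecretRefs scans an env map (e.g. app.yaml's env_variables) and returns
// each secret reference, recording whether a "#<version>" fragment pins it.
// The reference syntax is assumed from the Berglas docs, not from this thread.
func ParseSecretRefs(env map[string]string) []SecretRef {
	var refs []SecretRef
	for name, val := range env {
		u, err := url.Parse(val)
		if err != nil || (u.Scheme != "berglas" && u.Scheme != "sm") {
			continue // plain value, not a secret reference
		}
		refs = append(refs, SecretRef{Name: name, Scheme: u.Scheme,
			Path: u.Host + "/" + strings.TrimPrefix(u.Path, "/"), Version: u.Fragment})
	}
	sort.Slice(refs, func(i, j int) bool { return refs[i].Name < refs[j].Name })
	return refs // sorted because map iteration order is random
}

// Unpinned lists env vars whose reference has no version and so resolves to
// whatever the object holds at the next deploy instead of a reviewed version.
func Unpinned(env map[string]string) []string {
	var out []string
	for _, r := range ParseSecretRefs(env) {
		if r.Version == "" {
			out = append(out, r.Name)
		}
	}
	return out
}
```

Run Unpinned over the env block before deploying and fail the pipeline when it returns anything; the constructed env in the test shows DB_PASS and TOKEN being flagged while the generation-pinned API_KEY passes.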

irivera007 commented 4 years ago

Hi Seth

Thank you so much for the detailed explanation; it makes perfect sense. After some testing, we can still achieve our goal by re-deploying the app when a new secret rotation happens. Amazingly, there is no disruption to the calls to either the app or the Cloud Function, due to Google's way of handling the traffic that goes into versions.

Again thank you so much!