Closed hfhbd closed 5 months ago
What is the value of ${{ secrets.CK_KEY }}? It's usually better to store the references as variables instead of secrets, so they show in the log output.
What is the value of ${{ secrets.CK_KEY }}?
It is a base64-encoded X509 private key.
That's not how the secrets integration works. Secrets are stored in Google Secret Manager and then referenced by id (e.g. projects/my-project/secrets/my-secret).
Well, it did work in the past and you mention it in the guide too:
Pass a secret using environment variables. Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest.
BTW is there any action to write/update secrets from GitHub actions to keep the secrets in GitHub secrets store and not duplicate them in GCP too? There is https://github.com/google-github-actions/get-secretmanager-secrets to get a secret.
Sorry @hfhbd - we're talking about different things:
To use the native Cloud Run secrets integration, the secrets must be stored in Google Secret Manager; you cannot pass a raw secret material. When launching the Cloud Run service, you specify the identifier of a secret in Secret Manager (e.g. projects/my-project/secrets/my-secret). You can omit the project if the secret is in the same project as the Cloud Run service. It has never been possible to pass the raw contents of a secret.
GitHub secrets are not at all related to Secret Manager secrets. You should not have secrets in two places, because that creates secret sprawl. As far as I know, there's nothing to synchronize secrets between GitHub and Secret Manager, because that is not a good security practice and violates the principle of least privilege.
Is there a reason that these secrets need to be stored in GitHub at all?
Say I keep them in the Google Secret Manager. How can I have this GitHub Action use all of my secrets in the deployment? Because the secrets: field requires me to specify all the secrets, but if I keep my secrets in Google Secret Manager and I add a new secret, I now have to update my GitHub Actions workflow's secrets: field to include the new secret too.
Say I keep them in the Google Secret Manager. How can I have this GitHub Action use all of my secrets in the deployment?
You cannot - there is no option to automatically mount "all" secrets in Google Secret Manager into a Cloud Run service, and such an option would pose a substantial security risk. This GitHub Action behaves the same as the gcloud CLI and the Cloud Run API, which require users to explicitly specify the secrets to mount into the container.
Because the secrets: field requires me to specify all the secrets, but if I keep my secrets in Google Secret Manager and I add a new secret, I now have to update my GitHub Actions workflow's secrets: field to include the new secret too.
You could build this yourself with a combination of gcloud secrets list and some string concatenation, but given the security risks of automatically mounting all secrets, this is not something we'd offer as a first-party option.
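As an added example (not code from this action or from gcloud), here is a small Python lint that parses an --update-secrets value written the way the reported command was, flags entries whose "secret" is raw material (such as the masked *** in the TL;DR) rather than a Secret Manager reference, and warns about an unpinned latest version as the quoted guide advises. The secret-ID and version rules it encodes are assumptions, as is the ^DELIM^ handling.

```python
import re

# Added example, not the deploy-cloudrun action's own code. Assumptions: Secret
# Manager secret IDs are 1-255 chars of letters, digits, '_' or '-', optionally
# given as the full resource name projects/<project>/secrets/<id>; versions are
# 'latest' or a positive integer.
SECRET_ID = re.compile(r"^[A-Za-z0-9_-]{1,255}$")
FULL_NAME = re.compile(r"^projects/[^/]+/secrets/[A-Za-z0-9_-]{1,255}$")
VERSION = re.compile(r"^(latest|[1-9][0-9]*)$")


def parse_update_secrets(value):
    """Split a gcloud --update-secrets value into (env_var, secret, version) tuples.

    Honours gcloud's ^DELIM^ prefix, which replaces ',' as the entry separator
    (the reported command uses ^05^). A missing ':version' defaults to 'latest'.
    """
    delimiter = ","
    if value.startswith("^"):
        end = value.index("^", 1)
        delimiter, value = value[1:end], value[end + 1:]
    entries = []
    for item in filter(None, value.split(delimiter)):
        env_var, eq, ref = item.partition("=")
        if not eq or not env_var:
            raise ValueError(f"expected ENV=SECRET[:VERSION], got {item!r}")
        secret, colon, version = ref.partition(":")
        entries.append((env_var, secret, version if colon else "latest"))
    return entries


def validate_secret_ref(secret, version):
    """Return a list of problems for one reference; an empty list means it is usable."""
    problems = []
    if not (SECRET_ID.match(secret) or FULL_NAME.match(secret)):
        # Raw material (a base64 key, or GitHub's '***' log mask) lands here.
        problems.append(f"'{secret}' is not a valid secret name.")
    if not VERSION.match(version):
        problems.append(f"'{version}' is not a valid secret version.")
    elif version == "latest":
        # Env-var secrets resolve at instance start, so a pinned version is safer.
        problems.append("version 'latest' is not pinned; prefer an explicit version.")
    return problems


def lint_update_secrets(value):
    """Map each env var to its problems, so a CI step can fail before calling gcloud."""
    return {env: validate_secret_ref(s, v) for env, s, v in parse_update_secrets(value)}
```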
TL;DR
--update-secrets ^05^keyID=***:latest05privateKey=***:latest
=>'***' is not a valid secret name.