
GCP Cloud Run - Unable to hide secret value from the GCP's revision history tab when passing secret u

I deployed a GCP CloudRun service using a Terraform resource google_cloud_run_service.

The image is using grafana/synthetic-monitoring-agent and a secret (PROBE_API_TOKEN) needs to be passed as an argument. The secret is stored in GCP's secret manager and is passed and called as `data.google_secret_manager_secret_version.probe_api_token.secret_data`

The args attribute from the Terraform resource(google_cloud_run_service) is set as below

args = ["--api-server-address", var.probe_api_server_url, "--api-token", "${data.google_secret_manager_secret_version.probe_api_token.secret_data}", "--verbose", "true", "--debug"]

The above method works as the correct secret value (PROBE_API_TOKEN) is passed. However, from the GCP console, I'm able to see the secret in clear text from the revision history tab.

In order to hide the secret, I've tried using secret_key_ref attribute from the Terraform resource(google_cloud_run_service) and tried referencing the secret from the environment variable - since the secret is set as an environment variable - but `CloudRun` does not seem to read the correct secret.

Here's the args attribute used for this approach. $$ is used instead of a single $ as the latter throws an error.

  args = ["--api-server-address", var.probe_api_server_url, "--api-token", "$${PROBE_API_TOKEN}", "--verbose", "true", "--debug"]

Is there a way to hide or encrypt the token from the GCP console's revision history tab?

Thank you!

Update:

Here are more commands I've tried. None of these seem to work:

args = ["--api-server-address", var.probe_api_server_url, "--api-token $$PROBE_API_TOKEN"]
args = ["--api-server-address", var.probe_api_server_url, "--api-token", "${PROBE_API_TOKEN}"]
args = ["--api-server-address", var.probe_api_server_url, "--api-token", "$$PROBE_API_TOKEN"]
args = ["--api-server-address ${var.probe_api_server_url} --api-token $$PROBE_API_TOKEN"]
args = ["--api-server-address", var.probe_api_server_url, "--api-token", "$(PROBE_API_TOKEN)", "--verbose", "true", "--debug"]
args = ["--api-server-address=${var.probe_api_server_url} --api-token=$$PROBE_API_TOKEN"]
args = ["--api-server-address=${var.probe_api_server_url}", "--api-token=$$PROBE_API_TOKEN"]
args = ["--api-server-address=${var.probe_api_server_url}", "--api-token=$(PROBE_API_TOKEN)"]
args = ["--api-server-address", var.probe_api_server_url, "--api-token", "$${PROBE_API_TOKEN}", "--verbose", "true", "--debug"]
args = ["--api-server-address", var.probe_api_server_url, "--api-token", "$PROE_API_TOKEN", "--verbose", "true", "--debug"]
args = ["--api-server-address", var.probe_api_server_url, "--api-token", "$PROE_API_TOKEN", "--verbose", "true", "--debug"]
args = ["--api-server-address", var.probe_api_server_url, "--api-token", "$PROBE_API_TOKEN", "--verbose", "true", "--debug"]
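
An added example, not part of the original post and not Grafana's or Google's own configuration: because the `args` attempts above reach the agent as literal strings, one way to keep the token out of the revision spec is to inject it with `secret_key_ref` and let a shell inside the container expand it at start-up. It assumes the image contains `/bin/sh` and that the agent binary is on the PATH as `synthetic-monitoring-agent`; the service name, region, `API_SERVER` variable and secret id are placeholders.

```hcl
# Added example: values marked "placeholder" are assumptions, not from the post.
variable "probe_api_server_url" {
  type = string
}

resource "google_cloud_run_service" "sm_agent" {
  name     = "sm-agent"    # placeholder
  location = "us-central1" # placeholder

  template {
    spec {
      containers {
        image = "grafana/synthetic-monitoring-agent"

        # Assumption: the image ships /bin/sh and the agent binary is on PATH.
        # The shell expands the variables when the container starts, so the
        # revision spec only ever holds the literal text "$PROBE_API_TOKEN".
        command = ["/bin/sh", "-c"]
        args = [
          "exec synthetic-monitoring-agent --api-server-address \"$API_SERVER\" --api-token \"$PROBE_API_TOKEN\" --verbose true --debug"
        ]

        # Passed as an env var rather than interpolated into the shell string,
        # so the URL is never parsed as shell syntax.
        env {
          name  = "API_SERVER" # placeholder name
          value = var.probe_api_server_url
        }

        # Cloud Run resolves this reference at instance start; the console
        # shows the reference to the secret, not its value.
        env {
          name = "PROBE_API_TOKEN"
          value_from {
            secret_key_ref {
              name = "probe-api-token" # placeholder: Secret Manager secret id
              key  = "latest"          # secret version
            }
          }
        }
      }
    }
  }
}
```

The service's runtime service account needs `roles/secretmanager.secretAccessor` on the secret. Dropping the `data.google_secret_manager_secret_version` lookup also keeps the token value out of Terraform state.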
 