Using build secrets in gen2 Cloud Functions

We are trying to deploy gen2 Cloud Functions which require secrets at build time because we use packages from a private registry. We are currently having to define the secret as an environment variable, which means that it is visible in Cloud Build.

Is there a way to use build secrets with Cloud Functions or, if this functionality doesn't currently exist, a workaround we can use so as not to leak secrets in Cloud Build?

Thanks,
Dan

Hi @dcallaghan,

Welcome to Google Cloud Community!

There is currently no way to directly use build secrets with Cloud Functions. However, there are a few workarounds that you can use to avoid leaking secrets in Cloud Build:

  • Use a secret manager such as Secret Manager or HashiCorp Vault to inject secrets into your Cloud Function at build time.
  • Use a secret encryption tool such as GPG or OpenSSL to encrypt your secrets and store them in your Cloud Build configuration file. Then, in your Cloud Build configuration file, specify a step to decrypt the secrets before deploying your Cloud Function.

Which solution you opt for will rely on your individual requirements and preferences.

Thanks

Hey @christianpaula

How can I add my secret from Secret Manager to run during the build?
I'm running cloud function deploy and there is no such option.

@Moshik A pattern using Cloud Build is described here.
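As an added illustration of the Cloud Build pattern referred to above (this is not from the original thread or from Google's documentation), the following cloudbuild.yaml pulls a registry token from Secret Manager into a single build step via `availableSecrets`/`secretEnv`, so the value never appears in the build config, in substitutions, or in the function's environment variables. The secret name `npm-token`, the registry host `npm.pkg.example.com`, and the function name are assumed placeholders.

```yaml
# Added example: inject a Secret Manager secret into one Cloud Build step.
# Assumptions (placeholders): secret "npm-token" exists in Secret Manager,
# the private registry is npm.pkg.example.com, function is "my-func".
steps:
  # Step 1: install dependencies with the token available only as an
  # in-memory env var for this step. Cloud Build does not log secretEnv
  # values; the script must not echo them either.
  - id: install-deps
    name: node:20
    entrypoint: bash
    secretEnv: ['NPM_TOKEN']
    args:
      - -c
      - |
        set -euo pipefail
        # Write the auth line to a throwaway user-level npmrc, not into the
        # source tree, so it is never shipped with the deployed artifact.
        export NPM_CONFIG_USERCONFIG="$(mktemp)"
        echo "//npm.pkg.example.com/:_authToken=${NPM_TOKEN}" > "${NPM_CONFIG_USERCONFIG}"
        npm ci --ignore-scripts
        rm -f "${NPM_CONFIG_USERCONFIG}"

  # Step 2: deploy. No secret is passed here, so nothing secret shows up in
  # the function's build or runtime environment variables in the console.
  - id: deploy
    name: gcr.io/google.com/cloudsdktool/cloud-sdk:slim
    entrypoint: gcloud
    args:
      - functions
      - deploy
      - my-func
      - --gen2
      - --region=us-central1
      - --runtime=nodejs20
      - --source=.
      - --entry-point=handler
      - --trigger-http

# Bind the Secret Manager version to the env var name used by step 1.
# The Cloud Build service account needs roles/secretmanager.secretAccessor
# on this secret.
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/npm-token/versions/latest
      env: NPM_TOKEN
```

Note that the token is scoped to the Cloud Build step only; whether the Cloud Functions build that `gcloud functions deploy` triggers still needs registry access depends on how the function's dependencies are resolved, which is the open question in the replies below.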

How will this be used in cloud function deploy though?
I don't want to pass it to cloud function deploy as build parameters, as those + env vars show up in the UI parameters, and I want it to be hidden.

I even tried downloading my node_modules and zipping them, and then running cloud deploy from that zip WITH the private packages already in it, but cloud function deploy still seems to try to authenticate to my private repository.