Google Cloud Function: Expose Secret as Environment Variable?
I have set up a few Google Cloud Functions that access various APIs in their implementation. Naturally, these APIs require tokens or username/passwords to work. I have created these secrets in Google Cloud Secret Manager and can successfully access them via the Cloud Function using the Google Cloud Console UI.
My question is not about implementation but what the difference is between reference methods:
- Mounting Secret as a volume?
- Exposing Secret as environment variable?
All my functions use the second option. Is this a bad practice and/or does this create a security leak? I did a search and couldn't find anything definitive and Google's documentation doesn't mention anything about the differences. The word "expose" has me worried, thinking that my Secrets would be accessible by others. I would love a pros/cons of each that I and future users could reference.
Thank you!
Using Secret Manager is a good practice.
The primary difference between mounting a secret as a volume versus as an environment variable is the access method and when the secret is read from Secret Manager.
Mounting a secret as a volume reads the secret each time the volume/file is read. If you are referencing the latest tag, updates to secrets will update the secret in Functions the next time you read the volume/file.
Exposing a secret as an environment variable reads the secret at instance cold start. That means if you update the secret, the Function instance will continue to use the last value even if you specify latest. Only on instance cold start is the new secret read from Secret Manager. If you have multiple function instances running, some might use the previous value and some might use the current value. That depends on when each Function instance was started.
Mounting a secret as a volume can be more expensive because the secret might be read more often.
- Trigger Firebase Cloud Function on linkWithCredential()
- Event triggered when changing a user Firebase Authentication
- http function can't update document
- Unable to use a Callable Cloud Function in Flutter
- Flutter firebase connect to emulator from real device
- updating firestore document multiple times from event trigger function overwrites or stops updating after few triggers
- Firebase deploy failed even without changing the function from onCallable to onRequest
- Firebase Admin SDK cant upload to storage bucket folder
- Accessing Firestore via Cloud Function
- Problem with executing asynchronous Cloud Function
- do you need to create a separate collection/document for reading an aggregated document with firebase cloud function
- httpsCallable is not a function when calling a Firebase function
- Firebase Functions: Could not create or update Cloud Run service, Container Healthcheck failed
- Change time format in GCP Logs Explorer
- Secure Google Cloud Functions http trigger with auth
- How to increase timeout when calling a Firebase Cloud Function?
- How to set the timezone in a Cloud Storage trigger? (Cloud Functions 2nd gen for Firebase)
- Firebase CLI console: Cannot find module @google-cloud/tasks
- How to throw an error on a Firebase callable cloud function?
- How to handle listeners in Cloud Function | Discord.js
- Can't deploy Cloud Functions because of "Unhandled error cleaning up build images"
- How to make Firebase Cloud Function wait for a stream to close before terminating
- Serving generated image from firebase
- Google Cloud Function - Can't Find Cloud Function Run role
- Firebase Analytics log custom events from server
- Whilst deploying a GCP function, the service account keeps reverting back to its default resulting in an error
- Generating Cloud Storage Signed URL from Google Cloud Function without using explicit key file
- Google Cloud Function using moviepy slows down and times out
- Firebase cloud function deploy error (javascript/nodejs)
- How to fix wrong node version in `firebase deploy --only functions`