google-cloud-functions google-secret-manager

Recommended between native integration (as mounted volume or environment variable) and Secret Manager client library for Google Cloud Functions?


I am new to implementing secrets in Cloud Functions. I would like to know which would be the recommended method for accessing secrets in a Google Cloud Function in terms of security, ease of access, performance, etc.

I am aware of 3 methods available with Secret Manager.

  1. Secrets with mounted volume
  2. Secrets with environment variables
  3. Secret Manager client library

Solution

  • As @John Henley suggested in this Stack Overflow link,

    The primary difference between mounting a secret as a volume versus as an environment variable is the access method and when the secret is read from Secret Manager.

    Mounting a secret as a volume reads the secret each time the volume/file is read. If you are referencing the latest tag, updates to secrets will update the secret in Functions the next time you read the volume/file.

    Exposing a secret as an environment variable reads the secret at instance cold start. That means if you update the secret, the Function instance will continue to use the last value even if you specify latest. Only on instance cold start is the new secret read from Secret Manager. If you have multiple function instances running, some might use the previous value and some might use the current value. That depends on when each Function instance was started.

    Mounting a secret as a volume can be more expensive because the secret might be read more often.

    And to know which one would be the recommended method for accessing secrets in a Google Cloud Function, please have a look at this documentation, which explains it clearly.

    Please have a look at this section of the documentation for an overview of choosing between the three methods available.
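As an added example (not code from the question, the answer, or Google's own samples), the Python module below models the three methods the answer contrasts and lets you watch a rotation happen while an instance stays warm: the environment-variable reader captures its value once at "cold start", the mounted-volume reader re-reads the file on every call (with an optional TTL cache to address the cost caveat), and the client-library reader pins a version and caches per instance. The file name `api-key`, the variable name `API_KEY`, the project and secret ids, and the use of a temporary directory in place of a real secret mount are assumptions made for illustration; the client-library function needs `google-cloud-secret-manager` and credentials and is not exercised offline.

```python
import os
import tempfile
import time
from functools import lru_cache


class EnvVarSecret:
    """Method 2 (environment variable) as the answer describes it: the value is
    captured once, when the instance starts, and never refreshed afterwards."""

    def __init__(self, name, environ=None):
        env = os.environ if environ is None else environ
        self._value = env.get(name)  # read exactly once, at 'cold start'

    def get(self):
        return self._value


class MountedSecret:
    """Method 1 (mounted volume): the file is re-read on each get(), so a
    rotated 'latest' version is seen on the next request. An optional TTL
    cache bounds how often the file is read, trading freshness for cost."""

    def __init__(self, path, ttl_seconds=0.0, clock=time.monotonic):
        self.path = path
        self.ttl = ttl_seconds
        self._clock = clock  # injectable so the TTL can be tested deterministically
        self._cached = None
        self._cached_at = None

    def get(self):
        now = self._clock()
        if self.ttl > 0 and self._cached_at is not None and now - self._cached_at < self.ttl:
            return self._cached
        with open(self.path, encoding="utf-8") as fh:
            self._cached = fh.read()  # raw payload, deliberately not stripped
        self._cached_at = now
        return self._cached


@lru_cache(maxsize=None)
def client_library_secret(project_id, secret_id, version):
    """Method 3: Secret Manager client library. The cache means one API round
    trip per (project, secret, version) per instance instead of one per
    request; pin a numbered version rather than 'latest' if the cached value
    must be deterministic. Requires google-cloud-secret-manager and credentials."""
    from google.cloud import secretmanager  # imported lazily: only this path needs it

    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version}"
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("utf-8")


def rotation_scenario(secret_dir=None):
    """Constructed scenario: the instance starts with value v1, then the secret
    is rotated to v2 while the instance stays warm.
    Returns (env_before, env_after, volume_before, volume_after)."""
    if secret_dir is None:
        with tempfile.TemporaryDirectory() as d:
            return rotation_scenario(d)

    path = os.path.join(secret_dir, "api-key")  # stands in for the mounted file
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("v1")
    environ = {"API_KEY": "v1"}  # what the platform injected at cold start

    env_secret = EnvVarSecret("API_KEY", environ)  # the instance 'starts' here
    volume_secret = MountedSecret(path)
    env_before, volume_before = env_secret.get(), volume_secret.get()

    # Rotation: the mounted file changes; the running instance's environment does not.
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("v2")

    return env_before, env_secret.get(), volume_before, volume_secret.get()


def ttl_scenario(ttl_seconds=10.0):
    """Constructed scenario for the TTL cache: rotate the file, read once inside
    the TTL and once after it. Returns (first, within_ttl, after_ttl)."""
    fake_now = [0.0]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api-key")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("v1")
        secret = MountedSecret(path, ttl_seconds=ttl_seconds, clock=lambda: fake_now[0])
        first = secret.get()
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("v2")
        within_ttl = secret.get()          # still cached
        fake_now[0] = ttl_seconds + 1.0    # cache expired
        return first, within_ttl, secret.get()


if __name__ == "__main__":
    print(rotation_scenario())   # ('v1', 'v1', 'v1', 'v2')
    print(ttl_scenario())        # ('v1', 'v1', 'v2')
```

Run the module directly to see both scenarios; the first tuple shows the env-var reader still returning the cold-start value after rotation while the volume reader returns the new one, and the second shows a TTL-cached volume read picking the rotation up only after the TTL elapses, which is the trade-off behind the answer's note that volume mounts can be more expensive.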