Figure out GCP secrets integration with Cloud Run
gilcrest opened this issue · 3 comments
Instead of setting secrets (encryption key, db username/password) through environment variables in GCP, figure out how to integrate with GCP's Secrets Manager and Cloud Run. I believe it's pretty straightforward, actually, and should get to this soon as it's important.
It's super simple, just ensure that the default service account has secret accessor privs: `--role="roles/secretmanager.secretAccessor"`
If cloudrun is like app engine then the SA is injected at runtime and always available; you can detect if it's in a GCP env by looking for `process.env.GCLOUD_PROJECT`.
Using gcloud, you can specify a different service acc if you need to, like the below:

```sh
gcloud secrets versions access latest --secret="my-secret" \
  --impersonate-service-account="PROJECTID@XXXXXX.iam.gserviceaccount.com" \
  --project="xxxxxx" > ./secret.key
```
My Go is a bit rusty, looking for something like this to kick start me in the right direction, but I gotta make use of a Mongo instance. Is it much work to migrate from postgres to mongodb?
Thanks! Unfortunately I've never used Mongo, so can't really comment...
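The runtime lookup discussed in this thread, as an added Go example that is not code from the thread or from the project: it obtains a token for the service account attached to the Cloud Run revision from the metadata server, then reads one secret version through the Secret Manager REST API, using only the standard library instead of the Google client library. The names `AccessSecret` and `getJSON` and the project ID `my-project` are hypothetical, and the call only succeeds when that service account holds `roles/secretmanager.secretAccessor`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
)

// Endpoints are variables so a test can point them at a local server.
var MetadataURL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
var SecretsURL = "https://secretmanager.googleapis.com/v1"

// getJSON sends a GET with one header and decodes a 200 response body into out.
func getJSON(c *http.Client, url, hdr, val string, out interface{}) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set(hdr, val)
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// AccessSecret returns the payload of one secret version, authenticating as
// the service account attached to the running revision (no key file, no env secret).
func AccessSecret(c *http.Client, project, secret, version string) ([]byte, error) {
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := getJSON(c, MetadataURL, "Metadata-Flavor", "Google", &tok); err != nil {
		return nil, fmt.Errorf("metadata token: %w", err)
	}
	var res struct{ Payload struct{ Data string `json:"data"` } `json:"payload"` }
	url := fmt.Sprintf("%s/projects/%s/secrets/%s/versions/%s:access", SecretsURL, project, secret, version)
	if err := getJSON(c, url, "Authorization", "Bearer "+tok.AccessToken, &res); err != nil {
		return nil, fmt.Errorf("access secret: %w", err)
	}
	return base64.StdEncoding.DecodeString(res.Payload.Data) // payload.data is base64
}

func main() { // "my-project" is a placeholder; outside GCP this prints an error
	v, err := AccessSecret(http.DefaultClient, "my-project", "my-secret", "latest")
	fmt.Println(len(v), err) // print the length only, never the secret value
}
```

Keeping the value in memory rather than in an environment variable or a file such as `./secret.key` means it does not show up in the service configuration or on disk.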