Reputation: 33
GCP Cloud Function not mounting latest secret from Secret Manager
My Cloud Function is referencing an older version of a secret that is mounted, despite using the :latest suffix
I have a Cloud Function deployed that mounts a secret when I deploy, explicitly referencing the latest version of the secret:
--set-secrets=DATABASE_URL=projects/MY_PROJECT/secrets/DATABASE_URL:latest
I see this is set up correctly in my Cloud Function console but when running the function it is referencing a past version of the secret. I am logging the secret to test with process.env.DATABASE_URL (it is a Node runtime).
If I redeploy the function this is fixed. I'm confused because the docs specify that mounting the secrets and adding the :latest suffix will use the most recent version when the function runs.
Upvotes: 3
Views: 1495
Answers (1)
Reputation: 44959
The secret is resolved when this instance of the Cloud Function starts. If the function stays active without going to sleep it will keep the old version of the secret mounted asn an environment variable. If you mount the secret as a volume and read the file it will automatically update.
Credit: John Hanley's comment
Upvotes: 3
Related Questions
- Google Secret Manager INVALID_ARGUMENT Error
- Can't access secret in GCP Secret Manager
- NodeJS GC function cannot be initialized
- Can't access secret stored in Secrets Manager from Google Cloud Function
- Not able to access gcp secret manager from standalone go application
- Problem with import gcp secrets with node
- google cloud secret manager nodejs getsecret problem
- How to access Secret Manager in Cloud Function node.js10?
- GCP - Can't use Google Secret Manager (@google-cloud/secret-manager) inside Cloud Run
- GCP Secret Manager throws: "path" argument must be of type string