Niko Draca

Reputation: 33

GCP Cloud Function not mounting latest secret from Secret Manager

My Cloud Function is referencing an older version of a secret that is mounted, despite using the :latest suffix

I have a Cloud Function deployed that mounts a secret when I deploy, explicitly referencing the latest version of the secret:

--set-secrets=DATABASE_URL=projects/MY_PROJECT/secrets/DATABASE_URL:latest

I see this is set up correctly in my Cloud Function console but when running the function it is referencing a past version of the secret. I am logging the secret to test with process.env.DATABASE_URL (it is a Node runtime).

If I redeploy the function this is fixed. I'm confused because the docs specify that mounting the secrets and adding the :latest suffix will use the most recent version when the function runs.

Upvotes: 3

Views: 1491

Answers (1)

Adam

Reputation: 44959

The secret is resolved when this instance of the Cloud Function starts. If the function stays active without going to sleep, it will keep the old version of the secret mounted as an environment variable. If you mount the secret as a volume and read the file, it will automatically update.

Credit: John Hanley's comment

Upvotes: 3
