hudson tekk

Reputation: 31

Using secrets on pub/sub onMessagePublished event with GCP cloud functions

Is it possible to use the secrets dependency array (Cloud Functions v2) on an onMessagePublished? It doesn't look like it has a parameter to accept that, and I am getting errors if I try to include it as the handler.

exports.processMessage = onMessagePublished( messageTopic, { secrets: [ApiKey, Secret, sqlUsername, sqlPassword, sqlServerName] }, async (event) => {});

Basically, I want to use secrets in an onMessagePublished event, and in v2 functions they have to be in a dependency array.

Upvotes: 3

Views: 484

Answers (2)

Viktor Korsun

Reputation: 1

In gen2 you can pass the secret in a similar way:

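import { onMessagePublished } from "firebase-functions/v2/pubsub";
import { defineSecret } from "firebase-functions/params";

// "MY_SECRET" is a placeholder for the secret's name in Secret Manager
const mySecret = defineSecret("MY_SECRET");

export const myCallback = onMessagePublished(
  {
    topic: "my-topic",
    secrets: [mySecret],
  },
  (event) => {
      // your code goes here; read the secret at runtime with mySecret.value()
  });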

Upvotes: 0

iliosana

Reputation: 51

For me the following workaround worked:

For the Firebase Pub/Sub functions, I configured the secret through the console instead of adding it as a parameter in the function: onMessagePublished. The configuration is persisted, even when the function gets redeployed.

I followed this documentation to make the secret accessible to the function, here is an excerpt:

To make a secret accessible to a function:

  1. Go to the Cloud Functions page in the Google Cloud console.

  2. Click the name of the function you want to be able to access a secret.

  3. Click Edit.

  4. Click Runtime, build and connections settings to expand the advanced configuration options.

  5. Click Security to open the security tab.

  6. Click Reference a secret to set a secret for the function.

  7. Select the secret to make accessible. If you need to, create a secret.

    • To reference a secret in the same project as your function:

      a. Select the secret from the dropdown list.

    • To reference a secret from another project:

      a. Verify that your project's service account has been granted access to the secret.

      b. Select Don't see your secret? Enter secret resource ID.

      c. Enter the secret's resource ID in the following format:

      projects/PROJECT_ID/secrets/SECRET_NAME

      Replace the following:

      • PROJECT_ID: The ID of the project where the secret resides.

      • SECRET_NAME: The name of the secret in Secret Manager.

  8. Select the reference method for the secret. You can mount the secret as a volume or expose the secret as an environment variable.

    • To mount the secret as a volume:

      a. Select Mounted as volume.

      b. In the Mount path field, enter the path to use for your secret.

      Do not reuse an existing mount path. Each mount path must be unique.

      c. From the Version dropdown, select the version of the secret to reference.

    • To expose the secret as an environment variable:

      a. Select Exposed as environment variable.

      b. In the Name field, enter the name of the environment variable.

      c. From the Version dropdown, select the version of the secret to reference.

  9. Click Done.

  10. Click Next.

  11. Click Deploy.

Your function's code can now reference the secret.

I exposed the secret as an environment variable and access it in the Pub/Sub function using the following:

process.env.SECRET_NAME

Upvotes: 1
