I need to deploy a dotnet web app to Google Cloud Run and want to use the user secrets file to store credentials. Currently, they are in appsettings which is not secure. Has anyone done this using Google Secret Manager?
If there are existing examples or snippets they would be appreciated.
Thanks.
Google Cloud Run and Google Secret Manager work well together. The key is to grant privileges to the Cloud Run service account to access Secret Manager. This eliminates needing secrets in your application to access Secret Manager.
Is it best to store the key-value pairs, a json blob?
This depends on the amount of data being stored. Normally you create a secret with a name (secretId) and assign data to the secret (via API or the CLI gcloud). In your application, you read the secret by name (secretId).
I would like to pull the values at startup and not during build time.
The link that Seth Vargo (duplicated here) provided has examples in C# and many other languages. Your application reads secrets from Secret Manager at run-time.
Guillaume Blaquiere wrote an article showing how to use Secret Manager, Cloud Run and environment variables. Definitely worth reading.
Secret Manager: Improve Cloud Run security without changing the code