
Inserting secrets into GCP VM instance from secrets manager


Using github actions I'm building a container and pushing it to an existing VM instance. I would like to include secrets as environmental variables after authenticating the secret manager so the container can utilize them during runtime. The following command updates the container to the VM but it does not accept any secrets as parameters.

    - name: Deploy to google compute instance
      run: |-
        gcloud compute instances update-container ${{ env.GCE_INSTANCE }} \
          --zone "$GCE_INSTANCE_ZONE" \
          --container-image ${{ env.REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ env.ARTIFACT_REPO }}/${{ env.DOCKER_IMAGE }}

In the past, I have deployed a docker container to google run and included secrets as environmental variables successfully with the following command. Is there a way to mimic this behavior from google run with a VM instance?

    - name: deploy
      id: 'deploy'
      uses: 'google-github-actions/deploy-cloudrun@v0'
      with:
        service: ${{ env.IMAGE_NAME }}
        image: ${{ env.REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ env.ARTIFACT_REPO }}/${{ env.DOCKER_IMAGE }}
        region: ${{ env.REGION }}
        secrets: |-
          SQL_SERVER_CA=SQL_SERVER_CA:latest, SQL_CLIENT_CERT=SQL_CLIENT_CERT:latest

Solution

  • Following the advice of @JohnHanley's comment, I was able to access secrets within my container that is running on a VM instance. Using the --container-env flag on "gcloud compute instances update-container" worked. The service account token for accessing Secret Manager is stored in GitHub Actions secrets and is base64 encoded. It is passed into the container with the --container-env flag along with two other variables. Once the container has started, the service account token is decoded and used to retrieve the rest of the many secrets stored in Google Secret Manager. This likely is not the best way, but it required the least amount of rework to get working.

    - name: Deploy to google compute instance
      run: |-
        gcloud compute instances update-container ${{ env.GCE_INSTANCE }} \
          --zone ${{ env.ZONE }} \
          --container-image ${{ env.REGION }}-docker.pkg.dev/${{ secrets.PROJECT_ID }}/${{ env.ARTIFACT_REPO }}/${{ env.DOCKER_IMAGE }} \
          --container-env GCP_SECRET_ACCESSOR_SERVICE_TOKEN=${{ secrets.GCP_SECRET_ACCESSOR_SERVICE_TOKEN }} \
          --container-env PROJECT_ID=${{ secrets.PROJECT_ID }} \
          --container-env RUNNING_LOCATION=cloudbt
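As an added example (not code from the answer above), here is the container-side step the answer describes, pulling the remaining secrets from Secret Manager's REST API at startup, with one change: the bearer token comes from the VM's attached service account via the metadata server, so no base64-encoded key has to travel through GitHub Actions secrets and --container-env. It assumes that attached service account holds roles/secretmanager.secretAccessor on the secrets; the endpoint URLs are real, while fake_fetch and its sample values are constructed so the script runs offline.

```python
import base64
import json
from urllib.request import Request, urlopen

# Real GCP endpoints: the metadata server issues a short-lived token for the
# VM's attached service account; Secret Manager returns payloads base64-encoded.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
SECRET_MANAGER_API = "https://secretmanager.googleapis.com/v1"


def http_get_json(url, headers):
    """Default transport: HTTP GET with the given headers, body parsed as JSON."""
    with urlopen(Request(url, headers=headers), timeout=10) as resp:
        return json.load(resp)


def get_access_token(fetch=http_get_json):
    """Bearer token for the attached service account; no key file involved."""
    body = fetch(METADATA_TOKEN_URL, {"Metadata-Flavor": "Google"})
    return body["access_token"]


def access_secret(project_id, secret_id, token, version="latest", fetch=http_get_json):
    """Read one secret version (.../versions/<version>:access) and decode its payload."""
    url = (f"{SECRET_MANAGER_API}/projects/{project_id}/secrets/"
           f"{secret_id}/versions/{version}:access")
    body = fetch(url, {"Authorization": f"Bearer {token}"})
    return base64.b64decode(body["payload"]["data"]).decode("utf-8")


def load_secrets(project_id, secret_ids, fetch=http_get_json):
    """Return {SECRET_ID: value} for the requested secrets using a single token."""
    token = get_access_token(fetch)
    return {sid: access_secret(project_id, sid, token, fetch=fetch) for sid in secret_ids}


def fake_fetch(url, headers):
    """Constructed offline stand-in for both endpoints; sample data, not real secrets."""
    if url == METADATA_TOKEN_URL:
        assert headers.get("Metadata-Flavor") == "Google"
        return {"access_token": "sample-token", "expires_in": 3599, "token_type": "Bearer"}
    assert headers.get("Authorization") == "Bearer sample-token"
    secret_id = url.split("/secrets/")[1].split("/")[0]
    sample = {"SQL_SERVER_CA": b"-----BEGIN CERTIFICATE-----", "SQL_CLIENT_CERT": b"hunter2"}
    return {"payload": {"data": base64.b64encode(sample[secret_id]).decode()}}


if __name__ == "__main__":
    # Offline demo; in the container use the default fetch and PROJECT_ID from --container-env.
    print(load_secrets("demo-project", ["SQL_SERVER_CA", "SQL_CLIENT_CERT"], fake_fetch))
```

Loading the values into os.environ (or handing them straight to the database client) from load_secrets keeps them out of the container spec, which is visible to anyone who can describe the instance.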