Challenge 6: Keeping secrets safe

Previous Challenge Next Challenge

Introduction

In the previous challenge we passed the database password to the service as a plain-text environment variable. Environment variables are stored as part of the Cloud Run service configuration, so anyone who can view the service (project Viewer permissions are enough) can read that password, which is not desirable. A better option is to keep the value in Secret Manager and have Cloud Run inject it at runtime: reading it then requires the Secret Manager Secret Accessor role on the secret rather than merely Viewer on the project.

Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

Description

Add the database password to Secret Manager, and configure Cloud Run to read the database password from that secret instead of from a plain-text environment variable.

Note
The Compute Engine default service account, which Cloud Run uses unless you pick another identity, has already been assigned the right role to access Secret Manager (Secret Manager Secret Accessor, roles/secretmanager.secretAccessor). If you choose any other service account for your Cloud Run app, you’ll have to make sure that it has that role on the secret, or on the project.

Success Criteria

  • Verify that the database password is in Secret Manager
  • Verify that the environment variable containing the password is a Secret Manager reference, not a plain-text value
  • Verify that the /sql endpoint is still returning OK
  • No code change is needed for this challenge

Learning Resources

Tips

  • Cloud Run rejects a configuration in which the same environment variable name is set both as plain text and as a secret reference, so you will need to remove the plain-text version (for example with --remove-env-vars) when you add the secret
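The whole procedure end to end, as an added shell example that is not part of the original challenge page or of Google's own material. Every project, region, service, secret and variable name in it is a hypothetical placeholder, overridable through the environment; GCLOUD=echo turns it into a dry run that only prints the gcloud commands.

```shell
#!/bin/sh
# Added example, not part of the original challenge: move a database password
# from a plain-text Cloud Run environment variable into Secret Manager and
# repoint the service at the secret. All names are hypothetical placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
REGION="${REGION:-europe-west1}"
SERVICE="${SERVICE:-my-service}"
SECRET_NAME="${SECRET_NAME:-db-password}"   # Secret Manager secret id
ENV_VAR="${ENV_VAR:-DB_PASSWORD}"           # variable the application reads
# Runtime identity of the revision: the Compute Engine default service account
# unless the service was deployed with another one.
SA="${SA:-${PROJECT_NUMBER}-compute@developer.gserviceaccount.com}"
# Set GCLOUD=echo to dry-run: each command is printed instead of executed.
GCLOUD="${GCLOUD:-gcloud}"

# Step 1: create the secret with the password as its first version. The value
# is read from stdin (--data-file=-) so it never appears in argv or history.
create_secret() {
  "$GCLOUD" secrets create "$1" --project="$PROJECT_ID" \
    --replication-policy=automatic --data-file=-
}

# Step 2: least privilege. Bind Secret Accessor on this one secret instead of
# granting the role project-wide to the runtime service account.
grant_access() {
  "$GCLOUD" secrets add-iam-policy-binding "$1" --project="$PROJECT_ID" \
    --member="serviceAccount:$SA" \
    --role=roles/secretmanager.secretAccessor
}

# Step 3: drop the plain-text variable and add the secret reference in one
# update, so a single new revision is created and the name never collides.
configure_service() {
  "$GCLOUD" run services update "$SERVICE" --project="$PROJECT_ID" \
    --region="$REGION" \
    --remove-env-vars="$ENV_VAR" \
    --update-secrets="$ENV_VAR=$SECRET_NAME:latest"
}

# Step 4: inspect the wiring. A secret-backed variable is listed under
# valueFrom.secretKeyRef; a plain-text one carries a literal value field.
show_env() {
  "$GCLOUD" run services describe "$SERVICE" --project="$PROJECT_ID" \
    --region="$REGION" \
    --format="yaml(spec.template.spec.containers[0].env)"
}

main() {
  create_secret "$SECRET_NAME"    # password is taken from the script's stdin
  grant_access "$SECRET_NAME"
  configure_service
  show_env
  # Functional check: the /sql endpoint from the previous challenge still
  # answers once the revision reads the password from the secret.
  url=$("$GCLOUD" run services describe "$SERVICE" --project="$PROJECT_ID" \
    --region="$REGION" --format="value(status.url)")
  if [ "$GCLOUD" = gcloud ]; then
    curl -fsS "$url/sql"
  fi
}

# Only act when explicitly asked, for example:
#   printf '%s' "$DB_PASS" | sh move_secret.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

Binding the accessor role on the secret rather than on the project is the practitioner's version of the lab's Note: the runtime identity can then read this one secret and nothing else. The reference uses the latest version for brevity; pinning a numeric version in --update-secrets makes a rollback of the service also roll back the credential it sees.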
