Score:0

Can you parse JSON keys out of a Google Secrets Manager secret?

Consider the following gcloud command where you inject a Google Secrets Manager secret into your SERVICE Google Cloud Run service—ripped off the Use secrets Cloud Run docs page:

gcloud run services update SERVICE \
    --set-secrets="ENV_VAR_NAME=SECRET_NAME:VERSION"

Observation: Notice how you can set your ENV_VAR_NAME environment variable to the value of the SECRET_NAME:VERSION secret; but Question: Can you parse JSON keys out of a Google Secrets Manager secret?

For example, consider the mysecret secret set to {"PASSWORD":"mylastname","TOKEN":"t0k3n"} like the following shell session illustrates:

$ gcloud secrets create mysecret --data-file=- <<<'{"PASSWORD":"mylastname","TOKEN":"t0k3n"}'
Created version [1] of the secret [mysecret].

Then you parse out that PASSWORD secret key with the venerable jqlang/jq utility like so:

$ gcloud secrets versions access 1 --secret=mysecret \
    | jq --raw-output .PASSWORD
mylastname

But I think it would be cool to explicitly inject that PASSWORD secret key into my Cloud Run service, without doing any JSON parsing outside of gcloud—since then, I can support a one-to-many Secrets Manager secret to application secrets ratio.

I'm imagining something like the following:

gcloud run services update SERVICE \
    --set-secrets="ENV_VAR_NAME=SECRET_NAME:VERSION:SECRET_KEY"

For my earlier example, each of those parameters maps to the following:

  1. ENV_VAR_NAME to PASSWORD.
  2. SECRET_NAME to mysecret.
  3. VERSION to 1.
  4. ⭐️ SECRET_KEY to PASSWORD. Note: This is the area of interest for my question.

Even better would be if some default JSON parsing happened.

Can you parse JSON keys out of a Google Secrets Manager secret?

This is what I tried so far:

  1. I read the output of the gcloud run services update --help command—didn't see anything.
  2. I took a cursory look at the https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets.versions/access page—didn't see anything.
  3. I smashed the excellent BurntSushi/ripgrep utility into my ~/google-cloud-sdk directory like rg set-secrets ~/google-cloud-sdk to see if I could find any easter eggs hinting at that JSON parsing capability—again I didn't find anything.

Guess: Looks like you can't do this sort of JSON parsing thing with that --set-secrets gcloud option; but I'm hoping that I'm wrong.

Score:0

I found a previous post with the same concern; however, they were trying it on AWS. As per hoangdv, they need to set secret as data.SecretString to have it as a normal string. After that, the JSON string must be cast to a JSON object so the information will be accessible by attribute name.

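// Secret as returned in data.SecretString: a plain JSON string, not an object
const secret = '{"username":"***","password":"***","engine":"mysql","host":"***.***.us-east-1.rds.amazonaws.com","port":3306,"dbname":"***","dbInstanceIdentifier":"***"}';

// Parse the JSON string so each field is accessible by attribute name
const secretObj = JSON.parse(secret);

console.log(secretObj.host);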
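
The parse-in-the-application approach from the answer above, applied to the question's Cloud Run case, as an added example that is not part of the original answer: the whole JSON secret is injected as one variable using the documented form (`--set-secrets="APP_SECRETS=mysecret:1"`) and the service splits it at startup. `APP_SECRETS` and `loadJsonSecret` are hypothetical names, and the sample value is constructed from the question's `mysecret`.

```javascript
// Added example: split one JSON secret, injected as a single env var, into named values.
// APP_SECRETS and loadJsonSecret are hypothetical names, not part of gcloud or Cloud Run.

function loadJsonSecret(env, varName, requiredKeys) {
  const raw = env[varName];
  if (typeof raw !== "string" || raw.length === 0) {
    throw new Error(`${varName} is not set`);
  }

  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    // Do not rethrow the SyntaxError: its message can quote part of the input,
    // which here is the secret itself.
    throw new Error(`${varName} does not contain valid JSON`);
  }

  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error(`${varName} must be a JSON object`);
  }

  const out = {};
  for (const key of requiredKeys) {
    if (!Object.prototype.hasOwnProperty.call(parsed, key)) {
      throw new Error(`${varName} is missing key ${key}`);
    }
    if (typeof parsed[key] !== "string") {
      throw new Error(`${varName} key ${key} is not a string`);
    }
    out[key] = parsed[key];
  }

  // Drop the raw blob so child processes and env dumps do not inherit it.
  delete env[varName];
  return Object.freeze(out);
}

// Constructed sample environment, mirroring the mysecret value from the question.
const sampleEnv = { APP_SECRETS: '{"PASSWORD":"mylastname","TOKEN":"t0k3n"}' };
const secrets = loadJsonSecret(sampleEnv, "APP_SECRETS", ["PASSWORD", "TOKEN"]);
console.log(Object.keys(secrets)); // key names only; values are never logged
```

In a real service, pass `process.env` as the first argument and fail startup if the call throws.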
