
Environment variables and secrets in GCP - Commands & Configuration

Introduction
Sometimes your app needs secret keys or settings that should not be visible to everyone. Environment variables and secrets help keep these safe and easy to use without hardcoding them in your code.
When you want to store API keys safely without putting them in your code files
When you need to change configuration settings without changing your app code
When you want to share secrets securely between your cloud services
When you want to keep passwords or tokens hidden from public view
When you want to update sensitive data without redeploying your app
Config File - cloudbuild.yaml
cloudbuild.yaml
steps:
# Build step: MY_SECRET is exposed to this step as an environment variable.
# To reference it inside args you need a shell entrypoint and the $$MY_SECRET form.
- name: 'gcr.io/cloud-builders/docker'
  id: 'build'
  args: ['build', '-t', 'gcr.io/my-project/my-app', '.']
  secretEnv: ['MY_SECRET']
# Cloud Build fetches the secret from Secret Manager and maps it to MY_SECRET.
availableSecrets:
  secretManager:
  - versionName: 'projects/my-project/secrets/my-secret/versions/latest'
    env: 'MY_SECRET'
images:
- 'gcr.io/my-project/my-app'

This Cloud Build config file shows how to access a secret named my-secret from Google Secret Manager during a build. The secret value is fetched by Cloud Build and exposed as the environment variable MY_SECRET in the Docker build step only; it never appears in the source tree or in the config file itself.

Commands
This command creates a new secret named 'my-secret' in Google Secret Manager using the contents of the file 'secret.txt'. It stores your sensitive data securely.
Terminal
gcloud secrets create my-secret --replication-policy=automatic --data-file=secret.txt
Expected Output
Created secret [my-secret].
--replication-policy=automatic - Automatically replicates the secret across Google Cloud regions for availability.
--data-file=secret.txt - Specifies the file containing the secret data to store.
This command retrieves the latest version of the secret 'my-secret' so you can use it in your app or scripts.
Terminal
gcloud secrets versions access latest --secret=my-secret
Expected Output
my-super-secret-value
--secret=my-secret - Specifies which secret to access.
This deploys your app to Cloud Run and injects the secret 'my-secret' as an environment variable named 'API_KEY' inside the running container.
Terminal
gcloud run deploy my-app --image=gcr.io/my-project/my-app --set-secrets=API_KEY=my-secret:latest
Expected Output
Deploying container to Cloud Run service [my-app] in project [my-project] region [us-central1]
Deploying...done.
Service [my-app] revision [my-app-00001-abc] has been deployed and is serving 100 percent of traffic.
URL: https://my-app-xyz.a.run.app
--set-secrets=API_KEY=my-secret:latest - Maps the secret to an environment variable inside the container.
This command shows the environment variables set for the deployed Cloud Run service, confirming the secret is injected.
Terminal
gcloud run services describe my-app --format='value(spec.template.spec.containers[0].env)'
Expected Output
[{name: API_KEY, valueFrom: {secretKeyRef: {name: my-secret, key: latest}}}]
--format='value(...)' - Restricts the output to the container's env list, so you can confirm API_KEY comes from a secretKeyRef rather than a literal value.
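The verification step above only eyeballs the env list. The script below is an added example (not from the original page) that audits the JSON form of the same describe call, `gcloud run services describe my-app --format=json`, and fails if any sensitive-looking variable is a plaintext value instead of a Secret Manager reference. The sample service object and the name heuristic are constructed assumptions.

```python
import json
import re
import sys

# Heuristic for variable names that should come from Secret Manager, never as
# literal values. This pattern is an assumption of the example; extend as needed.
SENSITIVE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL)", re.IGNORECASE)


def audit_env(service):
    """Classify the env vars of a Cloud Run service object (parsed JSON from
    `gcloud run services describe SERVICE --format=json`).

    Returns (secret_refs, findings):
      secret_refs -> {ENV_NAME: "secret-name:version"} for vars injected via --set-secrets
      findings    -> [ENV_NAME, ...] sensitive-looking vars whose value is a literal string
    """
    containers = service["spec"]["template"]["spec"]["containers"]
    secret_refs, findings = {}, []
    for env in containers[0].get("env", []):
        name = env["name"]
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            secret_refs[name] = f"{ref['name']}:{ref['key']}"
        elif SENSITIVE.search(name):
            findings.append(name)  # the literal value is deliberately not recorded or logged
    return secret_refs, findings


# Constructed sample mirroring the page's deployment: API_KEY is injected from
# my-secret, while DB_PASSWORD was (wrongly) set as a plain --set-env-vars value.
SAMPLE = json.loads("""{
  "spec": {"template": {"spec": {"containers": [{
    "image": "gcr.io/my-project/my-app",
    "env": [
      {"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "my-secret", "key": "latest"}}},
      {"name": "LOG_LEVEL", "value": "info"},
      {"name": "DB_PASSWORD", "value": "hunter2"}
    ]}]}}}
}""")

if __name__ == "__main__":
    # Usage: python audit_env.py [service.json]; with no file the sample is audited.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    refs, bad = audit_env(data)
    for k, v in refs.items():
        print(f"OK   {k} <- Secret Manager {v}")
    for k in bad:
        print(f"FAIL {k} is a plaintext env var; move it to --set-secrets")
    sys.exit(1 if bad else 0)
```

Save the describe output with `gcloud run services describe my-app --format=json > service.json` and pass the file to the script in a CI step so a revision with a plaintext secret fails the pipeline.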
Key Concept

If you remember nothing else from this pattern, remember: keep secrets out of your code by storing them securely and injecting them as environment variables at runtime.

Common Mistakes
Hardcoding secrets directly in application code or config files.
This exposes sensitive data to anyone who can see the code, risking security breaches.
Store secrets in a secure service like Google Secret Manager and inject them as environment variables.
Not granting the app permission to access the secret in Secret Manager.
The app will fail to retrieve the secret and may crash or behave unexpectedly.
Assign the correct IAM role (Secret Manager Secret Accessor) to the app's service account.
Using environment variables for secrets but committing .env files with secrets to public repositories.
This leaks secrets publicly, defeating the purpose of secure storage.
Never commit files containing secrets; use secret management services instead.
Summary
Create secrets securely in Google Secret Manager using gcloud commands.
Access secrets when needed without exposing them in code.
Inject secrets as environment variables into cloud services like Cloud Run.
Verify environment variables are set correctly after deployment.