GCP · How-To · Beginner · 4 min read

How to Use Secrets in Google Cloud Functions Securely

To use a secret in a Google Cloud Function, store it in Secret Manager, grant the function's runtime service account permission to read it, and fetch it at runtime with the Secret Manager client library instead of baking it into code or deployment files. Use the value inside the function; do not return it to callers or write it to logs.

Syntax

Use the Secret Manager client library to access secrets inside your Cloud Function. The main steps are:

  • Import the Secret Manager client.
  • Create a client instance.
  • Access the secret version using its resource name.
  • Decode the secret payload.
```python
from google.cloud import secretmanager

# Create the client once at module level so warm instances reuse it.
client = secretmanager.SecretManagerServiceClient()

def access_secret(secret_name, project_id, version="latest"):
    # Full resource name. "latest" resolves to the newest enabled version;
    # pin a numeric version in production so a rotation cannot change
    # behaviour without a redeploy.
    name = f"projects/{project_id}/secrets/{secret_name}/versions/{version}"
    response = client.access_secret_version(request={"name": name})
    # The payload is bytes; decode it before use.
    return response.payload.data.decode("UTF-8")
```

Example

This example shows a simple HTTP Cloud Function in Python that reads a secret named my-secret from Secret Manager and confirms that it loaded, without returning the value to the caller.

```python
from google.cloud import secretmanager

def hello_secret(request):
    project_id = "your-gcp-project-id"
    secret_name = "my-secret"

    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project_id}/secrets/{secret_name}/versions/latest"
    response = client.access_secret_version(request={"name": name})
    secret_value = response.payload.data.decode("UTF-8")

    # Use secret_value here (for example as an API key on an outbound
    # request). Do not return it to the caller or write it to logs.
    return f"Secret {secret_name} loaded; value used server-side, not returned"
```
Output
Secret my-secret loaded; value used server-side, not returned

Common Pitfalls

  • Missing permissions: The function's runtime service account needs the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor). Grant it on the individual secret rather than on the whole project so the function can read only what it needs.
  • Hardcoding secrets: Never hardcode secrets in code, environment files or deployment descriptors checked into source control; fetch them from Secret Manager.
  • Incorrect secret resource name: Use the full resource path projects/{project}/secrets/{secret}/versions/{version}; a bare secret name is rejected. versions/latest follows the newest enabled version, so pin a numeric version where an unexpected rotation would break the function.
  • Not decoding the payload: The secret data is bytes and must be decoded to a string.
  • Echoing the secret: Returning it in the HTTP response, or letting it reach logs or error messages, exposes it to anyone who can call the function or read the logs.
```python
# Wrong way: a hardcoded secret ends up in source control and every build
def hello_wrong(request):
    secret_value = "hardcoded_secret"
    return f"Secret: {secret_value}"

# Right way: fetch it from Secret Manager at runtime and keep it server-side
from google.cloud import secretmanager

def hello_right(request):
    client = secretmanager.SecretManagerServiceClient()
    name = "projects/your-project/secrets/my-secret/versions/latest"
    response = client.access_secret_version(request={"name": name})
    secret_value = response.payload.data.decode("UTF-8")
    # Use secret_value here; never return it to the caller.
    return "Secret loaded; not echoed"
```
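Putting the Syntax steps, the Example and the pitfalls list together, here is an added example that is not code from the original page: a handler that validates the resource path, loads the secret once per instance through an injectable fetcher, fails closed without leaking the reason, and never returns the value. The environment variable names GCP_PROJECT_ID and MY_SECRET_VERSION, the secret id my-secret, the id character rules and the bearer-token use are assumptions.

```python
"""Cloud Function handler that loads a secret once per instance and never
echoes it. Added example, not from the page; the env-var names, the secret
id "my-secret" and the downstream use are assumptions."""
import logging
import os
import re

try:
    from google.cloud import secretmanager  # used only by fetch_secret_from_gcp
except ImportError:  # lets the rest of the module run where the library is absent
    secretmanager = None

# Assumption: project and secret ids are plain identifiers (letters, digits, "-", "_").
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")


def secret_version_name(project_id, secret_id, version="latest"):
    """Build the full resource path and refuse anything that is not a plain id,
    so a caller-controlled value cannot reshape the path."""
    if not (_ID_RE.match(project_id) and _ID_RE.match(secret_id)):
        raise ValueError("invalid project or secret id")
    if version != "latest" and not version.isdigit():
        raise ValueError("version must be 'latest' or a numeric version id")
    return f"projects/{project_id}/secrets/{secret_id}/versions/{version}"


def fetch_secret_from_gcp(name):
    """The real call: one round trip to Secret Manager, payload decoded from bytes."""
    if secretmanager is None:
        raise RuntimeError("google-cloud-secret-manager is not installed")
    client = secretmanager.SecretManagerServiceClient()
    response = client.access_secret_version(request={"name": name})
    return response.payload.data.decode("UTF-8")


_cache = {}  # per-instance cache: warm invocations skip the API call


def get_secret(name, fetch=None):
    """Return the decoded secret, fetching it at most once per instance.
    `fetch` is injectable so the logic can be exercised without network access.
    Caveat: a cached "latest" is not refreshed on rotation until the instance
    restarts; pin a numeric version if that matters."""
    if name not in _cache:
        _cache[name] = (fetch or fetch_secret_from_gcp)(name)
    return _cache[name]


def hello_secret(request, fetch=None):
    """HTTP entry point. Returns (body, status); the secret never leaves the function."""
    project_id = os.environ.get("GCP_PROJECT_ID", "your-gcp-project-id")  # assumption: set at deploy time
    version = os.environ.get("MY_SECRET_VERSION", "latest")  # assumption: pinned to a number in prod
    name = secret_version_name(project_id, "my-secret", version)
    try:
        api_key = get_secret(name, fetch)
    except Exception as exc:
        # Log only the failure class; exception text can carry detail you do not want in logs.
        logging.error("could not load %s: %s", name, type(exc).__name__)
        return ("secret unavailable", 500)
    # Use the value server-side (e.g. as a bearer token on an outbound request)...
    outbound_headers = {"Authorization": f"Bearer {api_key}"}
    # ...and answer the caller without it.
    return (f"loaded {name}; {len(outbound_headers)} auth header prepared", 200)
```

The injectable `fetch` is what makes the caching, validation and fail-closed paths testable offline; in the deployed function it is left unset so `fetch_secret_from_gcp` is used.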

Quick Reference

Remember these key points when using secrets in Cloud Functions:

  • Store secrets in Secret Manager.
  • Grant your function's service account Secret Manager Secret Accessor role.
  • Use the Secret Manager client library to fetch secrets at runtime.
  • Always decode the secret payload from bytes to string.

Key Takeaways

Always store secrets securely in Secret Manager, not in code.
Grant your Cloud Function's service account permission to access secrets.
Use the Secret Manager client library to fetch secrets at runtime.
Decode secret payloads from bytes to strings before use.
Avoid hardcoding or exposing secrets in logs or error messages.