Skip to content

Add runtime option to associate secrets to functions #1018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Feb 10, 2022
Merged

Add runtime option to associate secrets to functions #1018

merged 19 commits into from
Feb 10, 2022

Conversation

taeold
Copy link
Contributor

@taeold taeold commented Jan 5, 2022

Google Cloud Functions (GCF) now have support for loading secrets stored in Secret Manager to securely access application secrets (e.g. Third party API keys) on function executions. See the [documentations(https://cloud.google.com/functions/docs/configuring/secrets) for more details.

We propose extending the function runtime option to associate secrets. Then, the secrets can be access as an environment once deployed to GCF:

import * as functions from "firebase-functions";

const helloSecret = functions
  .runWith({ 
    // Loads secret
    //   projects/{PROJECT}/secrets/MY_SECRET/versions/{current latest secret version}
    secrets: ['MY_SECRET']
  })
  .https
  .onRequest((res, req) => {
    req.send(`Shhhhh. Our secret: ${process.env.MY_SECRET}`);
  });

const helloSecretVersion = functions
  .runWith({ 
    // Loads secret
    //   projects/{PROJECT}/secrets/MY_SECRET/versions/3
    secrets: ['MY_SECRET@3']
  })
  .https
  .onRequest((res, req) => {
    req.send(`Shhhhh. Our secret: ${process.env.MY_SECRET}`);
  });


// Optionally provide the full resource name.
const helloSecretFullName = functions
  .runWith({ 
    secrets: [
      'projects/my-project/secrets/MY_SECRET', // as secret resource name
      'projects/my-project/secrets/ANOTHER_SECRET/versions/3', // or secret version resource name
    ] 
  })
  .onRequest((res, req) => {
    // Environment variable name is still the secret id.
    req.send(`Shhhhh. Our secret: ${process.env.MY_SECRET}`);
  });

@taeold taeold requested review from inlined and colerogers January 5, 2022 18:51
inlined
inlined requested changes Jan 5, 2022
View reviewed changes
@taeold taeold requested a review from inlined January 13, 2022 01:16
colerogers
colerogers requested changes Jan 20, 2022
View reviewed changes
@taeold taeold requested a review from colerogers January 21, 2022 05:31
inlined
inlined reviewed Feb 7, 2022
View reviewed changes
src/cloud-functions.ts Outdated
options,
'secretEnvironmentVariables',
'secrets',
(secrets) => secrets.map((secret) => ({ secret }))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is where the fully qualified names/versions gets weird because we agreed elsewhere that we'd be setting key and not secret so that we could bind later. I guess we can, in this case, bind both and not bind secret in the params case?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah that's good point.

I've been thinking the opposite - that v1 Functions SDK will receive secret and the CLI will bind the env key using the secret name. With params context, having the option to later bind the secret makes sense.

Being restrictive here - to set both key and secret to the secret input is good and letting params be the one that only binds the secret makes more sense to me.

@taeold taeold requested a review from inlined February 9, 2022 19:35
@taeold taeold merged commit 2c897ea into master Feb 10, 2022
@taeold taeold deleted the dl-cf3-secrets branch February 10, 2022 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inlined inlined inlined approved these changes

@colerogers colerogers colerogers approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@taeold @inlined @colerogers