feat(run): Update sample to use Secret Manager Integration (GoogleCloudPlatform#6251)

averikitsch · web-flow · commit 7f1fb1b26d1a · 2021-07-01T20:36:07.000Z
## Description Fixes #<ISSUE-NUMBER> Note: It's a good idea to open an issue first for discussion. ## Checklist - [ ] I have followed [Sample Guidelines from AUTHORING_GUIDE.MD](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/AUTHORING_GUIDE.md) - [ ] README is updated to include [all relevant information](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/AUTHORING_GUIDE.md#readme-file) - [ ] **Tests** pass: `nox -s py-3.6` (see [Test Environment Setup](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/AUTHORING_GUIDE.md#test-environment-setup)) - [ ] **Lint** pass: `nox -s lint` (see [Test Environment Setup](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/AUTHORING_GUIDE.md#test-environment-setup)) - [ ] These samples need a new **API enabled** in testing projects to pass (let us know which ones) - [ ] These samples need a new/updated **env vars** in testing projects set to pass (let us know which ones) - [ ] Please **merge** this PR for me once it is approved. - [ ] This sample adds a new sample directory, and I updated the [CODEOWNERS file](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/.github/CODEOWNERS) with the codeowners for this sample
diff --git a/run/idp-sql/README.md b/run/idp-sql/README.md
@@ -12,7 +12,6 @@ For more details on how to work with this sample read the [Google Cloud Run Pyth
 ## Dependencies
 
 * **flask**: web server framework
-* **google-cloud-secret-manager**: Google Secret Manager client library
 * **firebase-admin**: verifying JWT token
 * **sqlalchemy + pg8000**: postgresql interface
 * **Firebase JavaScript SDK**: client-side library for authentication flow
@@ -22,7 +21,7 @@ For more details on how to work with this sample read the [Google Cloud Run Pyth
 Cloud Run services can be [configured with Environment Variables](https://cloud.google.com/run/docs/configuring/environment-variables).
 Required variables for this sample include:
 
-* `CLOUD_SQL_CREDENTIALS_SECRET`: the resource ID of the secret, in format: `projects/PROJECT_ID/secrets/SECRET_ID/versions/VERSION`. See [postgres-secrets.json](postgres-secrets.json) for secret content.
+* `CLOUD_SQL_CREDENTIALS_SECRET`: the resource ID of the secret, in format: `projects/PROJECT_ID/secrets/SECRET_ID/versions/VERSION` when deployed to Cloud Run. At runtime, Cloud Run will inject the secret value as an environment variable, for more info see [Using secrets](https://cloud.google.com/run/docs/configuring/secrets#command-line). See [postgres-secrets.json](postgres-secrets.json) for secret content.
 
 OR
 
diff --git a/run/idp-sql/credentials.py b/run/idp-sql/credentials.py
@@ -16,19 +16,14 @@
 import os
 from typing import Dict
 
-from google.cloud import secretmanager
-
 from middleware import logger
 
 
 # [START cloudrun_user_auth_secrets]
 def get_cred_config() -> Dict[str, str]:
-    if "CLOUD_SQL_CREDENTIALS_SECRET" in os.environ:
-        name = os.environ["CLOUD_SQL_CREDENTIALS_SECRET"]
-        client = secretmanager.SecretManagerServiceClient()
-        response = client.access_secret_version(request={"name": name})
-        logger.info("Credentials pulled from CLOUD_SQL_CREDENTIALS_SECRET")
-        return json.loads(response.payload.data.decode("UTF-8"))
+    secret = os.environ.get("CLOUD_SQL_CREDENTIALS_SECRET")
+    if secret:
+        return json.loads(secret)
     # [END cloudrun_user_auth_secrets]
     else:
         logger.info(
diff --git a/run/idp-sql/postcreate.sh b/run/idp-sql/postcreate.sh
@@ -20,9 +20,9 @@ export SERVICE_ACCOUNT="idp-sql-identity"
 
 # Update Cloud Run service to include Cloud SQL instance, Secret Manager secret,
 # and service account
-gcloud run services update ${K_SERVICE} \
+gcloud beta run services update ${K_SERVICE} \
     --platform managed \
     --region ${GOOGLE_CLOUD_REGION} \
     --service-account ${SERVICE_ACCOUNT}@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com \
     --add-cloudsql-instances ${GOOGLE_CLOUD_PROJECT}:${GOOGLE_CLOUD_REGION}:${CLOUD_SQL_INSTANCE_NAME} \
-    --update-env-vars CLOUD_SQL_CREDENTIALS_SECRET=projects/${GOOGLE_CLOUD_PROJECT}/secrets/${SECRET_NAME}/versions/latest
+    --update-secrets CLOUD_SQL_CREDENTIALS_SECRET=${SECRET_NAME}:latest
diff --git a/run/idp-sql/requirements.txt b/run/idp-sql/requirements.txt
@@ -3,5 +3,4 @@ SQLAlchemy==1.4.11
 pg8000==1.19.5
 gunicorn==20.1.0
 firebase-admin==5.0.1
-google-cloud-secret-manager==2.5.0
 structlog==21.1.0
diff --git a/run/idp-sql/test/e2e_test_setup.yaml b/run/idp-sql/test/e2e_test_setup.yaml
@@ -63,14 +63,15 @@ steps:
   args:
   - '-c'
   - |
-    ./test/retry.sh "gcloud run deploy ${_SERVICE} \
+    ./test/retry.sh "gcloud beta run deploy ${_SERVICE} \
       --project $PROJECT_ID \
       --image gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION} \
       --allow-unauthenticated \
       --region ${_REGION} \
       --platform ${_PLATFORM} \
       --add-cloudsql-instances ${_CLOUD_SQL_CONNECTION_NAME} \
-      --update-env-vars CLOUD_SQL_CREDENTIALS_SECRET=projects/${PROJECT_ID}/secrets/${_SERVICE}-secrets/versions/latest,TRAMPOLINE_CI=kokoro"
+      --update-secrets CLOUD_SQL_CREDENTIALS_SECRET=${_SERVICE}-secrets:latest \
+      --update-env-vars TRAMPOLINE_CI=kokoro"
 
 images:
 - gcr.io/${PROJECT_ID}/${_SERVICE}:${_VERSION}
