Configure secrets for jobs

Your job might need to have dependencies requiring API keys, passwords, certificates, or other sensitive information. For Cloud Run, Google recommends that you store this type of sensitive information in a secret created in Secret Manager .

You can make a secret available to your containers in either of two ways:

Mount each secret as a volume, which makes the secret available to the container as files. Reading a volume always fetches the secret value from Secret Manager, so it can be used with the latest version. This method also works well with secret rotation.
Pass a secret using environment variables . Environment variables are resolved at instance startup time, so if you use this method, Google recommends that you pin the secret to a particular version rather than using latest .

For more information, refer to the Secret Manager best practices document.

How secrets are checked at deployment and runtime

During job creation, all secrets used, whether as environment variable or mounted as a volume, are checked to ensure the service account used to run the container has access to them. If any check fails, the job creation fails.

During runtime, when instances start up:

If the secret is an environment variable, the value of the secret is retrieved prior to starting the instance, so if secret retrieval fails, the instance does not start.
If the secret is mounted as a volume, no check is performed during instance startup. However, during runtime, if a secret is inaccessible, attempts to read the mounted volume will fail.

Volume ownership differs by execution environment and deployment type

When you mount a secret volume using the second generation execution environment, which is the case for jobs, the volume is owned by root.

Before you begin

Enable the Secret Manager API.

Enable the API

Use an existing secret or, create a secret in Secret Manager, as described in Create a secret .

Required roles

To get the permissions that you need to configure secrets, ask your administrator to grant you the following IAM roles:

Cloud Run Admin ( roles/run.admin ) on the Cloud Run job
Service Account User ( roles/iam.serviceAccountUser ) on the service identity

To allow Cloud Run to access the secret, the service identity must have the following role:

Secret Manager Secret Accessor ( roles/secretmanager.secretAccessor )

For instructions on how to add the service identity principal to the Secret Manager Secret Accessor role, see Manage access to secrets .

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions . If your Cloud Run job interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide . For more information about granting roles, see deployment permissions and manage access .

Make a secret accessible to Cloud Run

You can make a secret accessible to your job using the Google Cloud console, the Google Cloud CLI, or YAML:

Console

In the Google Cloud console, go to the Cloud Run jobs page:

Go to Cloud Run
Select Jobsfrom the menu, and click Deploy containerto fill out the initial job settings page. If you are configuring an existing job, select the job, then click Edit.
Click Container(s), Volumes, Connections, Securityto expand the job properties page.
Click the Variables & Secretstab.
- In the Variables & Secrets tab:
  - To expose the secret as an environment variable:
    1. Click the Container(s)tab.
    2. In the Variables and Secretstab, click Reference a secret.
    3. In the Name 1field, enter the name of the environment variable.
    4. From the Secretlist, select the secret you want to use.
    5. From the Version 1list, select the version of the secret to reference.
    6. Click Done.
    7. Click Createor Deploy.
  - To mount secret as a volume:
    1. Click the Volumestab and select Add volume.
    2. In the Volume typelist, select Secret.
    3. In the Volume namefield, enter a name or accept the default name.
    4. From the Secretlist, select the secret you want to use.
    5. In the Path 1field, enter the name of the file to mount.
    6. In the Version 1list, select the version of the secret to reference. By default, the latest version is selected. You can select a specific version if you want.
    7. Click Done.
    8. Navigate to the Container(s)tab to mount your secret to the container.
    9. In the Volume mountstab, and click Mount volume.
    10. From the Name 1list, select your volume name.
    11. In the Mount path 1field, enter the mount path for this secret. This is the directory where all versions of your secret are placed.
    12. Click Done.
    13. Click Createor Deploy.
Click Createor Update.

gcloud

To specify the secret in an environment variable when creating a new job:
```
gcloud  
run  
 jobs 
  
create  
 JOB_NAME 
  
 \ 
--image  
 IMAGE_URL 
  
 \ 
--set-secrets  
  ENV_VAR_NAME 
 
 = 
 SECRET_NAME 
: VERSION 
```
Replace the following:
- JOB_NAME : the name of your job.
- ENV_VAR_NAME : the name of the environment variable to use for the secret.
- SECRET_NAME : the secret name in the same project—for example, mysecret .
- VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .
- IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
You can specify several environment variable/secret pairs, using a comma delimited list.

To specify the secret in an environment variable when updating a job:

gcloud  
run  
 jobs 
  
update  
 JOB_NAME 
  
 \ 
--set-secrets  
  ENV_VAR_NAME 
 
 = 
 SECRET_NAME 
: VERSION

To mount the secret as a volume when creating a job:
```
gcloud  
run  
 jobs 
  
create  
 JOB_NAME 
  
 \ 
--image  
 IMAGE_URL 
  
 \ 
--set-secrets = 
  PATH 
 
 = 
 SECRET_NAME 
: VERSION 
```
Replace the following:
- JOB_NAME : the name of your job.
- IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
- PATH : the mount path of the volume and filename of the secret. It must start with a leading slash—for example, /etc/secrets/dbconfig/password , where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
- SECRET_NAME : the secret name in the same project—for example, mysecret .
- VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .

To update a secret in an existing job:

gcloud  
run  
 jobs 
  
update  
 JOB_NAME 
  
 \ 
--update-secrets = 
  PATH 
 
 = 
 SECRET_NAME 
: VERSION

YAML

Due to constraints around API compatibility, the secret locations must be stored in an annotation.

If you are creating a new job, skip this step. If you are updating an existing job, download its YAML configuration :

gcloud  
run  
 jobs 
  
describe  
 JOB_NAME 
  
--format  
 export 
  
>  
job.yaml

For secrets exposed as environment variables:

 apiVersion 
 : 
  
 run.googleapis.com/v1 
 kind 
 : 
  
 Job 
 metadata 
 : 
  
 name 
 : 
  
  JOB 
 
 spec 
 : 
  
 template 
 : 
  
 spec 
 : 
  
 template 
 : 
  
 spec 
 : 
  
 containers 
 : 
  
 - 
  
 env 
 : 
  
 - 
  
 name 
 : 
  
  SECRET_NAME 
 
  
 valueFrom 
 : 
  
 secretKeyRef 
 : 
  
 key 
 : 
  
  VERSION 
 
  
 name 
 : 
  
  SECRET_LOOKUP_NAME 
 
  
 image 
 : 
  
  IMAGE_URL

Replace the following:

JOB : the name of your job.
IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
SECRET_NAME : the secret name—for example, mysecret .
VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .
SECRET_LOOKUP_NAME : any name that has a valid secret name syntax—for example, my-secret . It can be the same as SECRET_NAME .

For secrets mounted as file paths:
```
 apiVersion 
 : 
  
 run.googleapis.com/v1 
 kind 
 : 
  
 Job 
 metadata 
 : 
  
 name 
 : 
  
  JOB_NAME 
 
 spec 
 : 
  
 template 
 : 
  
 spec 
 : 
  
 template 
 : 
  
 spec 
 : 
  
 containers 
 : 
  
 - 
  
 image 
 : 
  
  IMAGE_URL 
 
  
 volumeMounts 
 : 
  
 - 
  
 mountPath 
 : 
  
  MOUNT_PATH 
 
  
 name 
 : 
  
  VOLUME_NAME 
 
  
 volumes 
 : 
  
 - 
  
 name 
 : 
  
  VOLUME_NAME 
 
  
 secret 
 : 
  
 items 
 : 
  
 - 
  
 key 
 : 
  
  VERSION 
 
  
 path 
 : 
  
  FILENAME 
 
  
 secretName 
 : 
  
  SECRET_LOOKUP_NAME 
 
```
Replace the following:
- JOB_NAME : the name of your job.
- IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
- PATH : the mount path of the volume and filename of the secret. It must start with a leading slash—for example, /etc/secrets/dbconfig/password , where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
- PROJECT_NUMBER : the project number for the project the secret was created in.
- SECRET_NAME : the secret name—for example, mysecret .
- VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .
- SECRET_LOOKUP_NAME : any name that has a valid secret name syntax—for example, my-secret . It can be the same as SECRET_NAME .
- VOLUME_NAME : any name—for example, my-volume . It can be the same as SECRET_NAME .

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands .

Add the following to a google_cloud_run_v2_job resource in your Terraform configuration:

For secrets exposed as environment variables:

  resource 
  
 "google_cloud_run_v2_job" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 " JOB_NAME 
" 
  
 location 
  
 = 
  
 " REGION 
" 
  
 template 
  
 { 
  
 template 
  
 { 
  
 containers 
  
 { 
  
 image 
  
 = 
  
 " IMAGE_URL 
" 
  
 env 
  
 { 
  
 name 
  
 = 
  
 " SECRET_NAME 
" 
  
 value_source 
  
 { 
  
 secret_key_ref 
  
 { 
  
 secret 
  
 = 
  
 " SECRET_NAME 
" 
  
 version 
  
 = 
  
 " VERSION 
" 
  
 } 
  
 } 
  
 } 
  
 } 
  
 } 
  
 } 
 }

Replace the following:

JOB_NAME : the name of your Cloud Run job.
REGION : the Google Cloud region. For example, europe-west1 .
IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
SECRET_NAME : the secret name—for example, mysecret .
VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .

For secrets mounted as file paths:

  resource 
  
 "google_cloud_run_v2_job" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 " JOB_NAME 
" 
  
 location 
  
 = 
  
 " REGION 
" 
  
 template 
  
 { 
  
 template 
  
 { 
  
 containers 
  
 { 
  
 image 
  
 = 
  
 " IMAGE_URL 
" 
  
 volume_mounts 
  
 { 
  
 name 
  
 = 
  
 " VOLUME_NAME 
" 
  
 mount_path 
  
 = 
  
 " MOUNT_PATH 
" 
  
 } 
  
 } 
  
 volumes 
  
 { 
  
 name 
  
 = 
  
 " VOLUME_NAME 
" 
  
 secret 
  
 { 
  
 secret 
  
 = 
  
 " SECRET_NAME 
" 
  
 } 
  
 } 
  
 } 
  
 } 
 }

Replace the following:

JOB_NAME : the name of your Cloud Run job.
REGION : the Google Cloud region. For example, europe-west1 .
IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
VOLUME_NAME : any name—for example, my-volume . It can be the same as SECRET_NAME .
MOUNT_PATH : the mount path of the volume and filename of the secret. It must start with a leading slash—for example, /etc/secrets/dbconfig/password , where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
SECRET_NAME : the secret name—for example, mysecret .

Referencing secrets from other projects

You can reference a secret from another project, if your project's service account has been allowed to access the secret .

Console

In the Google Cloud console, go to the Cloud Run jobs page:

Go to Cloud Run
Select Jobsfrom the menu, and click Deploy containerto fill out the initial job settings page. If you are configuring an existing job, select the job, then click Edit.
Click Container(s), Volumes, Connections, Securityto expand the job properties page.
Click the Variables & Secretstab.
- In the Variables & Secrets tab:
  - To expose the secret as an environment variable:
    1. Click the Container(s)tab.
    2. In the Variables and Secretstab, click Reference a secret.
    3. In the Name 1field, enter the name of the environment variable.
    4. From the Secretlist, click Enter secret manually.
    5. Enter the secret's resource ID in the following format:
      
      projects/ PROJECT_NUMBER /secrets/ SECRET_NAME
      
      Replace the following:
      
      PROJECT_NUMBER with your Google Cloud project number. For detailed instructions on how to find your project number, see Creating and managing projects .
      
      SECRET_NAME : The name of the secret in Secret Manager.
    6. From the Version 1list, select the version of the secret to reference.
    7. Click Done.
    8. Click Createor Deploy.
  - To mount secret as a volume:
    1. Click the Volumestab and select Add volume.
    2. In the Volume typelist, select Secret.
    3. In the Volume namefield, enter a name or accept the default name.
    4. From the Secretlist, click Enter secret manually.
    5. Enter the secret's resource ID in the following format:
      
      projects/ PROJECT_NUMBER /secrets/ SECRET_NAME
      
      Replace the following:
      
      PROJECT_NUMBER with your Google Cloud project number. For detailed instructions on how to find your project number, see Creating and managing projects .
      
      SECRET_NAME : The name of the secret in Secret Manager.
    6. In the Path 1field, enter the name of the file to mount.
    7. In the Version 1list, select the version of the secret to reference. By default, the latest version is selected. You can select a specific version if you want.
    8. Click Done.
    9. Navigate to the Container(s)tab to mount your secret to the container.
    10. In the Volume mountstab, and click Mount volume.
    11. From the Name 1list, select your volume name.
    12. In the Mount path 1field, enter the mount path for this secret. This is the directory where all versions of your secret are placed.
    13. Click Done.
    14. Click Createor Deploy.
Click Createor Update.

gcloud

To mount a secret as a volume when updating a job:
```
gcloud  
run  
 jobs 
  
update  
 JOB_NAME 
  
 \ 
--image  
 IMAGE_URL 
  
 \ 
--update-secrets = 
  PATH 
 
 = 
projects/ PROJECT_NUMBER 
/secrets/ SECRET_NAME 
: VERSION 
```
- JOB_NAME : the name of your job.
- IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
- PATH : the mount path of the volume and filename of the secret. It must start with a leading slash—for example, /etc/secrets/dbconfig/password , where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
- PROJECT_NUMBER : the project number for the project the secret was created in.
- SECRET_NAME : the secret name—for example, mysecret .
- VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .

YAML

If you are creating a new job, skip this step. If you are updating an existing job, download its YAML configuration :

gcloud  
run  
 jobs 
  
describe  
 JOB_NAME 
  
--format  
 export 
  
>  
job.yaml

Due to constraints around API compatibility, the secret locations must be stored in an annotation.

For secrets exposed as environment variables:

 apiVersion 
 : 
  
 run.googleapis.com/v1 
 kind 
 : 
  
 Job 
 metadata 
 : 
  
 name 
 : 
  
  JOB 
 
 spec 
 : 
  
 template 
 : 
  
 metadata 
 : 
  
 annotations 
 : 
  
 run.googleapis.com/secrets 
 : 
  
  SECRET_LOOKUP_NAME 
 
:projects/ PROJECT_NUMBER 
/secrets/ SECRET_NAME 
  
 spec 
 : 
  
 template 
 : 
  
 spec 
 : 
  
 containers 
 : 
  
 - 
  
 env 
 : 
  
 - 
  
 name 
 : 
  
  SECRET_NAME 
 
  
 valueFrom 
 : 
  
 secretKeyRef 
 : 
  
 key 
 : 
  
  VERSION 
 
  
 name 
 : 
  
  SECRET_LOOKUP_NAME 
 
  
 image 
 : 
  
  IMAGE_URL

Replace the following:

JOB : the name of your job.
IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
SECRET_NAME : the secret name—for example, mysecret .
VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .
PROJECT_NUMBER : the project number for the project the secret was created in.
SECRET_LOOKUP_NAME : any name that has a valid secret name syntax—for example, my-secret . It can be the same as SECRET_NAME .

For secrets mounted as file paths:

 apiVersion 
 : 
  
 run.googleapis.com/v1 
 kind 
 : 
  
 Job 
 metadata 
 : 
  
 name 
 : 
  
  JOB_NAME 
 
 spec 
 : 
  
 template 
 : 
  
 metadata 
 : 
  
 annotations 
 : 
  
 run.googleapis.com/secrets 
 : 
  
  SECRET_LOOKUP_NAME 
 
:projects/ PROJECT_NUMBER 
/secrets/ SECRET_NAME 
  
 spec 
 : 
  
 template 
 : 
  
 spec 
 : 
  
 containers 
 : 
  
 - 
  
 image 
 : 
  
  IMAGE_URL 
 
  
 volumeMounts 
 : 
  
 - 
  
 mountPath 
 : 
  
  MOUNT_PATH 
 
  
 name 
 : 
  
  VOLUME_NAME 
 
  
 volumes 
 : 
  
 - 
  
 name 
 : 
  
  VOLUME_NAME 
 
  
 secret 
 : 
  
 items 
 : 
  
 - 
  
 key 
 : 
  
  VERSION 
 
  
 path 
 : 
  
  FILENAME 
 
  
 secretName 
 : 
  
  SECRET_LOOKUP_NAME

Replace the following:

JOB_NAME : the name of your job.
IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
PATH : the mount path of the volume and filename of the secret. It must start with a leading slash—for example, /etc/secrets/dbconfig/password , where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
PROJECT_NUMBER : the project number for the project the secret was created in.
SECRET_NAME : the secret name—for example, mysecret .
VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .
SECRET_LOOKUP_NAME : any name that has a valid secret name syntax—for example, my-secret , it can be the same as SECRET_NAME .
VOLUME_NAME : any name—for example, my-volume , it can be the same as SECRET_NAME .

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands .

Add the following to a google_cloud_run_v2_job resource in your Terraform configuration:

For secrets exposed as environment variables:

  resource 
  
 "google_cloud_run_v2_job" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 " JOB_NAME 
" 
  
 location 
  
 = 
  
 " REGION 
" 
  
 template 
  
 { 
  
 template 
  
 { 
  
 containers 
  
 { 
  
 image 
  
 = 
  
 " IMAGE_URL 
" 
  
 env 
  
 { 
  
 name 
  
 = 
  
 " SECRET_NAME 
" 
  
 value_source 
  
 { 
  
 secret_key_ref 
  
 { 
  
 secret 
  
 = 
  
 "projects/ PROJECT_ID 
/secrets/ SECRET_NAME 
" 
  
 version 
  
 = 
  
 " VERSION 
" 
  
 } 
  
 } 
  
 } 
  
 } 
  
 } 
  
 } 
 }

Replace the following:

JOB_NAME : the name of your Cloud Run job.
REGION : the Google Cloud region. For example, europe-west1 .
IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
SECRET_NAME : the secret name—for example, mysecret .
PROJECT_ID : the project ID the secret was created in.
VERSION : the secret version. Use latest for latest version, or a number—for example, 2 .

For secrets mounted as file paths:

  resource 
  
 "google_cloud_run_v2_job" 
  
 "default" 
  
 { 
  
 name 
  
 = 
  
 " JOB_NAME 
" 
  
 location 
  
 = 
  
 " REGION 
" 
  
 template 
  
 { 
  
 template 
  
 { 
  
 containers 
  
 { 
  
 image 
  
 = 
  
 " IMAGE_URL 
" 
  
 volume_mounts 
  
 { 
  
 name 
  
 = 
  
 " VOLUME_NAME 
" 
  
 mount_path 
  
 = 
  
 " MOUNT_PATH 
" 
  
 } 
  
 } 
  
 volumes 
  
 { 
  
 name 
  
 = 
  
 " VOLUME_NAME 
" 
  
 secret 
  
 { 
  
 secret 
  
 = 
  
 "projects/ PROJECT_ID 
/secrets/ SECRET_NAME 
" 
  
 } 
  
 } 
  
 } 
  
 } 
 }

Replace the following:

JOB_NAME : the name of your Cloud Run job.
REGION : the Google Cloud region—for example, europe-west1 .
IMAGE_URL : a reference to the container image —for example, us-docker.pkg.dev/cloudrun/container/job:latest .
VOLUME_NAME : any name—for example, my-volume , it can be the same as SECRET_NAME .
MOUNT_PATH : the mount path of the volume and filename of the secret. It must start with a leading slash—for example, /etc/secrets/dbconfig/password , where /etc/secrets/dbconfig/ is the mount path of the volume, and password is the filename of the secret.
PROJECT_ID : the project ID the secret was created in.
SECRET_NAME : the secret name—for example, mysecret .

View secrets settings

To view the current secrets settings for your Cloud Run job:

Console

In the Google Cloud console, go to the Cloud Run jobs page:

Go to Cloud Run jobs
Click the job you are interested in to open the Job detailspage.
Click View and Edit job configuration.
Locate the secrets setting in the configuration details.

gcloud

Use the following command:

gcloud  
run  
 jobs 
  
describe  
 JOB_NAME

Locate the secrets setting in the returned configuration.

Disallowed paths and limitations

Cloud Run does not allow you to mount secrets at /dev , /proc and /sys , or on their subdirectories.

If you are mounting secrets on /tmp and you are using first generation execution environment , refer to the known issue on mounting secrets on /tmp .

Cloud Run does not allow you to mount multiple secrets at the same path because two volume mounts cannot be mounted at the same location.

Overriding a directory

If the secret is mounted as a volume in Cloud Run, and the last directory in the volume mount path already exists, then any files or folders in the existing directory become inaccessible.

For example, if a secret called my-secret is mounted to path /etc/app_data , all the contents inside the app_data directory will be overwritten, and the only visible file is /etc/app_data/my-secret .

To avoid overwriting files in an existing directory, create a new directory for mounting the secret, for example, /etc/app_data/secrets , so that the mount path for the secret is /etc/app_data/secrets/my-secret .

Configure secrets for jobs Stay organized with collections Save and categorize content based on your preferences.

How secrets are checked at deployment and runtime

Volume ownership differs by execution environment and deployment type

Before you begin

Required roles

Make a secret accessible to Cloud Run

Console

gcloud

YAML

Terraform

Referencing secrets from other projects

Console

gcloud

YAML

Terraform

View secrets settings

Console

gcloud

Disallowed paths and limitations

Overriding a directory

Configure secrets for jobs