
Retrieving environment variables in Google Cloud stored in secret manager

I am unable to retrieve an environment variable accessed in code in my bitbucket deployed application. When my application starts, I want to fetch db uri, like this: const uri = process.env.MONGODB_CONNECTION_URI;

Whenever I build and push the artifact from local, my environment variables are successfully passed from .env-files I have stored locally on my machine. Obviously I do not want to commit this file.

When I use Bitbucket Pipelines for deploying my application to GCP, I am able to successfully push a new artifact to GCP, but on application startup it is unable to retrieve my db-uri.

This article is pretty close to describing what I want to achieve, but I don't see how this addresses the fact that the property value is an actual secret that I cannot commit to my repo, and need to access at application startup from somewhere.

This question describes how to access variables from secret manager in the Cloud Pipeline, not in the application itself.

I use the predefined google-app-engine-deploy pipe. The relevant parts of my bitbucket-pipelines.yml look like this:

branches:
    develop:
      - step:
          name: Deploy
          deployment: test
          script:
            - pipe: atlassian/google-app-engine-deploy:1.0.0
              variables:
                  KEY_FILE: $GCP_SECRET
                  PROJECT: 'test-project'
                  DEPLOYABLES: 'test.yaml'
                  PROMOTE: 'false'
                  STOP_PREVIOUS_VERSION: 'false'

The GCP_SECRET is the base-64-encoded GCP service account, fetched from secret inside Bitbucket, working nicely.

Inside test.yml, I have the following:

runtime: nodejs
env: flex
instance_class: B1
manual_scaling:
  instances: 1
env_variables:
  NODE_ENV: "test"
  MONGODB_CONNECTION_URI: $MONGODB_CONNECTION_URI

So my issue is the MONGODB_CONNECTION_URI. I have tried adding a new secret in GCP Secret Manager where I have an entry MONGODB_CONNECTION_URI with the actual connection string, but my application is unable to find this property at startup.

Where am I going wrong? Is there something fundamental in how to pass secrets that I have misunderstood?

Can I define and pass a variable inside Bitbucket deployment pipeline? Or is the correct way to access the environment variable directly from Google Cloud Platform?

I would suggest you refer to this documentation link in order to create and access a secret manager.

This documentation link provides resources for using Secret Manager with various Google Cloud services.

For instance, Access Secret Manager secrets and expose them as environment variables or via the filesystem from Cloud Functions. See using Secret Manager secrets with Cloud Functions for detailed information.

Note that adding a secret version requires the Secret Manager Admin role (roles/secretmanager.admin) on the secret, project, folder, or organization. Roles can't be granted on a secret version.

Refer to this discussion on a similar question.

I was able to resolve this with the help of this guide.

I find the solution to be a little bit hacky, but at least it works nicely for me now. Basically, I:

  • Create a shell script inside my repository, defining the names of the variables I would like to populate.
  • Run the script inside bitbucket pipelines, populating with my secret bitbucket deployment variables.
  • The result of this script is a .env file containing the passed secret values, which is correctly passed along to my application.
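The three steps above, as an added example that is not part of the original answer or of the guide it links to: a small POSIX shell script committed to the repository that lists the variable names it needs, reads their values from the secured deployment variables Bitbucket Pipelines exports into the build environment, and writes them to a .env file that is shipped with the artifact. The script name (scripts/write-env.sh), the output path and the sample connection string are assumptions for illustration; the secret values themselves come only from the pipeline environment and are never printed to the build log.

```shell
#!/bin/sh
# Added example (not from the original post or the linked guide).
# Assumed layout: committed as scripts/write-env.sh and run in the pipeline
# step *before* the google-app-engine-deploy pipe, so the generated .env is
# part of the deployable the pipe uploads. Bitbucket injects secured
# deployment variables as ordinary environment variables for that step.

# write_env_file OUTFILE NAME...
# For every NAME, append "NAME=<value>" to OUTFILE. Returns 1 if any NAME is
# unset or empty, so the pipeline fails instead of deploying an app that
# starts without its connection string. Only the variable *name* is written
# to stderr; the value is never echoed.
write_env_file() {
  outfile=$1
  shift
  : > "$outfile"          # truncate: never append to a stale file
  chmod 600 "$outfile"    # readable by the build user only
  missing=0
  for name in "$@"; do
    # NAME comes from the literal list below, not from external input,
    # so indirect expansion via eval is safe here.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "write_env_file: $name is not set in the pipeline environment" >&2
      missing=1
      continue
    fi
    # dotenv loaders read the rest of the line as the value, so no quoting
    # is added around it.
    printf '%s=%s\n' "$name" "$value" >> "$outfile"
  done
  return $missing
}

# Pipeline entry point: the variable names are the only thing committed.
# (Guarded so the function can be sourced/tested without side effects.)
if [ "${0##*/}" = "write-env.sh" ]; then
  write_env_file .env NODE_ENV MONGODB_CONNECTION_URI
fi
```

In bitbucket-pipelines.yml the step would run `sh scripts/write-env.sh` as its first script line, with MONGODB_CONNECTION_URI defined as a secured variable for the `test` deployment environment, and the generated .env must be listed (or live in a directory listed) in DEPLOYABLES. Keep .env in .gitignore so the file only ever exists inside the build container and the deployed artifact.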
