fix: reduce Secret Manager costs by resolving secrets at deploy time #86
Open
rozen03 wants to merge 1 commit into
Conversation
Resolves an issue where Cloud Run cold starts incur excessive Secret Manager API costs by resolving secrets continuously. This delegates fetching the secrets to GitHub Actions using `google-github-actions/get-secretmanager-secrets` and passes them securely to `gcloud run` as environment variables instead of using `--set-secrets`.
This PR fixes the excessive Google Cloud Secret Manager costs caused by Cloud Run retrieving secrets on every cold start.

Currently, the workflow uses `--set-secrets`, which binds the Cloud Run instance to the Secret Manager directly, resulting in an API call for every mapped secret whenever a new instance is spun up. Given that the bot receives periodic traffic, these cold starts trigger 7 reads per interaction and 4 reads for the cron job, exceeding the GCP free tier.

Changes:
- `google-github-actions/get-secretmanager-secrets@v2` during deployment to resolve the secrets in the CI/CD pipeline.
- `--set-env-vars` and the `^@^` alternative delimiter (for safe escaping).
- `--clear-secrets` to drop the old secret mappings.

This change completely eliminates Secret Manager access by Cloud Run at runtime (0 reads per cold start) while keeping the same variables securely available in the environment.
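The deploy step the PR describes hinges on one detail: `gcloud` splits `--set-env-vars` on commas by default, so a value such as a connection string with query parameters has to be passed with an alternate delimiter (`^@^`). The following is an added example, not code from this PR or from the project's workflow; the function names (`build_env_vars_arg`, `deploy_args`) and the sample values are constructed for illustration. It builds the delimiter-prefixed argument, rejects input that would break the split, and prints the resulting `gcloud run deploy` argv for review instead of executing it.

```shell
#!/bin/sh
# Added example (not the PR's own workflow code): assemble the
# --set-env-vars argument using gcloud's alternate-delimiter syntax "^@^"
# so values containing commas (the default delimiter) are passed intact.
# Function names and sample values below are constructed for illustration.

# build_env_vars_arg KEY=VALUE [KEY=VALUE ...]
# Prints "^@^K1=V1@K2=V2..." on stdout. Returns 1 on a malformed pair,
# an invalid key, or a value containing '@' (which gcloud would split on).
build_env_vars_arg() {
    out=""
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "build_env_vars_arg: missing '=' in pair" >&2; return 1 ;;
        esac
        key=${pair%%=*}
        value=${pair#*=}
        # Environment-variable name: letters, digits, underscore, no leading digit.
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "build_env_vars_arg: invalid key '$key'" >&2; return 1 ;;
        esac
        # The chosen delimiter must not occur inside any value.
        case "$value" in
            *@*) echo "build_env_vars_arg: value of $key contains '@'" >&2; return 1 ;;
        esac
        if [ -z "$out" ]; then
            out=$pair
        else
            out="$out@$pair"
        fi
    done
    [ -n "$out" ] || { echo "build_env_vars_arg: no pairs given" >&2; return 1; }
    printf '^@^%s\n' "$out"
}

# deploy_args SERVICE IMAGE REGION KEY=VALUE...
# Prints the deploy argv one element per line (dry run, nothing is executed).
# --clear-secrets drops every existing Secret Manager mapping on the service;
# --set-env-vars then supplies the values already resolved in CI.
deploy_args() {
    service=$1; image=$2; region=$3; shift 3
    envarg=$(build_env_vars_arg "$@") || return 1
    printf '%s\n' gcloud run deploy "$service" \
        --image "$image" --region "$region" \
        --clear-secrets --set-env-vars "$envarg"
}

# Demo with constructed placeholder values (in the workflow these would be
# the get-secretmanager-secrets step outputs). Run: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
    deploy_args my-bot gcr.io/example/bot:latest us-central1 \
        "DATABASE_URL=postgres://db.example/app?sslmode=require,timeout=5" \
        "API_TOKEN=placeholder-token"
fi
```

Two practitioner caveats on the trade-off this PR makes. First, values passed with `--set-env-vars` are stored in plaintext in the revision configuration, so anyone who can describe the service (`gcloud run services describe`, or the console) can read them, whereas `--set-secrets` stored only a reference and resolved the value at runtime; the action does mask its outputs in the Actions log, but the Cloud Run side is now the exposure point. Second, `--clear-secrets` removes all secret mappings on the service, mounted volumes included, not only the environment-variable ones, so any secret the service still needs at runtime must be re-supplied in the same deploy.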