How to avoid plain text environment variables in a Google Cloud Function and instead pass them secretly?
The recommended way to manage secrets in Cloud Function is mounting the secrets from Secret Manager. This documentation explains very well how to set it up: https://cloud.google.com/functions/docs/configuring/secrets
In a nutshell:
- Create your secrets under Secret Manager;
- Edit your Cloud Function -> Advanced Options -> Security;
- Map the secrets you would like to be available during runtime;
- Grant the role roles/secretmanager.secretAccessor to the service account bound to the Cloud Function;
- Once done, you can use the secrets as environment variables (like you are used to and mentioned in your description).
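
An added example, not part of the original answer: a small Python check that reads a function's configuration and reports environment variables that still look like plaintext credentials, next to the ones already mapped from Secret Manager. It assumes the JSON layout printed by `gcloud functions describe NAME --format=json`; the name heuristic, the function name `audit_function_config` and the sample values are constructed for illustration.

```python
import json
import re

# Name fragments that usually indicate a credential (heuristic chosen for this example).
SENSITIVE_NAME = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.I
)


def audit_function_config(config: dict) -> dict:
    """Split a function's env vars into plaintext suspects and secret-backed keys."""
    # 2nd gen nests runtime settings under serviceConfig; 1st gen keeps them top-level.
    runtime = config.get("serviceConfig") or config
    plaintext = runtime.get("environmentVariables") or {}
    mapped = runtime.get("secretEnvironmentVariables") or []

    # Variables whose value is resolved from Secret Manager at runtime.
    secret_backed = {
        m["key"]: f'{m["secret"]}:{m.get("version", "latest")}' for m in mapped
    }
    # Plaintext variables whose name suggests they hold a credential.
    suspects = sorted(name for name in plaintext if SENSITIVE_NAME.search(name))
    return {
        "plaintext_suspects": suspects,
        "secret_backed": secret_backed,
        "service_account": runtime.get("serviceAccountEmail"),
    }


# Constructed sample, shaped like `gcloud functions describe NAME --format=json`.
SAMPLE = json.loads("""
{
  "name": "projects/example-project/locations/us-central1/functions/example-fn",
  "serviceConfig": {
    "serviceAccountEmail": "example-fn@example-project.iam.gserviceaccount.com",
    "environmentVariables": {"LOG_LEVEL": "info", "DB_PASSWORD": "constructed-value"},
    "secretEnvironmentVariables": [
      {"key": "API_KEY", "projectId": "example-project", "secret": "api-key", "version": "latest"}
    ]
  }
}
""")

if __name__ == "__main__":
    report = audit_function_config(SAMPLE)
    for name in report["plaintext_suspects"]:
        print(f"plaintext env var looks like a secret: {name}")
    for key, ref in report["secret_backed"].items():
        print(f"{key} <- Secret Manager {ref}")
    print("needs roles/secretmanager.secretAccessor:", report["service_account"])
```

The reported service account is the one that needs the roles/secretmanager.secretAccessor grant from the steps above.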