SHART.CLOUD | DESKTOP | LABROULETTE | GCP-CLOUD-RUN-SECRET-EGRESS.YAML
01 - Labroulette - Run Cloud Run with Secrets and No Surprise Egress
| shart.cloud / labroulette / gcp-cloud-run-secret-egress |
GCP **O ~80 min $1-4 reviewed 6/30/2026

Run Cloud Run with Secrets and No Surprise Egress

Deploy a Cloud Run service that reads secrets from Secret Manager, uses a dedicated service account, and sends outbound traffic through a controlled VPC path with explicit egress settings.

#serverless#security#networking
Lab SnackFax, a fax-to-snack API that moved to Cloud Run, shoved credentials in environment variables, and then discovered the service could talk to the whole internet like a caffeinated exfiltration intern. all labs
02 - Actions
score -- - -- votes
-- completed
State loading
03 - Scenario

SnackFax, a fax-to-snack API that moved to Cloud Run, shoved credentials in environment variables, and then discovered the service could talk to the whole internet like a caffeinated exfiltration intern.

Deploy a Cloud Run service that reads secrets from Secret Manager, uses a dedicated service account, and sends outbound traffic through a controlled VPC path with explicit egress settings.

Constraints

  • Cloud Run reads secrets from Secret Manager at runtime, not plain environment variables
  • Cloud Run runs as a dedicated service account with minimal IAM grants
  • Outbound traffic uses a VPC connector with explicit egress behavior
  • Ingress is locked to the intended audience, not public by accident
Scenario GCP - intermediate
05 - Steps
  1. STEP_01

    Create the runtime identity

    Create a service account for the Cloud Run service and use it as the only runtime identity. This account is the blast radius boundary for anything the container does after startup.

    Terraform docs

  2. STEP_02

    Store the API key as a managed secret

    Create a Secret Manager secret and seed a harmless lab token, then grant the runtime service account access to that one secret only. Document that real secret values should be injected through your delivery system, not committed into Terraform.

    Terraform docs

  3. STEP_03

    Add a VPC connector

    Create a Serverless VPC Access connector in a subnet reserved for Cloud Run egress. Wire the service to it and choose whether all traffic or only private ranges use the connector.

    Hint: The egress setting is the point of the lab. Write down why you chose private-ranges-only or all-traffic for this workload.

    Terraform docs

  4. STEP_04

    Deploy Cloud Run with locked-down ingress

    Deploy the Cloud Run v2 service with the runtime service account, secret reference, VPC connector, and ingress setting. Avoid "all" ingress unless the scenario truly needs a public endpoint.

    Terraform docs

  5. STEP_05

    Grant invocation deliberately

    Bind the Cloud Run invoker role only to the test caller identity. Confirm an unauthenticated request fails and an authorized request succeeds.

    Terraform docs

Steps 5 tasks
06 - Deliverables
  • Terraform for the service account, secret, VPC connector, Cloud Run service, and IAM bindings
  • Evidence that unauthenticated invocation is denied
  • A short egress decision note explaining the chosen VPC connector behavior
Deliverables 3 required
07 - Rubric
Cloud Run reads the value from Secret Manager instead of a plain environment variable 25%
Cloud Run uses a dedicated service account with narrow IAM grants 25%
VPC connector and egress setting are configured and explained 30%
Invocation is restricted and denial is demonstrated 20%
Rubric self-assessed