1. You are deploying a containerized microservice to Cloud Run that exposes a REST API. The microservice reads configuration from environment variables. During deployment, you need to set an environment variable API_KEY to a value stored in Secret Manager. Which deployment method is most appropriate?
- A. Use gcloud run deploy with the --set-env-vars flag and pass the secret value directly as a string
- B. Use gcloud run deploy with the --set-secrets flag to reference the secret from Secret Manager, which Cloud Run automatically injects as an environment variable✓ Correct
- C. Create a custom Dockerfile that retrieves the secret from Secret Manager during container build time and embeds it in the image
- D. Deploy a Service Account key as an environment variable and use it to fetch the secret at runtime from within the application code
Explanation
Correct answer: (B) Cloud Run's --set-secrets flag (or secretRef in YAML) automatically injects secrets from Secret Manager as environment variables without embedding them in images or logs. Wrong answers: (A) Passing secret values directly in the command line exposes them in shell history and process listings; (C) Embedding secrets in container images at build time violates security best practices and makes rotation difficult; (D) Storing service account keys as environment variables is less secure than using Workload Identity or Secret Manager.