Retrieve secrets in Cloud Code scripts

Learn how to retrieve and use secrets within Cloud Code script implementations.

You can retrieve secrets stored in Secret Manager from a Cloud Code script.

Prerequisites

To follow this sample, you need a Cloud Code script set up in your project, and a secret stored in Secret Manager.
  1. Follow the steps in the Getting Started guide to create a Cloud Code script.
  2. Create a secret in Secret Manager, and allow Cloud Code access. For more information, refer to the Store secrets guide.
When you have completed these steps, you can follow the instructions below to retrieve the secret in your Cloud Code script.

Retrieve a secret

To retrieve a secret in a Cloud Code script, use the Secret Manager JavaScript SDK for Cloud Code. The following example demonstrates how to retrieve a secret in a Cloud Code script.

Use the Secret Manager SDK

Secret Manager integration in Cloud Code is available as one of the function parameters. It does not need to be imported separately.

JavaScript

    module.exports = async ({ params, context, logger, secretManager }) => {
      const secret_example = await secretManager.getSecret("SECRET_EXAMPLE");
      // The secret value can be accessed via secret_example.value
      // Be wary of how this secret value is utilised within your code and
      // avoid logging the secret value or passing it as a response or exception
      // ...
    };

Retrieve the secret

To retrieve the secret, use the Secret Manager SDK.

JavaScript

    // ...
    secret = await secretManager.getSecret("AUTH_STRING");
    // ...

Although secrets are stored at different levels of the hierarchy, you do not need to specify the level when you retrieve one. In the Cloud Code integration, the client retrieves the value from the lowest level of the hierarchy at which it exists. For instance, if the secret you are retrieving has no value set at the environment level, the client retrieves the value from the project level and, failing that, from the organization level. For more information on the secret hierarchy, refer to Secret hierarchy.

Use the secret

You can now use the secret value in your Cloud Code script by passing it to the relevant service or API. For instance, if you use secrets to store service account credentials to authenticate an admin service in Cloud Code, you can pass the secret value to that service. The sample below shows how to pass an authentication string to make a call to the Remote Config Admin API. It uses Basic authentication, composed of Base64-encoded service account credentials. Read the value property on the secret object to get the secret value.

JavaScript

    const axios = require("axios-1.6");

    module.exports = async ({ params, context, logger, secretManager }) => {
      // Fetch the Base64-encoded service account credentials from Secret Manager.
      let secret;
      try {
        secret = await secretManager.getSecret("AUTH_STRING");
      } catch (err) {
        logger.error("Failed to retrieve secret from the secret manager", { "error.message": err.message });
        throw err;
      }

      // The secret is used only in the Authorization header; it is never logged.
      const config = {
        headers: {
          "Content-Type": "application/json",
          Authorization: "Basic " + secret.value,
        },
      };

      try {
        const configGetUrl = `https://services.api.unity.com/remote-config/v1/projects/${context.projectId}/configs`;
        const res = await axios.get(configGetUrl, config);
        return res.data;
      } catch (err) {
        logger.error("Failed to retrieve RemoteConfig settings", { "error.message": err.message });
        throw err;
      }
    };
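
The earlier warning about not logging the secret or passing it in a response or exception also covers error objects: an axios error keeps the request config, Authorization header included, so logging or rethrowing it whole can expose the value. The following is an added example, not part of the original page or the Secret Manager SDK; redact, sanitizeError, the injected httpGet client and all sample values are hypothetical and constructed for illustration.

```javascript
// Replace every occurrence of the secret in a string with a marker.
function redact(text, secretValue) {
  return secretValue ? String(text).split(secretValue).join("[REDACTED]") : String(text);
}

// An axios error keeps the request config, Authorization header included, in
// err.config, so build a fresh Error with only a redacted message and status.
function sanitizeError(err, secretValue) {
  const safe = new Error(redact(err.message, secretValue));
  if (err.response && err.response.status) safe.status = err.response.status;
  return safe;
}

// Cloud Code style handler. httpGet is a hypothetical injected client so the
// example runs offline; the page's script calls axios.get directly.
const handler = async ({ context, logger, secretManager, httpGet }) => {
  const secret = await secretManager.getSecret("AUTH_STRING");
  const url = `https://services.api.unity.com/remote-config/v1/projects/${context.projectId}/configs`;
  try {
    const res = await httpGet(url, { headers: { Authorization: "Basic " + secret.value } });
    return res.data;
  } catch (err) {
    const safe = sanitizeError(err, secret.value);
    logger.error("Failed to retrieve RemoteConfig settings", { "error.message": safe.message });
    throw safe; // never rethrow err itself
  }
};

// Constructed sample (not a real credential): header in config, echoed in message.
const SAMPLE_SECRET = "Y29uc3RydWN0ZWQ6c2FtcGxl";
function sampleAxiosError() {
  const err = new Error("Request failed with status code 401 for Basic " + SAMPLE_SECRET);
  err.config = { headers: { Authorization: "Basic " + SAMPLE_SECRET } };
  err.response = { status: 401 };
  return err;
}

// Run the handler against stubs; return what the caller and the log receive.
async function demo() {
  const logged = [];
  const deps = {
    context: { projectId: "constructed-project-id" },
    logger: { error: (msg, fields) => logged.push(JSON.stringify({ msg, fields })) },
    secretManager: { getSecret: async () => ({ value: SAMPLE_SECRET }) },
    httpGet: async () => { throw sampleAxiosError(); },
  };
  const thrown = await handler(deps).catch((e) => e);
  return { thrown, logged };
}
```

Serializing the unsanitized sample error with JSON.stringify exposes the Authorization header, while the sanitized error serializes to its status only.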