functions-framework-nodejs

using gcloud functions deploy --set-secrets=/workspace will trigger an error

Open techieshark opened this issue 7 months ago • 2 comments

Expected

It is possible to deploy a secret file into /workspace within a cloud function environment.

Observed

After the function is deployed, the step that tests it fails, and it prints this error:

ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Function failed on loading user code. This is likely due to a bug in the user code. Error message: Provided code location '/workspace' is not a loadable module.

I've googled "Error message: Provided code location '/workspace' is not a loadable module." but not much luck yet finding where this comes from.

Steps to reproduce

Assuming you have a gen 1 function e.g. named my-existing-gen1-cloud-function (I'm not sure if this works on Gen 2; I haven't yet tried it):

gcloud functions deploy my-existing-gen1-cloud-function --entry-point=webhook --set-secrets=/workspace/.env-file=Secrets-Env-File:latest

Note there is a warning printed: "Ensure that the runtime service account...has access to the secrets." (which I've done)

Logs

For Cloud Build Logs, visit: https://console.cloud.google.com/cloud-build/builds;region=us-central1/(redacted)?project=(redacted)
Deploying function (may take a while - up to 2 minutes)...⠏   
Deploying function (may take a while - up to 2 minutes)...failed.                 
                                                                                     
ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Function failed on loading user code. This is likely due to a bug in the user code. Error message: Provided code location '/workspace' is not a loadable module.

Did you specify the correct location for the module defining your function?

Could not load the function, shutting down.. Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation.

Workarounds

It seems possible to deploy the secret file to another directory, such as /tmp or /etc.

techieshark, Jun 17 '25 14:06

Yeah, sorry, this is not documented at all, but your function code is generally loaded into the /workspace folder. So if you set that same folder to mount your secrets, strange things will happen. So I think this is somewhat "as intended", but we can do a better job at surfacing this as documentation, maybe in https://cloud.google.com/docs/buildpacks/overview

jama22, Jun 25 '25 20:06

Mounting a secret to /workspace will effectively clear the /workspace directory (the only file in there will be the secret)

kym6464, Dec 05 '25 07:12
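
An added example, not code from this thread or from the functions-framework project: a pre-deploy shell check that rejects a `--set-secrets` value whose file mount would land on `/workspace`, the directory the comments above say holds the function code. The function names and the `API_KEY=my-key:1` entry are constructed for illustration, and flagging subdirectories of `/workspace` as well is a conservative assumption.

```shell
#!/bin/sh
# Added example: guard to run before `gcloud functions deploy --set-secrets=...`.
# CODE_DIR is where the thread says the function code is loaded.
CODE_DIR="/workspace"

# mount_dir_of KEY
# Prints the directory a --set-secrets key would mount over, or nothing
# when the key is an environment variable name (no volume is mounted).
mount_dir_of() {
    key=$1
    case $key in
        /*:/*) printf '%s\n' "${key%%:*}" ;;                 # /mount_path:/secret_file_path
        /*)    dir=${key%/*}; printf '%s\n' "${dir:-/}" ;;   # /dir/file -> /dir
        *)     ;;                                            # ENV_VAR=ref
    esac
}

# check_secret_mounts "KEY1=REF1,KEY2=REF2,..."
# Returns 1 (and names the key on stderr) if any mount directory is CODE_DIR
# or lies beneath it (the latter is a conservative assumption); 0 otherwise.
# Paths are compared as written; "..", "//" and symlinks are not resolved.
check_secret_mounts() {
    spec=$1
    rc=0
    old_ifs=$IFS
    IFS=,
    set -f                        # no glob expansion while splitting on commas
    for pair in $spec; do
        key=${pair%%=*}
        dir=$(mount_dir_of "$key")
        [ -n "$dir" ] || continue
        dir=${dir%/}              # "/workspace/" and "/workspace" compare equal
        case "$dir/" in
            "$CODE_DIR"/*)
                echo "refusing '$key': mounts over $CODE_DIR and hides the function code" >&2
                rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed usage: the value from the report is rejected, the /tmp workaround passes.
check_secret_mounts "/workspace/.env-file=Secrets-Env-File:latest" 2>/dev/null \
    || echo "blocked: /workspace/.env-file"
check_secret_mounts "API_KEY=my-key:1,/tmp/.env-file=Secrets-Env-File:latest" \
    && echo "ok: /tmp/.env-file"
```
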