Secrets.toml error when deploying to Google Cloud Run


My streamlit app containerized with Docker (following the streamlit tutorial here) runs fine locally but has the following error when deployed to Google Cloud Run:

FileNotFoundError: No secrets files found. Valid paths for a secrets.toml file are: /home/app/.streamlit/secrets.toml, /home/app/.streamlit/secrets.toml

Steps to reproduce

Deploy any streamlit app with a secrets.toml file to Google Cloud Run.

Expected behavior:

/.streamlit/secrets.toml is deployed with the Docker image since I placed the code:

COPY . /home/app

within the Dockerfile, which should copy all the content of the app (including /.streamlit/secrets.toml) on the Docker image.

Actual behavior:

Google Cloud Run can’t access the credentials saved under /.streamlit/secrets.toml.

Debug info

  • Streamlit version: 1.22.0
  • Python version: 3.9.13
  • Using Conda? PipEnv? PyEnv? Pex? No to all

Additional information

If anyone can advise another way my Google Cloud Run service can access the credentials, I’m thankful. I’m new to this kind of deployment.

You must make sure that the secrets file (‘secrets.toml’) is present in the Docker image and available to your application before deploying a Streamlit app to Google Cloud Run. The Docker image created by Cloud Run by default does not automatically contain all of the files from your local directory.

You can take the following actions to fix the problem and make the “secrets.toml” file accessible in the deployed Cloud Run service:

  1. Change your Dockerfile such that the “secrets.toml” file is explicitly copied into the Docker image. Make sure the file is included in the ‘COPY’ command and that it is in the proper location:
COPY secrets.toml /home/app/.streamlit/secrets.toml
  1. ‘secrets.toml’ should be placed in the same directory as your Dockerfile.

  2. Using the modified Dockerfile, create a fresh Docker image. Run the following command after making sure you are in the same directory as your Dockerfile and the’secrets.toml’ file:

docker build -t your-image-name .

By using this command, a fresh Docker image will be created with the’secrets.toml’ file included.

  1. Upload the freshly created Docker image to a container registry that Google Cloud Run can access, such as Google Container Registry (GCR), Docker Hub, or a different private registry.

  2. Use the revised Docker image from the container registry to deploy the Cloud Run service. During deployment, be careful to give the right image path.

The’secrets.toml’ file will be present in the Docker image and available to your Streamlit app running on Google Cloud Run after completing these instructions.

This doesn’t seem like good practice though. What if the image is built with GitHub Actions? We can’t store the secrets.toml file in the repository so how would we be able to copy the file during the build process?

Hi there @digitalghost-dev ,

If you are building the image via GitHub to then deploying on GCP, my suggestion is to use GCP Secrets Manager instead of Streamlit’s secrets.toml file.

Alternatively, you can use the gcloud CLI to send a local directory with a Dockerfile directly to Google for building, without going through GitHub. The image will be stored in GCP Artifact Registry.

Hope this helps!

Yes, after some playing around, I was able to deploy to Secrets Manager and then when deploying the image, attach the secret.

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.