My streamlit app containerized with Docker (following the streamlit tutorial here) runs fine locally but has the following error when deployed to Google Cloud Run:
FileNotFoundError: No secrets files found. Valid paths for a secrets.toml file are: /home/app/.streamlit/secrets.toml, /home/app/.streamlit/secrets.toml
Steps to reproduce
Deploy any streamlit app with a secrets.toml file to Google Cloud Run.
Expected behavior:
/.streamlit/secrets.toml is deployed with the Docker image since I placed the code:
COPY . /home/app
within the Dockerfile, which should copy all the content of the app (including /.streamlit/secrets.toml) on the Docker image.
Actual behavior:
Google Cloud Run canât access the credentials saved under /.streamlit/secrets.toml.
Debug info
Streamlit version: 1.22.0
Python version: 3.9.13
Using Conda? PipEnv? PyEnv? Pex? No to all
Additional information
If anyone can advise another way my Google Cloud Run service can access the credentials, Iâm thankful. Iâm new to this kind of deployment.
You must make sure that the secrets file (âsecrets.tomlâ) is present in the Docker image and available to your application before deploying a Streamlit app to Google Cloud Run. The Docker image created by Cloud Run by default does not automatically contain all of the files from your local directory.
You can take the following actions to fix the problem and make the âsecrets.tomlâ file accessible in the deployed Cloud Run service:
Change your Dockerfile such that the âsecrets.tomlâ file is explicitly copied into the Docker image. Make sure the file is included in the âCOPYâ command and that it is in the proper location:
âsecrets.tomlâ should be placed in the same directory as your Dockerfile.
Using the modified Dockerfile, create a fresh Docker image. Run the following command after making sure you are in the same directory as your Dockerfile and theâsecrets.tomlâ file:
docker build -t your-image-name .
By using this command, a fresh Docker image will be created with theâsecrets.tomlâ file included.
Upload the freshly created Docker image to a container registry that Google Cloud Run can access, such as Google Container Registry (GCR), Docker Hub, or a different private registry.
Use the revised Docker image from the container registry to deploy the Cloud Run service. During deployment, be careful to give the right image path.
Theâsecrets.tomlâ file will be present in the Docker image and available to your Streamlit app running on Google Cloud Run after completing these instructions.
This doesnât seem like good practice though. What if the image is built with GitHub Actions? We canât store the secrets.toml file in the repository so how would we be able to copy the file during the build process?
If you are building the image via GitHub to then deploying on GCP, my suggestion is to use GCP Secrets Manager instead of Streamlitâs secrets.toml file.
Alternatively, you can use the gcloud CLI to send a local directory with a Dockerfile directly to Google for building, without going through GitHub. The image will be stored in GCP Artifact Registry.