kelseyhightower/serverless-vault-with-cloud-run — explained in plain English
Analysis updated 2026-07-17 · repo last pushed 2022-04-28
Follow the guide's CLI commands to deploy Vault on Cloud Run without managing VMs or Kubernetes.
Store database credentials and API tokens centrally so applications can fetch them securely.
Use Google Secret Manager and KMS to hold Vault's config and auto-unseal it on startup.
Rely on Google Cloud's automatic audit logs to see who accessed which secrets.
| kelseyhightower/serverless-vault-with-cloud-run | pyenv/pyenv-update | kelseyhightower/nomad-on-kubernetes | |
|---|---|---|---|
| Stars | 408 | 383 | 354 |
| Language | Shell | Shell | Shell |
| Last pushed | 2022-04-28 | 2026-01-10 | 2018-06-26 |
| Maintenance | Dormant | Quiet | Dormant |
| Setup difficulty | hard | easy | hard |
| Complexity | 4/5 | 1/5 | 4/5 |
| Audience | ops devops | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Ties you to Google Cloud and limits you to a single running Vault instance to avoid data conflicts, no multi-instance high availability.
This repo provides a step-by-step guide for running HashiCorp's Vault on Google Cloud Run. Vault is a tool that lets you securely store passwords, API keys, and other sensitive data, often called "secrets", so your applications can access them safely. Running it on Cloud Run means Google handles the underlying servers for you, reducing the operational headache of maintaining your own infrastructure. The tutorial walks you through setting up everything you need in Google Cloud. At a high level, it uses Google Cloud Storage to persist Vault's encrypted data and Google's Key Management Service to automatically unlock (or "unseal") Vault when it starts up. The guide also uses Google's Secret Manager to hold the Vault configuration file itself. You run a series of Google Cloud CLI commands to create a dedicated service account, set up the necessary permissions, deploy the Vault container, and then initialize it. Once it's live, you can manage secrets through a web UI or the Vault command-line tool. This is useful for teams that want the security of Vault without the burden of running and scaling their own servers or Kubernetes clusters. A startup founder or engineering lead could follow this guide to give their apps a reliable, centralized place to store database credentials and tokens. Cloud Run also lets you scale down to a single instance to keep costs low and latency minimal, or even scale to zero when nobody's using it, though the tutorial opts for keeping one instance warm. Google Cloud automatically captures audit logs too, so you get visibility into who accessed what. What's notable is the tradeoff this approach makes. Traditional Vault deployments often require you to manage virtual machines or Kubernetes clusters, which can be complex and time-consuming. By leaning on Google's managed services for storage, encryption, and compute, this setup offloads most of that operational weight to the cloud provider. The constraint is that it ties you to Google Cloud specifically, and it limits you to a single running instance of Vault at a time to avoid data conflicts, which is fine for many use cases but may not suit teams needing multi-instance high availability.
A step-by-step guide to running HashiCorp Vault on Google Cloud Run, so teams get secure secrets storage without managing servers or Kubernetes clusters.
Mainly Shell. The stack also includes Shell, Google Cloud Run, HashiCorp Vault.
Dormant — no commits in 2+ years (last push 2022-04-28).
No license information is given in the explanation.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
double-check against the repo, no cap.