DEV Community: Developer KDRA Inc The latest articles on DEV Community by Developer KDRA Inc (@kdra-dev). https://dev.to/kdra-dev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3990011%2F0170e9d2-c4e7-4c02-88df-7f944fb74ad7.png DEV Community: Developer KDRA Inc https://dev.to/kdra-dev en Deploy FastAPI to Cloud Run in Under 30 Minutes — With Terraform, WIF, and Secret Manager Developer KDRA Inc Thu, 18 Jun 2026 02:55:06 +0000 https://dev.to/kdra-dev/deploy-fastapi-to-cloud-run-in-under-30-minutes-with-terraform-wif-and-secret-manager-5h6i https://dev.to/kdra-dev/deploy-fastapi-to-cloud-run-in-under-30-minutes-with-terraform-wif-and-secret-manager-5h6i <p>Every Python API project on GCP starts the same way. Not with your business logic. With Terraform.</p> <p>Two or three days of infrastructure setup before you write a single line of the thing you actually wanted to build. Cloud Run configuration, IAM roles, Artifact Registry, GitHub Actions pipeline, Workload Identity Federation, Secret Manager integration.</p> <p>We got tired of it. So we built it once, properly, and turned it into a starter template.</p> <p>This article walks through what's in the <strong>FastAPI + Cloud Run Starter</strong> and, more importantly, <em>why</em> each piece is there.</p> <h2> The architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Actions (CI/CD) ↓ Workload Identity Federation (no service account keys) Google Artifact Registry ↓ Docker image Cloud Run (FastAPI application) ↓ reads secrets at runtime Secret Manager </code></pre> </div> <p>The entire infrastructure is managed with Terraform. The application never knows where it's running.</p> <h2> Workload Identity Federation — stop using service account keys </h2> <p>Most tutorials tell you to create a service account key JSON and paste it into GitHub Secrets. Don't.</p> <p>Service account keys are long-lived credentials. They don't expire. They can be leaked. Managing rotation is painful. And GCP's security guidance explicitly recommends against them for CI/CD.</p> <p>Workload Identity Federation (WIF) lets GitHub Actions authenticate to GCP using a short-lived OIDC token. The trust relationship is configured in Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_iam_workload_identity_pool"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">workload_identity_pool_id</span> <span class="p">=</span> <span class="s2">"github-pool"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"GitHub Actions Pool"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_iam_workload_identity_pool_provider"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">workload_identity_pool_id</span> <span class="p">=</span> <span class="nx">google_iam_workload_identity_pool</span><span class="p">.</span><span class="nx">github</span><span class="p">.</span><span class="nx">workload_identity_pool_id</span> <span class="nx">workload_identity_pool_provider_id</span> <span class="p">=</span> <span class="s2">"github-provider"</span> <span class="nx">oidc</span> <span class="p">{</span> <span class="nx">issuer_uri</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="p">}</span> <span class="nx">attribute_mapping</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"google.subject"</span> <span class="p">=</span> <span class="s2">"assertion.sub"</span> <span class="s2">"attribute.repository"</span> <span class="p">=</span> <span class="s2">"assertion.repository"</span> <span class="p">}</span> <span class="nx">attribute_condition</span> <span class="p">=</span> <span class="s2">"assertion.repository == 'your-org/your-repo'"</span> <span class="p">}</span> </code></pre> </div> <p>In GitHub Actions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Authenticate to GCP</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/auth@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ vars.WIF_PROVIDER }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ vars.DEPLOY_SA }}</span> </code></pre> </div> <p>No key file. No secret to rotate. The token lasts for the duration of the workflow run.</p> <h2> Secret Manager → Cloud Run → Pydantic </h2> <p>The pattern for secrets: they live in Secret Manager. Cloud Run mounts them as environment variables. Pydantic's <code>BaseSettings</code> reads environment variables. Your application code never touches the Secret Manager SDK.</p> <p>Cloud Run secret binding in <code>gcloud run deploy</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--set-secrets</span> <span class="s2">"DATABASE_URL=my-db-url:latest,API_KEY=my-api-key:latest"</span> </code></pre> </div> <p>Pydantic settings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pydantic_settings</span> <span class="kn">import</span> <span class="n">BaseSettings</span><span class="p">,</span> <span class="n">SettingsConfigDict</span> <span class="k">class</span> <span class="nc">Settings</span><span class="p">(</span><span class="n">BaseSettings</span><span class="p">):</span> <span class="n">model_config</span> <span class="o">=</span> <span class="nc">SettingsConfigDict</span><span class="p">(</span><span class="n">env_file</span><span class="o">=</span><span class="sh">"</span><span class="s">.env</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="sh">"</span><span class="s">ignore</span><span class="sh">"</span><span class="p">)</span> <span class="n">database_url</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span> <span class="n">api_key</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span> <span class="n">settings</span> <span class="o">=</span> <span class="nc">Settings</span><span class="p">()</span> </code></pre> </div> <p>For local development, create a <code>.env</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">DATABASE_URL</span><span class="p">=</span><span class="s">postgresql://localhost:5432/mydb</span> <span class="py">API_KEY</span><span class="p">=</span><span class="s">local-dev-key</span> </code></pre> </div> <p>Same settings model. Different source. Local and production behave identically.</p> <h2> IAM scoping — the mistake most tutorials make </h2> <p>Your Cloud Run service account needs <code>roles/secretmanager.secretAccessor</code>. But on <em>what</em>?</p> <p>Most examples grant it at the project level. That's overpermissioned — your service account can read every secret in the project.</p> <p>The correct approach is to grant it per secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"google_secret_manager_secret_iam_member"</span> <span class="s2">"db_url_access"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="nx">google_secret_manager_secret</span><span class="p">.</span><span class="nx">db_url</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/secretmanager.secretAccessor"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.cloud_run.email}"</span> <span class="p">}</span> </code></pre> </div> <p>More Terraform to write, but the right security posture.</p> <h2> The CI/CD pipeline </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.12"</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install -e ".[dev]"</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">ruff check .</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pytest</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">test</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Authenticate to GCP</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/auth@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ vars.WIF_PROVIDER }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ vars.DEPLOY_SA }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">IMAGE="${{ env.REGISTRY }}/my-service:${{ github.sha }}"</span> <span class="s">docker build -t "$IMAGE" .</span> <span class="s">docker push "$IMAGE"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">gcloud run deploy my-service \</span> <span class="s">--image "$IMAGE" \</span> <span class="s">--region us-central1 \</span> <span class="s">--set-secrets "API_KEY=my-api-key:latest" \</span> <span class="s">--allow-unauthenticated</span> </code></pre> </div> <p>Tests run on every push. Deployment runs only on <code>main</code>. Image is tagged with the git SHA — full traceability.</p> <h2> What the starter gives you </h2> <p>All of the above, working together, from the first commit:</p> <ul> <li>FastAPI scaffold with health endpoint, structured logging, rate limiting</li> <li>Terraform modules for Cloud Run, Artifact Registry, IAM, Secret Manager</li> <li>GitHub Actions workflow with WIF authentication</li> <li>Correct IAM scoping (per-secret, not project-level)</li> <li>Pydantic settings that work identically locally and in production</li> <li>Dockerfile that follows best practices</li> </ul> <p>One-time purchase. Private repo collaborator access.</p> <p>→ <a href="https://store.kdrainc.com/l/fastapi-cloudrun-starter" rel="noopener noreferrer">FastAPI + Cloud Run Starter on Gumroad</a></p> <p><em>KDRA Inc. builds software products with AI agents and hyperautomation. This starter is something we built for ourselves and packaged for others.</em></p> python fastapi googlecloud devops