gitwtfhub

wtf is serverless-vault-with-cloud-run?

kelseyhightower/serverless-vault-with-cloud-run — explained in plain English

Analysis updated 2026-07-17 · repo last pushed 2022-04-28

408ShellAudience · ops devopsComplexity · 4/5DormantSetup · hard

TL;DR

A step-by-step guide to running HashiCorp Vault on Google Cloud Run, so teams get secure secrets storage without managing servers or Kubernetes clusters.

Mindmap

mindmap
  root((repo))
    What it does
      Runs Vault on Cloud Run
      Auto unseal with KMS
      Persists data in GCS
    Tech stack
      Shell
      Google Cloud Run
      HashiCorp Vault
    Use cases
      Store API keys
      Centralize secrets
      Reduce ops burden
    Audience
      Startup founders
      Engineering leads

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Follow the guide's CLI commands to deploy Vault on Cloud Run without managing VMs or Kubernetes.

REASON 2

Store database credentials and API tokens centrally so applications can fetch them securely.

REASON 3

Use Google Secret Manager and KMS to hold Vault's config and auto-unseal it on startup.

REASON 4

Rely on Google Cloud's automatic audit logs to see who accessed which secrets.

What's in the stack?

ShellGoogle Cloud RunHashiCorp Vault

How it stacks up

kelseyhightower/serverless-vault-with-cloud-runpyenv/pyenv-updatekelseyhightower/nomad-on-kubernetes
Stars408383354
LanguageShellShellShell
Last pushed2022-04-282026-01-102018-06-26
MaintenanceDormantQuietDormant
Setup difficultyhardeasyhard
Complexity4/51/54/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1h+

Ties you to Google Cloud and limits you to a single running Vault instance to avoid data conflicts, no multi-instance high availability.

No license information is given in the explanation.

Wtf does this do

This repo provides a step-by-step guide for running HashiCorp's Vault on Google Cloud Run. Vault is a tool that lets you securely store passwords, API keys, and other sensitive data, often called "secrets", so your applications can access them safely. Running it on Cloud Run means Google handles the underlying servers for you, reducing the operational headache of maintaining your own infrastructure. The tutorial walks you through setting up everything you need in Google Cloud. At a high level, it uses Google Cloud Storage to persist Vault's encrypted data and Google's Key Management Service to automatically unlock (or "unseal") Vault when it starts up. The guide also uses Google's Secret Manager to hold the Vault configuration file itself. You run a series of Google Cloud CLI commands to create a dedicated service account, set up the necessary permissions, deploy the Vault container, and then initialize it. Once it's live, you can manage secrets through a web UI or the Vault command-line tool. This is useful for teams that want the security of Vault without the burden of running and scaling their own servers or Kubernetes clusters. A startup founder or engineering lead could follow this guide to give their apps a reliable, centralized place to store database credentials and tokens. Cloud Run also lets you scale down to a single instance to keep costs low and latency minimal, or even scale to zero when nobody's using it, though the tutorial opts for keeping one instance warm. Google Cloud automatically captures audit logs too, so you get visibility into who accessed what. What's notable is the tradeoff this approach makes. Traditional Vault deployments often require you to manage virtual machines or Kubernetes clusters, which can be complex and time-consuming. By leaning on Google's managed services for storage, encryption, and compute, this setup offloads most of that operational weight to the cloud provider. The constraint is that it ties you to Google Cloud specifically, and it limits you to a single running instance of Vault at a time to avoid data conflicts, which is fine for many use cases but may not suit teams needing multi-instance high availability.

Yoink these prompts

Prompt 1
Walk me through deploying HashiCorp Vault on Google Cloud Run using this guide's setup steps.
Prompt 2
Explain how Google Cloud KMS is used here to automatically unseal Vault when it starts up.
Prompt 3
What are the tradeoffs of running a single Cloud Run Vault instance versus a traditional multi-instance Vault cluster on Kubernetes?

Frequently asked questions

wtf is serverless-vault-with-cloud-run?

A step-by-step guide to running HashiCorp Vault on Google Cloud Run, so teams get secure secrets storage without managing servers or Kubernetes clusters.

What language is serverless-vault-with-cloud-run written in?

Mainly Shell. The stack also includes Shell, Google Cloud Run, HashiCorp Vault.

Is serverless-vault-with-cloud-run actively maintained?

Dormant — no commits in 2+ years (last push 2022-04-28).

What license does serverless-vault-with-cloud-run use?

No license information is given in the explanation.

How hard is serverless-vault-with-cloud-run to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is serverless-vault-with-cloud-run for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.