FAQ

How do I handle Google Cloud native functions (e.g., Secret Manager) that the emulator doesn't support?

The emulator does not support googleapis.* connectors such as googleapis.secretmanager.v1.projects.secrets.versions.access. These require real GCP service backends.

The recommended workaround is to use environment variables with conditional execution: inject the value via sys.get_env at the emulator level, and only call the GCP-native function in production when the env var is not set.

Pattern

1. Read the value from an env var with a default in init:

- init:
    assign:
      - projectId: '${sys.get_env("PROJECT_ID")}'
      - mySecret: '${sys.get_env("MY_SECRET", "")}'

sys.get_env(name, default) accepts a second argument -- if the env var isn't set, it returns the default (empty string here) instead of raising an error.

2. Wrap the GCP-native call in a switch so it only runs when the env var is empty:

- maybe_get_secret:
    switch:
      - condition: ${mySecret == ""}
        steps:
          - fetch_secret:
              call: googleapis.secretmanager.v1.projects.secrets.versions.access
              args:
                name: '${"projects/" + projectId + "/secrets/MY_SECRET/versions/latest"}'
              result: secretResult
          - extract_secret:
              assign:
                - mySecret: ${text.decode(base64.decode(secretResult.payload.data))}

If mySecret is already populated from the env var, the switch falls through and execution continues with the existing value. If it's empty (i.e., running in production without the env var), it fetches from Secret Manager.

How it works in each environment

This pattern works for any googleapis.* connector call -- not just Secret Manager. The key idea is: provide the value via an environment variable when running locally, and let the workflow fetch it from GCP when the env var is absent.

See also

• Limitations -- full list of unsupported features
• CLI & Configuration -- environment variable reference