 

Access environment variables stored in Google Secret Manager from Google Cloud Build

How can I access the variables I define in Google Secret Manager from my Google Cloud Build pipeline?

784 likes, asked Feb 03 '20 06:02 by martinkaburu




1 Answer

You can access the secret from Cloud Build by using the standard Cloud Builder gcloud.

But there are 2 issues:

  1. If you want to use the secret value in another Cloud Build step, you have to store your secret in a file, which is the only way to reuse a value from one step in another.
  2. The current Cloud Builder gcloud isn't up to date (today, 03 feb 2020). You have to add a gcloud components update to use the correct version. I opened an issue for this.
steps:
    - name: gcr.io/cloud-builders/gcloud
      entrypoint: "bash"
      args:
          - "-c"
          - |
              gcloud components update
              # Store the secret in a temporary file (it stays in the build workspace for later steps)
              gcloud beta secrets versions access --secret=MySecretName latest > my-secret-file.txt
    - name: AnotherCloudBuildStepImage
      entrypoint: "bash"
      args:
          - "-c"
          - |
              # Read the secret back and pass it to a command/script
              # (note: passed as an argument here, so it is visible in the process list of the step)
              ./my-script.sh $(cat my-secret-file.txt)

Remember to grant the role Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) to the Cloud Build default service account <PROJECT_ID>@cloudbuild.gserviceaccount.com

EDIT

You can access the secret from anywhere, either with the gcloud CLI installed (and initialized with a service account authorized to access secrets) or via an API call

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://secretmanager.googleapis.com/v1beta1/projects/PROJECT_ID/secrets/MySecretName/versions/latest:access

Note: You receive the secret in the data field, in base64 encoded format. Don't forget to decode it before using it!

You have to generate an access token on a service account with the correct role granted. Here I use gcloud again, because it's easier. But depending on your platform, use the most appropriate method. A python script can also do the job.


EDIT 2

A new way to get secrets exists now in Cloud Build. Less boilerplate, safer. Have a look and use this way now.

169 likes, answered Sep 27 '22 00:09 by guillaume blaquiere
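The answer's EDIT describes calling the Secret Manager REST API with a bearer token and notes that the payload comes back base64 encoded in the data field. The script below is an added example, not code from the answer or from Google: it decodes such a response without jq, and hands the value to a child process through its environment rather than as a command-line argument (the answer's `./my-script.sh $(cat my-secret-file.txt)` puts the secret in argv, where any process of the same user can read it from `ps`). It assumes the GA `v1` endpoint rather than the `v1beta1` path quoted in the answer; `PROJECT_ID`, `MySecretName` and `my-script.sh` are placeholders, and `SAMPLE_RESPONSE` is a constructed reply shaped like the real one, so the decoding part runs offline.

```shell
#!/usr/bin/env bash
# Added example (not part of the original answer). Fetches a Secret Manager
# version via the REST API and passes it to a child process via its environment.
# PROJECT_ID, MySecretName and my-script.sh are placeholders.
set -eu

# Pull the base64 "data" field out of a versions.access response and decode it.
# Handles both the one-line and the pretty-printed JSON the API returns; no jq needed.
decode_secret_response() {
  # $1: JSON text of the ...:access response
  printf '%s\n' "$1" \
    | sed -n 's/.*"data"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1 \
    | base64 -d
}

# Call the API with a bearer token from gcloud and decode the payload.
# Needs network access and an identity holding roles/secretmanager.secretAccessor.
fetch_secret() {
  # $1: project id, $2: secret name, $3: version (defaults to "latest")
  project="$1"; secret="$2"; version="${3:-latest}"
  url="https://secretmanager.googleapis.com/v1/projects/${project}/secrets/${secret}/versions/${version}:access"
  response="$(curl -sSf -H "Authorization: Bearer $(gcloud auth print-access-token)" "$url")"
  decode_secret_response "$response"
}

# Run a command with the secret in its environment only: not in argv, so it does
# not appear in `ps` output or in build logs that echo the command line.
run_with_secret() {
  # $1: environment variable name, $2: secret value, remaining args: the command
  var_name="$1"; value="$2"
  shift 2
  env "${var_name}=${value}" "$@"
}

# Constructed sample response shaped like the real API reply;
# "aHVudGVyMg==" is the base64 encoding of "hunter2".
SAMPLE_RESPONSE='{"name": "projects/123456/secrets/MySecretName/versions/1", "payload": {"data": "aHVudGVyMg=="}}'

# Offline demo: ./fetch-secret.sh --demo
# With network access you would instead call: fetch_secret PROJECT_ID MySecretName
if [ "${1:-}" = "--demo" ]; then
  secret_value="$(decode_secret_response "$SAMPLE_RESPONSE")"
  run_with_secret MY_SECRET "$secret_value" sh -c 'printf "child sees %d bytes\n" "${#MY_SECRET}"'
fi
```

In a cloudbuild.yaml step this replaces the `$(cat my-secret-file.txt)` argument: decode the file once, then call `run_with_secret MY_SECRET "$value" ./my-script.sh` so the script reads `$MY_SECRET`. The temporary file in the workspace is still readable by every later step of the build, which is the trade-off the answer's first point describes.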