I'm trying to create a Cloud Build trigger where secret environment variables are encrypted with cloud KMS and stored as a substitution variable in Cloud Build. This way my cloud build yaml is fairly generic and the same across all environments we're deploying to.
This cloud build yaml works fine:
```yaml
steps:
- name: 'ubuntu'
  entrypoint: 'bash'
  args: ['-c', 'echo "$$APP_NAME HAS A VALUE $$HELLO_WORLD"']
  env:
  - 'APP_NAME=${_APP_NAME}'
  secretEnv:
  - 'HELLO_WORLD'
secrets:
- kmsKeyName: 'projects/my-first-cicd-project/locations/europe-west1/keyRings/keyring-dev/cryptoKeys/key-backend'
  secretEnv:
    HELLO_WORLD: xxxxxxxxxxx
```
The build steps produce this log line:
```
My App Name HAS A VALUE Hello there world!
```
Exactly as intended.
Now for the thing that doesn't work, or at least that I can't get to work. Let's say I want to make the keyring name dynamic. I'd then replace "keyring-dev" in that YAML with ${_KMS_KEYRING_NAME}. This produces an error like:
```
invalid build: failed to check access to "projects/my-first-cicd-project/locations/europe-west1/keyRings/${_KMS_KEYRING_NAME}/cryptoKeys/key-backend"
```
If I change the base64 string in the YAML (starting with "CiQAH...") to a substitution variable like ${_KMS_VAR_HELLO_WORLD}, I get this error:
```
failed unmarshalling build config cloudbuild.yaml: illegal base64 data at input byte 0
```
FYI: the value of that base64 string does not exceed the maximum of 255 characters for a substitution value.
So my guess is that Cloud Build does not substitute anything in the secrets section of cloudbuild.yaml. Does anyone know a solution to this?
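As an added example (not part of the question or of any answer on this page), here is a workaround that keeps the key ring name dynamic by moving decryption into a build step, where substitutions are resolved, instead of relying on the top-level secrets section. The ciphertext path `secrets/hello_world.enc`, the step ids and the substitution defaults are assumptions; the project, location and key names are the ones from the question.

```yaml
# Added example (not from the question or the page's answers): decrypt in a
# step so that substitutions can select the key ring. Paths and defaults below
# are assumptions.
steps:
# Step 1: decrypt the committed ciphertext with a key chosen via substitutions.
# Substitutions are resolved in step args, which is what the top-level
# secrets/kmsKeyName field does not do. $$ escapes a literal $ for bash.
- name: 'gcr.io/cloud-builders/gcloud'
  id: 'decrypt-secret'
  entrypoint: 'bash'
  args:
  - '-c'
  - |
    set -euo pipefail
    gcloud kms decrypt \
      --project="$PROJECT_ID" \
      --location=europe-west1 \
      --keyring="${_KMS_KEYRING_NAME}" \
      --key=key-backend \
      --ciphertext-file=secrets/hello_world.enc \
      --plaintext-file=/workspace/hello_world.txt
    chmod 600 /workspace/hello_world.txt

# Step 2: consume the plaintext without echoing it. /workspace persists
# between steps, so the file is removed as soon as it has been used.
- name: 'ubuntu'
  id: 'use-secret'
  entrypoint: 'bash'
  args:
  - '-c'
  - |
    set -euo pipefail
    HELLO_WORLD="$$(cat /workspace/hello_world.txt)"
    test -n "$$HELLO_WORLD"
    echo "$$APP_NAME has a secret of length $${#HELLO_WORLD}"
    rm -f /workspace/hello_world.txt
  env:
  - 'APP_NAME=${_APP_NAME}'

# Defaults for local runs; a trigger per environment overrides these.
substitutions:
  _APP_NAME: 'My App Name'
  _KMS_KEYRING_NAME: 'keyring-dev'
```

Two things to keep in mind with this shape: the Cloud Build service account needs permission to decrypt with `key-backend` in every key ring a trigger can select, and, unlike `secretEnv`, the plaintext passes through a file in `/workspace`, so the step that uses it should neither log it nor leave it behind for later steps. The ciphertext file is produced once per environment with `gcloud kms encrypt` against the same key and committed alongside the build config.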
A build config file defines the fields that are needed for Cloud Build to perform your tasks. You'll need a build config file if you're starting builds using the gcloud command-line tool or build triggers. You can write the build config file using the YAML or the JSON syntax.
Cloud Build is a service that executes your builds on Google Cloud. Cloud Build can import source code from a variety of repositories or cloud storage spaces, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives.
Substitutions are helpful for variables whose value isn't known until build time, or to re-use an existing build request with different variable values. Cloud Build provides built-in substitutions or you can define your own substitutions. Use substitutions in your build's steps and images to resolve their values at build time.
Open the Secret Manager page in the Google Cloud Console: Select the checkbox of the secret you wish to use in your build. If it is not already open, click Show info panel to open the panel. In the panel, under Permissions, click Add principal.
In order for Cloud Build to decrypt our value, it must be base64-encoded and denoted as a secret as follows (I am including the WHOLE cloudbuild for clarity): 'docker build -t gcr.io/$PROJECT_ID/appengine/ts-cloudbuild-secrets-example:latest -f Dockerfile --build-arg REDIS_PASS=$$REDIS_PW .'
This is a known limitation of the API.