Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to deploy Cloud Functions with secrets from Secret Manager using Cloud Build?

Tags:

google-cloud-platform

google-cloud-functions

google-cloud-build

I have a Cloud Function that I want deployed in my CD pipeline using Cloud Build. The function needs a couple of secrets stored in Secret Manager that I want to pull in as environment variables using the --set-secrets flag.

When I deploy manually with the CLI I have no issue:

gcloud beta functions deploy myfunction \
  --source src \
  --trigger-topic mytopic \
  --region europe-west1 \
  --runtime python39 \
  --set-secrets 'env_1=secret_1:latest','env_2=secret_2:latest'

However, when I try to deploy using Cloud Build with this configuration:

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - beta
  - functions
  - deploy
  - myfunction
  - --source=src
  - --trigger-topic=mytopic
  - --region=europe-west1
  - --runtime=python39
  - --set-secrets='env_1=secret_1:latest','env_2=secret_2:latest'

I get an error that the --set-secrets argument must match the pattern 'SECRET:VERSION' or 'projects/{PROJECT}/secrets/{SECRET}:{VERSION}' or 'projects/{PROJECT}/secrets/{SECRET}/versions/{VERSION}' where VERSION is a number or the label 'latest'. I don't understand why I get this error as I think my argument comforms to said pattern.

Is there something I am missing?

like image 673
Emil Bonne Kristiansen Avatar asked Sep 19 '25 22:09

Emil Bonne Kristiansen

2 Answers

First, follow Guillaume's suggestion to remove the quotation marks around each pair. Afterwards, it should look like this:

--set-secrets=env_1=secret_1:latest,env_2=secret_2:latest

Or alternatively, my suggestion is to enclose all your arguments as a list like the example below. I tested the config below and it worked on my end.

steps:
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  args: ['gcloud', 'beta','functions', 'deploy', 'myfunction', '--region=europe-west1', '--source=src', '--trigger-topic=mytopic', '--runtime=python39', '--set-secrets=env_1=secret_1:latest,env_2=secret_2:latest']

Note: Do not put spaces in --set-secrets value if you have multiple secrets

To learn more, check out this documentation.

like image 80
Mabel A. Avatar answered Sep 22 '25 11:09

Mabel A.

Here is some documentation: https://cloud.google.com/build/docs/securing-builds/use-secrets

You need to use the secretEnv key as well as the availableSecrets declaration in your cloudbuild.yaml

like image 39
Cadet Avatar answered Sep 22 '25 10:09

Cadet
Sign in to Comment

Related questions

How to upload to Google Storage using JAVA library with WriteChannel and MD5 check
Using classes in firebase functions?
Error scaling up in HPA in GKE: apiserver was unable to write a JSON response: http2: stream closed
Google API Python | ValueError: Authorized user info was not in the expected format, missing fields client_secret, client_id, refresh_token
How can I use Google Natural Language API to enrich data in a Bigquery table?
How to update a Google Cloud Function's Runtime environment variables without redeploying it?
How do I know if the Google Colab notebook is using the recourses from the Google Compute Engine VM Instance?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!