Reputation: 4271
I am deploying a cloud function with secret env variables that I would like to add to the function. From the example it mentions that "# Note: You need a shell to resolve environment variables with $$".
I am using the gcloud builder, which seems to not be a shell so my environment variables are just $USER and $PASS literally without substitution. I've tried $USER and ${USER} as well but it complains about not having valid substitutions.
How do I get my secrets from the google cloud build environment into my google cloud function environment?
The first step is to verify that my KMS stuff is working, which it appears to be.
steps:
  # Print the step environment to confirm the KMS-decrypted values are present.
  - name: 'ubuntu'
    args: ['printenv']
    secretEnv: ['USER','PASS']
  # Deploy step: the gcloud builder runs without a shell here.
  - name: "gcr.io/cloud-builders/gcloud"
    args:
      [
        "functions",
        "deploy",
        "fname",
        "--trigger-http",
        "--runtime=nodejs10",
        "--service-account=functions-secrets@northpoint-production.iam.gserviceaccount.com",
        "--set-env-vars=USER=$$USER,PASS=$$PASS",
        "--entry-point=fname",
        "--project=[project]",
      ]
    dir: "functions"
    secretEnv: ['USER','PASS']
secrets:
  - kmsKeyName: projects/[project]/locations/global/keyRings/[ring]/cryptoKeys/[key]
    secretEnv:
      USER: CiQAML6I...
      PASS: CiQAML6IGO3wO...
Upvotes: 1
Views: 739
Reputation: 1247
You are missing the entrypoint: 'bash' part per the documentation you shared.
steps:
  - name: "gcr.io/cloud-builders/gcloud"
    entrypoint: "bash"
    args:
      [
        "-c",
        "gcloud functions deploy fname --trigger-http --runtime=nodejs10 --service-account=[account] --set-env-vars=USER=$$USER,PASS=$$PASS --entry-point=fname --project=[project]",
      ]
    dir: "functions"
    secretEnv: ["USER", "PASS"]
secrets:
  - kmsKeyName: projects/[project]/locations/global/keyRings/[ring]/cryptoKeys/[key]
    secretEnv:
      USER: CiQAML...
      PASS: CiQAML...
Upvotes: 3
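The difference between the two build configs above can be reproduced locally. The script below is an added example, not part of the original question or answer: the helper names and the secret values (`svc-demo`, `p@ss word`) are constructed, and `printf "[%s]"` stands in for `gcloud` so that each argument the command receives is visible.

```shell
#!/usr/bin/env bash
# Added example: local simulation of how a Cloud Build step sees "$$USER".
# Helper names and the secret values are constructed for illustration.

# Cloud Build turns the "$$" escape into a literal "$" before running a step.
cloudbuild_unescape() {
  printf '%s' "$1" | sed 's/\$\$/$/g'
}

# No shell entrypoint: the argument reaches the program as-is, so the
# variables are never expanded even though they exist in the environment.
run_exec_style() {
  env USER='svc-demo' PASS='p@ss word' \
    printf '%s' "$(cloudbuild_unescape "$1")"
}

# entrypoint "bash" with args ["-c", "<command>"]: bash parses the command
# string and expands the variables from the step's environment.
run_bash_entrypoint() {
  env USER='svc-demo' PASS='p@ss word' \
    bash -c "$(cloudbuild_unescape "$1")"
}

# printf "[%s]" stands in for gcloud and brackets each argument it receives.
echo "exec style:     $(run_exec_style '--set-env-vars=USER=$$USER,PASS=$$PASS')"
echo "bash, unquoted: $(run_bash_entrypoint 'printf "[%s]" --set-env-vars=USER=$$USER,PASS=$$PASS')"
echo "bash, quoted:   $(run_bash_entrypoint 'printf "[%s]" "--set-env-vars=USER=$$USER,PASS=$$PASS"')"
```

With the unquoted form, a secret containing a space is split into two arguments, so quoting the flag inside the `bash -c` string keeps the value intact.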