Mr X

Reputation: 1739

How to pass the env secret variable in google app engine and gitlab CI

I am using gitlab and deploying it to google app engine for my nodejs application.

Google Service access is added as a variable in GitLab settings:

SERVICE_ACCOUNT_KEY:
  {
    "type": "service_account",
    "project_id": "node-us",
    "private_key_id": "",
    "private_key": "",
    "client_email": "[email protected]",
    "client_id": "",
    "auth_uri": "",
    "token_uri": "",
    "auth_provider_x509_cert_url": "",
    "client_x509_cert_url": ""
  }

.gitlab-ci.yml

image: node:latest
cache:
  paths:
    - node_modules/
    
before_script:
  - echo "deb http://packages.cloud.google.com/apt cloud-sdk-jessie main" | tee /etc/apt/sources.list.d/google-cloud-sdk.list
  - curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
  - apt-get update
  - apt-get -qq -y install google-cloud-sdk

deploy_production:
  stage: deploy
  environment: Production
  only:
    - master
  script:
    # quote the variable so the JSON is written byte-for-byte (an unquoted $VAR is word-split and loses its newlines)
    - echo "$SERVICE_ACCOUNT_KEY" > /tmp/$CI_PIPELINE_ID.json
    - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
    - gcloud --quiet --project node-us app deploy app.yaml

after_script:
  - rm /tmp/$CI_PIPELINE_ID.json

My root folder has an app.yaml file and a .env file.

As of now I was testing the flow, which worked fine and deployed successfully to Google App Engine (it does not contain any secret keys).

However, I want my env variables (containing secret keys) to be ignored via .gitignore and also not to be part of the app.yaml file.

How can I pass my env secret keys?

Upvotes: 0

Views: 1806

Answers (2)

Frederiko Ribeiro

Reputation: 2368

If you need to send your env file to your hosted website in Google Cloud (Engine/Run), you can simply add this line in your .gitlab-ci.yml file, after the deploy script:

- echo "$ENV" > .env

Then, in your GitLab config, you add the ENV variable with your .env data.

This worked for me.

This is my example Gitlab YML file that I use to deploy a NodeJS server into Google Cloud Run:

variables:
  SERVICE_NAME: 'server'

image: google/cloud-sdk:latest

before_script:
  - apt-get --assume-yes install npm
  - npm install
  - npm run build

deploy:
  stage: deploy
  only:
    - main
  script:
    # quoted so multi-line values (JSON key, KEY=VALUE lines) keep their newlines
    - echo "$GCP_SERVICE_ACCOUNT" > gcloud-service-key.json
    - echo "$ENV" > .env
    - gcloud auth activate-service-account --key-file gcloud-service-key.json
    - gcloud auth configure-docker
    - gcloud config set project $GCP_PROJECT_ID
    - gcloud config set run/region europe-west3
    - gcloud run deploy $SERVICE_NAME --source . --allow-unauthenticated

Upvotes: 1

guillaume blaquiere

Reputation: 75970

Don't pass it!

Use Secret Manager to pass your secret. So, in your repository, use the Secret Manager URI to reference the secret, with the secret version. This way, there is no secret in your code or in the app.yaml/.env files.

If you need to update the secret, do it manually. Some tasks are hard, or expensive, to automate.

Note: The article that you mention was released 6 months before the Secret Manager release (early this year, 2020).

Upvotes: 1
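A worked illustration of the approach in this answer, added here as an example and not taken from the question or either answer: the repository holds only Secret Manager version resource names (the URI with its version, e.g. `projects/node-us/secrets/db-password/versions/3`), and the Node.js app resolves them at startup. The config keys, secret names, project id and values below are constructed for the example. The real client is `SecretManagerServiceClient` from the `@google-cloud/secret-manager` package, whose `accessSecretVersion({ name })` call returns `[{ payload: { data: Buffer } }]`; an in-memory client with the same shape is injected so the code runs offline.

```javascript
// Added example (not from the page): resolve secrets from Secret Manager
// resource names at runtime instead of writing a .env file in CI.
// Assumes config such as { DB_PASSWORD: "projects/<project>/secrets/<name>/versions/<n>" }
// and a client exposing accessSecretVersion({ name }) like @google-cloud/secret-manager.

// projects/<project-id>/secrets/<secret-id>/versions/<number|latest>
// project id: 6-30 chars, lowercase letters/digits/hyphens, starts with a letter
const SECRET_REF =
  /^projects\/([a-z][-a-z0-9]{4,28}[a-z0-9])\/secrets\/([A-Za-z0-9_-]{1,255})\/versions\/(\d+|latest)$/;

// Parse and validate a Secret Manager version resource name.
// allowLatest defaults to false: a pinned version keeps a deploy reproducible
// and lets a rotated secret be rolled back by redeploying the previous version.
function parseSecretRef(ref, { allowLatest = false } = {}) {
  const m = SECRET_REF.exec(ref);
  if (!m) throw new Error(`not a Secret Manager version name: ${ref}`);
  const [, project, secret, version] = m;
  if (version === 'latest' && !allowLatest) {
    throw new Error(`unpinned version for ${secret}; use versions/<number>`);
  }
  return { project, secret, version };
}

// Resolve every entry of config to its secret payload. Only the resource
// names live in the repository; the values exist only in process memory.
async function loadSecrets(config, client, opts) {
  const out = {};
  for (const [key, ref] of Object.entries(config)) {
    parseSecretRef(ref, opts); // fail fast on a malformed or unpinned reference
    const [version] = await client.accessSecretVersion({ name: ref });
    out[key] = version.payload.data.toString('utf8');
  }
  return out;
}

// In-memory stand-in for the real client so the example runs without GCP.
// Production would use: new SecretManagerServiceClient() from @google-cloud/secret-manager
function fakeClient(store) {
  return {
    async accessSecretVersion({ name }) {
      if (!(name in store)) throw new Error(`NOT_FOUND: ${name}`);
      return [{ name, payload: { data: Buffer.from(store[name], 'utf8') } }];
    },
  };
}

// Constructed sample data (hypothetical project, secret names and values).
const SAMPLE_STORE = {
  'projects/node-us/secrets/db-password/versions/3': 'hunter2-rotated',
  'projects/node-us/secrets/api-token/versions/1': 'tok_constructed_example',
};
const SAMPLE_CONFIG = {
  DB_PASSWORD: 'projects/node-us/secrets/db-password/versions/3',
  API_TOKEN: 'projects/node-us/secrets/api-token/versions/1',
};

// What the app would do at startup: build process config from references.
async function demo() {
  return loadSecrets(SAMPLE_CONFIG, fakeClient(SAMPLE_STORE));
}

// Log only the names of the resolved secrets, never their values.
demo().then((secrets) => console.log('resolved:', Object.keys(secrets)));
```

The CI job then needs no `.env` step at all; the service account the app runs as needs only the `roles/secretmanager.secretAccessor` role on the referenced secrets, and rotating a secret means adding a new version and bumping the version number in the reference.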
