Reputation: 5502
I'm doing a build on GCB in which I need to install private dependencies, so am using Google Secrets Manager. My cloudbuild.yaml looks like this:
steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/cloud-builders/docker'
  args:
  - build
  - '--build-arg'
  - PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)
  - '-t'
  - 'gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME'
  - .
images: [ gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME ]
But the $(cat decrypted-pat.txt) doesn't get evaluated. Inserting
  RUN echo https://${PERSONAL_ACCESS_TOKEN_GITHUB}@github.com
into my Dockerfile simply echoes the literal; of course,
  https://$(cat decrypted-pat.txt)@github.com
is not the command I'm looking for (and yes, if I get the thing to actually echo successfully, I'll rotate the token).
There's a note in the GCB / Secrets docs:
  To use the secret in an environment variable, you need to prefix the variable name with an underscore "_" and escape the value using '$('. For example: _VARIABLE_NAME=$(cat password.txt) && echo -n $_VARIABLE_NAME.
But this doesn't make a lot of sense to me for use in the build args.
How can I get the actual value of this secret into the container as a build arg?
Upvotes: 2
Views: 4075
Reputation: 26997
As of 2021 February 10, you can access Secret Manager secrets directly from Cloud Build using the availableSecrets field:
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION
    env: 'PASSWORD'
  - versionName: projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION
    env: 'USERNAME'
Upvotes: 5
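As an added example (it is not part of the answer above or of the original question), here is the same availableSecrets mechanism applied to the question's GitHub PAT build arg. It assumes a Secret Manager secret named PERSONAL_ACCESS_TOKEN_GITHUB exists in the build project and that the Cloud Build service account has roles/secretmanager.secretAccessor on it; the environment variable name PAT is an arbitrary choice and PROJECT_ID is a placeholder:

```yaml
# Added example, not code from the question or either answer.
# Assumes: a Secret Manager secret PERSONAL_ACCESS_TOKEN_GITHUB in the build
# project, readable by the Cloud Build service account; PROJECT_ID is a placeholder.
steps:
- name: 'gcr.io/cloud-builders/docker'
  # The docker builder normally execs `docker` with args verbatim, so $(...) is
  # never expanded; overriding the entrypoint with bash restores shell expansion.
  entrypoint: 'bash'
  # `$$PAT` is Cloud Build's escape: the literal `$PAT` reaches bash, which
  # expands the variable populated from secretEnv. A single `$PAT` would be
  # treated as an (undefined) Cloud Build substitution instead.
  args:
  - '-c'
  - |
    docker build \
      --build-arg PERSONAL_ACCESS_TOKEN_GITHUB="$$PAT" \
      -t gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME .
  secretEnv: ['PAT']
availableSecrets:
  secretManager:
  - versionName: projects/PROJECT_ID/secrets/PERSONAL_ACCESS_TOKEN_GITHUB/versions/latest
    env: 'PAT'
images: ['gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME']
```

This removes the gcloud step and the decrypted-pat.txt file, so the token is never written to the build workspace. It does not change what a build arg is: any value passed with --build-arg is recorded in the image metadata for the layers that used it and can be read back with docker history by anyone able to pull the image, so a token delivered this way should still be treated as exposed and rotated after the build (as the question itself notes).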
Reputation: 5502
I figured out that I could circumvent the default entrypoint on the docker build step, then use a bash command straightforwardly to invoke docker.
steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args:
  - "-c"
  - |
    # Read the decrypted secret and pass it to the docker command
    docker build --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt) -t gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME .
(fix inspired by this post)
Upvotes: 2