Reputation: 81
I'm trying to pass confidential info into a bash script that is part of our Cloud Build process.
I've followed the Cloud Build docs to try to set it all up.
After many, many different tries, I copied the Docker example as a test; even that is not working.
Here is what I have at the moment:
```
$ gcloud secrets list
NAME     CREATED              REPLICATION_POLICY  LOCATIONS
SECRET1  2021-08-18T04:37:47  automatic           -
SECRET2  2021-08-18T04:38:11  automatic           -

$ gcloud secrets versions access latest --secret="SECRET1"
Secret2Value

$ gcloud secrets versions access latest --secret="SECRET2"
Secret2Value
```
**cloudbuild.yaml**

```yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
    env: 'PASSWORD'
  - versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
    env: 'USERNAME'
```
My understanding was that it would substitute the values of SECRET1 and SECRET2 into the USERNAME and PASSWORD envs, but I'm getting the literal `$USERNAME` and `$PASSWORD`:

**Arguments**

```
bash -c docker login --username=$USERNAME --password=$PASSWORD
```

Feels like I've missed something simple yet fundamental.
== Update ==
Here is the full build log:

```
FETCHSOURCE
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint: git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint: git branch -m <name>
Initialized empty Git repository in /workspace/.git/
From https://source.developers.google.com/p/amiti-plex-can- dev/r/bitbucket_noldortech_amiti-payments
 * branch            a72363459d9ff5bed31411e960cc3e021febc322 -> FETCH_HEAD
HEAD is now at a723634 Secrets test 1
BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
```
== Update 2==
After testing the echo commands below, I switched over to using a script, which is what I actually need.
**YAML file:**

```yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'echo Username=$$USERNAME && echo Password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['cloudbuilds/script.sh', '$$USERNAME', '$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
    env: 'PASSWORD'
  - versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
    env: 'USERNAME'
```
**Script:**

```bash
#!/bin/bash
# Positional arguments as handed over by the Cloud Build step
secretVar1="$1"
secretVar2="$2"
printf "\n\nVARIABLES\nSecret1: %s\nSecret2: %s\n\n" "$secretVar1" "$secretVar2"
```
**Build log:**

```
BUILD
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/docker
Step #0: Username=Secret2Value
Step #0: Password=Secret1Value
Finished Step #0
Starting Step #1
Step #1: Already have image (with digest): gcr.io/cloud-builders/docker
Step #1:
Step #1:
Step #1: VARIABLES
Step #1: Secret1: $USERNAME
Step #1: Secret2: $PASSWORD
Step #1:
Finished Step #1
PUSH
DONE
```
Upvotes: 1
Views: 1455
Reputation: 81
Finally got the correct YAML syntax to execute my script as I need:

```yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', ". ./cloudbuilds/script.sh $$SOMEVAR1 $$SOMEVAR2"]
  secretEnv: ['SOMEVAR1', 'SOMEVAR2']
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
    env: 'SOMEVAR2'
  - versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
    env: 'SOMEVAR1'
```

```
BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
VARIABLES
Secret1: Secret2Value
Secret2: Secret1Value
PUSH
DONE
```
Upvotes: 1
Reputation: 88
USERNAME and PASSWORD are environment variables; for them to be expanded on the command line, you need to run the command via the shell. (Note that doing so is considered bad practice from a security perspective.)
This is why only the first step works in your second update.
Upvotes: 0
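The expansion behaviour described in this answer, reproduced locally as an added example (not code from the question or answers): Cloud Build turns `$$USERNAME` into the literal string `$USERNAME` before the step runs, and only an invocation that passes through `bash -c` expands it. The `USERNAME`/`PASSWORD` values and the `receive_*` function names are constructed stand-ins for what `secretEnv` would inject.

```shell
#!/bin/bash
# Constructed stand-ins for the values Secret Manager injects via secretEnv.
export USERNAME="Secret2Value"
export PASSWORD="Secret1Value"

# After Cloud Build's '$$' -> '$' substitution, this is the exact string
# the step's entrypoint receives as an argument.
ARG_AS_RECEIVED='$USERNAME'

# Style 1 (Update 2, Step #1): 'bash script.sh "$USERNAME"' with no shell
# parsing the string, so the script sees the literal text '$USERNAME'.
receive_as_positional() {
  bash -c 'printf "%s" "$1"' _ "$ARG_AS_RECEIVED"
}

# Style 2 (the accepted YAML): 'bash -c "... $USERNAME"' lets bash parse the
# command string, so the variable is expanded before the script runs.
receive_via_shell() {
  bash -c "printf '%s' $ARG_AS_RECEIVED"
}

# Style 3 (safer): the script reads the variable from its own environment,
# which secretEnv already populates; the secret never appears in argv or
# in the echoed command line of the build log.
receive_from_env() {
  bash -c 'printf "%s" "$USERNAME"'
}

# Feeding the password on stdin, as 'docker login --password-stdin' expects,
# keeps it out of the process list too. Returns the length read, not the value.
consume_password_stdin() {
  printf '%s\n' "$PASSWORD" | bash -c 'read -r pw; printf "%s" "${#pw}"'
}
```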