Matt Nann

Reputation: 65

Inserting secrets into GCP VM instance from secrets manager

Using GitHub Actions, I'm building a container and pushing it to an existing VM instance. I would like to include secrets as environment variables after authenticating to Secret Manager so the container can utilize them during runtime. The following command updates the container on the VM, but it does not accept any secrets as parameters.

- name: Deploy to google compute instance
  run: |-
    gcloud compute instances update-container ${{ env.GCE_INSTANCE }} \
      --zone "$GCE_INSTANCE_ZONE" \
      --container-image ${{ env.REGION}}-docker.pkg.dev/${{ secrets.PROJECT_ID}}/${{ env.ARTIFACT_REPO}}/${{ env.DOCKER_IMAGE }}

In the past, I have deployed a Docker container to Cloud Run and included secrets as environment variables successfully with the following command. Is there a way to mimic this behavior from Cloud Run with a VM instance?

- name: deploy
  id: 'deploy'
  uses: 'google-github-actions/deploy-cloudrun@v0'
  with:
    service: ${{ env.IMAGE_NAME}}
    image: ${{ env.REGION}}-docker.pkg.dev/${{ secrets.PROJECT_ID}}/${{ env.ARTIFACT_REPO}}/${{ env.DOCKER_IMAGE }}
    region: ${{ env.REGION }}
    secrets: |-
      SQL_SERVER_CA=SQL_SERVER_CA:latest, SQL_CLIENT_CERT=SQL_CLIENT_CERT:latest

Upvotes: 2

Views: 4589

Answers (2)

Matt Nann

Reputation: 65

Following the advice in @JohnHanley's comment, I was able to access secrets within my container that is running on a VM instance. Using the --container-env flag on "gcloud compute instances update-container" worked. The service account token for accessing Secret Manager is stored in GitHub Actions secrets and is base64 encoded. It is passed into the container with the --container-env flag along with two other variables. Once the container has started, the service account token is decoded and used to retrieve the rest of the many secrets stored in Google Secret Manager. This likely is not the best way, but it required the least amount of rework to get working.

- name: Deploy to google compute instance
  run: |-
    gcloud compute instances update-container ${{ env.GCE_INSTANCE }} \
      --zone ${{ env.ZONE}} \
      --container-image ${{ env.REGION}}-docker.pkg.dev/${{ secrets.PROJECT_ID}}/${{ env.ARTIFACT_REPO}}/${{ env.DOCKER_IMAGE }} \
      --container-env GCP_SECRET_ACCESSOR_SERVICE_TOKEN=${{ secrets.GCP_SECRET_ACCESSOR_SERVICE_TOKEN}} \
      --container-env PROJECT_ID=${{ secrets.PROJECT_ID}} \
      --container-env RUNNING_LOCATION=cloudbt

Upvotes: 1
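The start-up step the accepted answer describes (decode the base64 service-account token from GCP_SECRET_ACCESSOR_SERVICE_TOKEN, then fetch the remaining secrets from Secret Manager), as an added Python example that is not code from the question or either answer. It assumes the google-cloud-secret-manager library for the real accessor and embeds a constructed, non-functional sample key; passing None to the accessor is the variant that relies on the VM's attached service account, so no key has to travel through GitHub secrets at all.

```python
import base64
import binascii
import json
from typing import Callable, Dict, Iterable, Optional

# Field names every GCP service-account key file carries.
REQUIRED_SA_FIELDS = ("type", "project_id", "client_email", "private_key")

# Constructed sample key (not a real credential), used only for the offline run and tests.
SAMPLE_SA = {"type": "service_account", "project_id": "demo-project",
             "client_email": "secret-reader@demo-project.iam.gserviceaccount.com",
             "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"}
SAMPLE_TOKEN = base64.b64encode(json.dumps(SAMPLE_SA).encode()).decode()
BAD_TOKEN = base64.b64encode(b'{"type": "authorized_user"}').decode()  # valid base64, wrong kind

def decode_service_account(b64_key: str) -> dict:
    """Decode the base64 blob passed via --container-env and verify it is a key file,
    so a mangled GitHub secret fails loudly at start-up instead of at first use."""
    try:
        info = json.loads(base64.b64decode(b64_key, validate=True))
    except (binascii.Error, ValueError) as exc:  # JSONDecodeError is a ValueError
        raise ValueError("token is not base64-encoded JSON") from exc
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError("decoded token is not a service-account key")
    missing = [f for f in REQUIRED_SA_FIELDS if f not in info]
    if missing:
        raise ValueError(f"service-account key is missing fields: {missing}")
    return info

def secret_path(project_id: str, name: str, version: str = "latest") -> str:
    """Secret Manager resource name (same shape as versionName in Cloud Build YAML)."""
    return f"projects/{project_id}/secrets/{name}/versions/{version}"

def load_secrets(project_id: str, names: Iterable[str],
                 access: Callable[[str], bytes]) -> Dict[str, str]:
    """Resolve names to UTF-8 payloads; `access` maps a resource name to raw bytes
    (the real client in production, an in-memory dict in tests)."""
    return {n: access(secret_path(project_id, n)).decode("utf-8") for n in names}

def secret_manager_accessor(sa_info: Optional[dict]) -> Callable[[str], bytes]:
    """Accessor on the real client (google-cloud-secret-manager, imported lazily). With
    None it uses Application Default Credentials, i.e. the VM's attached service account."""
    from google.cloud import secretmanager
    if sa_info is None:
        client = secretmanager.SecretManagerServiceClient()
    else:
        from google.oauth2 import service_account
        creds = service_account.Credentials.from_service_account_info(sa_info)
        client = secretmanager.SecretManagerServiceClient(credentials=creds)
    return lambda name: client.access_secret_version(request={"name": name}).payload.data
```

In the container entrypoint, call `decode_service_account(os.environ["GCP_SECRET_ACCESSOR_SERVICE_TOKEN"])`, hand the result to `secret_manager_accessor`, and pass that accessor to `load_secrets` with `os.environ["PROJECT_ID"]`.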

You can use Cloud Build to inject the secrets. For that, you need to:

1. Enable the Cloud Build and Secret Manager APIs.

2. Set up the required IAM permissions.

3. Configure builds to access UTF-8 secrets from Secret Manager. As an example, the following build YAML shows how to log in to Docker using the Docker username and password stored in Secret Manager:

steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION
    env: 'PASSWORD'
  - versionName: projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION
    env: 'USERNAME'

Use this official GCP documentation as a more detailed reference for that; it has Docker and GitHub examples.

Plus, there is another 3rd-party option useful for you: SecretHub. Here, you have the required steps that you need to follow using SecretHub.

Use this last thread, Can I run a Cloud Build on my own VM instances, as another Cloud Build reference on GCP VMs.

And finally, in this official GCP documentation you will find the information and steps to implement caching in Cloud Build, to speed up your build when you need to.

Upvotes: 0
