I'm having a hard time passing secrets in gcp secret manager to cloud build docker build stage. Am i passing these correctly?

Question

steps:

• name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:slim' entrypoint: 'bash' args:

  • '-c'
  • | echo "Fetching secrets from Secret Manager..." echo -n $(gcloud secrets versions access latest --secret=URL_A) > /workspace/URL_A echo -n $(gcloud secrets versions access latest --secret=URL_B) > /workspace/URL_B id: Fetch Secrets

• name: gcr.io/cloud-builders/docker args:

  • build
  • '--no-cache'
  • '-t'
  • '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
  • '--build-arg'
  • "URL_A=$(cat /workspace/URL_A)"
  • '--build-arg'
  • "URL_B=$(cat /workspace/URL_B)"
  • .
  • '-f'
  • Dockerfile id: Build

Answer 1

You can do much simpler. Keep in mind that you can use SECRET_ENV in Cloud Build only in "script" context (entrypoint bash)

See my working exemple

steps:
- name: 'gcr.io/cloud-builders/docker'
  secretEnv: ['SECRET']
  entrypoint: 'bash'
  args:
    - -c
    - |
      echo $$SECRET
      docker build --build-arg SECRET="$$SECRET" -f Dockerfile -t gcr.io/<your project id>/test-secret . 

availableSecrets:
  secretManager:
    - versionName: projects/<YOUR PROJECT ID or NUMBER>/secrets/<YOUR SECRET NAME>/versions/latest
      env: 'SECRET'

And the dockerfile

FROM debian:buster-slim

ARG SECRET

RUN echo "The secret is $SECRET"

---

Side question: Must URLs be stored in secret manager?