How do I use Google Secrets Manager to create a docker ARG in Google Cloud Build?
Asked Answered
F

2

2

I'm doing a build on GCB in which I need to install private dependencies, so am using Google Secrets Manager. My cloudbuild.yaml looks like this:

steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/cloud-builders/docker'
  args:
    - build
    - '--build-arg'
    - PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)
    - '-t'
    - 'gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME'
    - .
images: [ gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME ]

But, the $(cat decrypted-pat.txt) doesn't get evaluated. Inserting: RUN echo https://${PERSONAL_ACCESS_TOKEN_GITHUB}@github.com into my dockerfile simply echoes the literal: of course, https://$(cat decrypted-pat.txt)@github.com is not the command I'm looking for (and yes, if I get the thing to actually echo successfully, I'll rotate the token).

There's a note in the gcb / secrets docs

To use the secret in an environment variable, you need to prefix the variable name with an underscore "_" and escape the value using '('. For example: _VARIABLE_NAME=$(cat password.txt) && echo -n )_VARIABLE_NAME.

But this doesn't make a lot of sense to me for use in the build args.

How can I get the actual value of this secret into the container as a build arg?

Flagella answered 15/12, 2020 at 8:41 Comment(0)
U
5

As of 2021 February 10, you can access Secret Manager secrets directly from Cloud Build using the availableSecrets field:

steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION
    env: 'PASSWORD'
  - versionName: projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION
    env: 'USERNAME'

Documentation

Uncharitable answered 10/2, 2021 at 15:2 Comment(2)
Thank goodness!! Although my junior dev will be very upset this wasn't here last month. Maybe I just won't tell him for a bit :)Flagella
Hello! Where to get the DOCKER_PASSWORD_SECRET_NAME and the rest of DOCKER fields? I cannot find them on the Secret Manager page. ThanksArnoldarnoldo
F
2

I figured out that I could circumvent the default entrypoint on the docker build step, then use a bash command straightforwardly to invoke docker.

steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]

- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args:
    - "-c"
    - |
      # For getting the secret and pass it to a command/script
      docker build --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt) -t gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME .

(fix inspired by this post)

Flagella answered 15/12, 2020 at 9:15 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.