Access environment variables stored in Google Secret Manager from Google Cloud Build
How can I access the variables I define in Google Secret Manager from my Google Cloud Build pipeline?

Filth answered 3/2, 2020 at 6:32 Comment(5)
I wouldn't recommend using Google Secret Manager now, because it's in a pre-release state, which means that it will for sure change in the future. As far as accessing environment variables stored in Google Secret Manager is concerned, there is still no way to actually retrieve them from Cloud Build. Nonetheless, here you will find how to manage encrypted resources within Cloud Build. I hope it helps. – Preliminaries
I do not agree with @ChristopherRodriguezConde. Google Beta products are often very close to the production version. Alpha versions are subject to change (or to be cancelled); you can be confident in Beta versions, in terms of stability and availability. – Supinate
Anyway, can you describe your use case for doing this? Why do you need to have your secret in plain text during your Cloud Build pipeline? – Supinate
@guillaumeblaquiere I have a lot of environment variables and I need a more intuitive way of storing them for the different environments. I'd rather not use KMS since it brings about a lot of complexity for a rather simple task. I just want variables in the build, as I would have them in CircleCI, Travis CI, Bitbucket Pipelines, etc. – Filth
Does this answer your question? How to specify secretEnv to cloudbuild.yaml via gcloud cli args or environment variables – Isolt

You can access a secret from Cloud Build by using the standard Cloud Builder gcloud.

But there are 2 issues:

  1. If you want to use the secret value in another Cloud Build step, you have to store your secret in a file; that is the only way to reuse a value from one step in another one.
  2. The current Cloud Builder gcloud isn't up to date (today, 03 Feb 2020). You have to add a gcloud components update to get the correct version. I opened an issue for this.
steps:
    - name: gcr.io/cloud-builders/gcloud
      entrypoint: "bash"
      args:
          - "-c"
          - |
              gcloud components update
              # Store the secret in a temporary file (the workspace is shared with later steps)
              gcloud beta secrets versions access --secret=MySecretName latest > my-secret-file.txt
    - name: AnotherCloudBuildStepImage
      entrypoint: "bash"
      args:
          - "-c"
          - |
              # Read the secret back and pass it to a command/script
              # (quoted, so a value containing spaces stays a single argument)
              ./my-script.sh "$(cat my-secret-file.txt)"

Remember to grant the role Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) to the Cloud Build default service account <PROJECT_ID>@cloudbuild.gserviceaccount.com.

EDIT

You can access the secret from anywhere, either with the gcloud CLI installed (and initialized with a service account authorized to access secrets) or via an API call:

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://secretmanager.googleapis.com/v1beta1/projects/PROJECT_ID/secrets/MySecretName/versions/latest:access

Note: You receive the secret in the data field, in base64-encoded format. Don't forget to decode it before using it!

You have to generate an access token for a service account with the correct role granted. Here I use gcloud again, because it's easier. But depending on your platform, use the most appropriate method. A Python script can also do the job.


EDIT 2

A new way to get secrets exists now in Cloud Build. Less boilerplate, safer. Have a look and use this way now.

Supinate answered 3/2, 2020 at 9:45 Comment(7)
Are there any intentions to have this done directly by Cloud Build, or MUST I piece together a script to handle getting the variables? It seems like something Google should have automated. – Filth
Cloud Build because it was your question title, but you can do it from wherever you want. Either with the gcloud command like in my example, or directly with the API call. Look at my edit. – Supinate
While I can't comment on specifics, we are working on deeper integrations with other GCP products. This will be easier in the future, but for now you can use gcloud or the API. – Isolt
Looking forward to that future. – Filth
I'm not quite sure if my issue is the same, but I'm following this guide, and on step 4 we create the secret. However, on step 7 when running the migration it seems the secret is not being detected: File "/usr/local/lib/python3.8/site-packages/environ/environ.py", line 273, in get_value value = self.ENVIRON[var] File "/usr/local/lib/python3.8/os.py", line 675, in __getitem__ raise KeyError(key) from None KeyError: 'SECRET_KEY' codelabs.developers.google.com/codelabs/cloud-run-wagtail#7 – Thomas
Can you suggest passing the secrets between steps with a different entry point? Example is here github.com/vivekkranjan/docker-dataflowrunner-python3/blob/… – Kimura
I edited my post. A new way exists now. @Isolt – Supinate
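The answer above leaves two things to the reader: decoding the base64 payload that the `:access` API call returns, and handing the value from one build step to the next through a file without mangling it. The script below is an added example and not code from the original answer or from Google; the secret name, the file name, the sample response and the sample secret values are all constructed for the demo, and `arg_count` stands in for the answer's `./my-script.sh`.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Decodes the `payload.data`
# field of a Secret Manager `versions/<v>:access` response and passes the
# value to a later step through a file, the two steps the answer describes.
# MySecretName, the file paths and the sample values are constructed.
set -eu

# Constructed response, in the shape returned by
#   GET https://secretmanager.googleapis.com/v1beta1/projects/PROJECT_ID/secrets/MySecretName/versions/latest:access
# "data" is the base64 encoding of the constructed string "s3cr3t-value".
SAMPLE_RESPONSE='{
  "name": "projects/PROJECT_ID/secrets/MySecretName/versions/1",
  "payload": { "data": "czNjcjN0LXZhbHVl" }
}'

# Pull the "data" string out of the JSON (no jq needed) and base64-decode it.
# Handles both the compact and the pretty-printed form, since the value is a
# single base64 string on one line in either case.
decode_secret_payload() {   # $1 = response JSON
  printf '%s' "$1" \
    | sed -n 's/.*"data"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | base64 -d
}

# First step of the answer: persist the decoded value for a later step.
# umask 077 makes the file owner-only; in Cloud Build /workspace is shared
# between steps, so this is where the file would go.
store_secret_file() {   # $1 = secret value, $2 = file path
  ( umask 077; printf '%s' "$1" > "$2" )
}

# Second step of the answer, written the way the answer shows it: the
# unquoted $(cat ...) lets the shell split the secret on whitespace and
# expand glob characters, so the script may receive several arguments.
run_with_secret_file_unquoted() {   # $1 = file path, rest = command
  file="$1"; shift
  "$@" $(cat "$file")
}

# Same step with the command substitution quoted: the secret always arrives
# as exactly one argument. The file is removed once it has been used, so the
# plain-text value does not linger in the workspace for later steps.
run_with_secret_file() {   # $1 = file path, rest = command
  file="$1"; shift
  "$@" "$(cat "$file")"
  rm -f "$file"
}

# Stand-in for ./my-script.sh: reports how many arguments it received.
arg_count() { echo "$#"; }

# Demo when run directly: decode the sample, stash it, hand it to arg_count.
demo_file=$(mktemp)
store_secret_file "$(decode_secret_payload "$SAMPLE_RESPONSE")" "$demo_file"
echo "secret passed through as $(run_with_secret_file "$demo_file" arg_count) argument(s)"
```

Both `run_with_secret_file` variants are kept side by side on purpose: with a constructed secret such as "two words", the unquoted form delivers two arguments and the quoted form one, which is the difference that turns a working pipeline into a confusing failure the day a secret contains a space.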
