
Using GCP secrets as part of cloud build

I'm trying to pass confidential info into a bash script that is part of our cloud build process. I've followed the Cloud Build docs to try to set it all up.
After many, many different tries I copied the docker example as a test; even that is not working.
Here is what I have at the moment:

$ gcloud secrets list
NAME     CREATED              REPLICATION_POLICY  LOCATIONS
SECRET1  2021-08-18T04:37:47  automatic           -
SECRET2  2021-08-18T04:38:11  automatic           -

$ gcloud secrets versions access latest --secret="SECRET1"
Secret1Value
$ gcloud secrets versions access latest --secret="SECRET2"
Secret2Value
$ cat cloudbuild.yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
    env: 'PASSWORD'
  - versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
    env: 'USERNAME'


My understanding was that it would substitute the values of SECRET1 and SECRET2 into the USERNAME and PASSWORD envs, but all I'm getting is $USERNAME and $PASSWORD:

Arguments
 bash -c docker login --username=$USERNAME --password=$PASSWORD

Feels like I've missed something simple yet fundamental.

== UPDATE 1 ==
Here is my new yaml file:

steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'echo Username=$$USERNAME && echo Password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['cloudbuilds/script.sh', '$$USERNAME', '$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
    env: 'PASSWORD'
  - versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
    env: 'USERNAME'

This is the very simple bash script:

#!/bin/bash
# Positional parameters are whatever the Cloud Build step put in args.
secretVar1="$1"
secretVar2="$2"
# Pass the values as printf arguments rather than inside the format string.
printf "\n\nVARIABLES\nSecret1: %s\nSecret2: %s\n\n" "$secretVar1" "$secretVar2"

And this is the build log:

BUILD
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/docker
Step #0: Username=Secret2Value
Step #0: Password=Secret1Value
Finished Step #0
Starting Step #1
Step #1: Already have image (with digest): gcr.io/cloud-builders/docker
Step #1: 
Step #1: 
Step #1: VARIABLES
Step #1: Secret1: $USERNAME
Step #1: Secret2: $PASSWORD
Step #1: 
Finished Step #1
PUSH
DONE

So the first command echoes the values correctly, yet the bash script is not passed the secret values.

1 ACCEPTED SOLUTION

Finally got the yaml syntax correct to execute the script as I need it:

steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', ". ./cloudbuilds/script.sh $$SOMEVAR1 $$SOMEVAR2"]
  secretEnv: ['SOMEVAR1', 'SOMEVAR2']
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
    env: 'SOMEVAR2'
  - versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
    env: 'SOMEVAR1'
 
BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
VARIABLES
Secret1: Secret2Value
Secret2: Secret1Value
PUSH
DONE
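Why the UPDATE 1 step printed `$USERNAME` while the accepted `bash -c` form works, as an added example that is not part of the thread or of Cloud Build's own code: Cloud Build exports each `secretEnv` name into the step container's environment and rewrites `$$NAME` in `args` to the literal string `$NAME`. That string is only expanded if a shell parses it. With `entrypoint: bash` and the script path in `args`, bash receives `$USERNAME` as a plain argv entry and runs the script with it verbatim; with `bash -c "..."` the shell performs parameter expansion first. The block below simulates both steps locally with constructed secret values and two hypothetical scripts (`argv_script.sh`, `env_script.sh`), and adds the variant a reviewer would prefer: the script reads the exported variables itself, so no secret ever sits on a command line.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Models how Cloud Build hands
# secretEnv values to a step: the names are exported into the environment and
# '$$NAME' in args becomes the literal string '$NAME'. Whether that string is
# expanded depends entirely on whether a shell parses it.
# Secret values below are constructed placeholders.
set -eu

export SOMEVAR1="Secret2Value"   # stands in for SECRET2 -> env SOMEVAR1
export SOMEVAR2="Secret1Value"   # stands in for SECRET1 -> env SOMEVAR2

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Hypothetical stand-in for cloudbuilds/script.sh: takes its inputs from argv.
cat > "$WORK/argv_script.sh" <<'EOF'
#!/bin/bash
printf 'Secret1: %s\nSecret2: %s\n' "$1" "$2"
EOF

# Alternative that reads the secrets from the environment instead of argv, so
# the values never appear on a command line (argv is visible to `ps` inside
# the container, and anything echoed ends up in the build log).
cat > "$WORK/env_script.sh" <<'EOF'
#!/bin/bash
: "${SOMEVAR1:?SOMEVAR1 not set}"
: "${SOMEVAR2:?SOMEVAR2 not set}"
printf 'Secret1: %s\nSecret2: %s\n' "$SOMEVAR1" "$SOMEVAR2"
EOF
chmod +x "$WORK"/*.sh

# Step as written in UPDATE 1: entrypoint bash, args passed straight through.
# bash receives the literal strings '$SOMEVAR1' '$SOMEVAR2' as argv; no shell
# ever parses them, so the script prints the names, not the values.
step_argv_literal() {
    bash "$WORK/argv_script.sh" '$SOMEVAR1' '$SOMEVAR2'
}

# Step as in the accepted solution: 'bash -c "<string>"'. Here bash parses
# the string, performs parameter expansion, and the script gets the values.
step_bash_c_expands() {
    bash -c ". $WORK/argv_script.sh \$SOMEVAR1 \$SOMEVAR2"
}

# Preferred shape: no secrets on the command line at all; the script reads
# the exported secretEnv variables itself.
step_env_only() {
    bash "$WORK/env_script.sh"
}

step_argv_literal
step_bash_c_expands
step_env_only
```

Run it as a plain shell script; the first function prints `Secret1: $SOMEVAR1`, the other two print the constructed values. One caveat worth carrying into a real pipeline: the accepted solution's build log above prints the secret values themselves. Whatever a step echoes lands in the build log, so a production script should confirm that a variable is set (as `env_script.sh` does with `${VAR:?}`) rather than print its contents.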

