
I would like to use the Secret Manager to store a credential to our artifactory, within a cloud build step. I have it working using a build similar to:

steps:
- name: 'busybox:glibc'
  entrypoint: 'sh'
  args: ['-c', 'env']
  secretEnv: ['SECRET_VALUE']
availableSecrets:
  secretManager:
  - versionName: "projects/PROJECT_ID/secrets/TEST-SECRET/versions/1"
    env: 'SECRET_VALUE'

All great, no problems. I then try to slightly improve it to:

steps:
- name: 'busybox:glibc'
  entrypoint: 'sh'
  args: ['-c', 'env']
  secretEnv: ['SECRET_VALUE']
availableSecrets:
  secretManager:
  - versionName: "projects/$PROJECT_ID/secrets/TEST-SECRET/versions/1"
    env: 'SECRET_VALUE'

But then it throws the error: ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: failed to get secret name from secret version "projects/$PROJECT_ID/secrets/TEST-SECRET/versions/1"

I have been able to add a TRIGGER level env var (SECRET_MANAGER_PROJECT_ID), and that works fine. The only issue is that, as it is a trigger env, it is not available on rebuild, which breaks a lot of things.

Does anyone know how to get the PROJECT_ID of a Secret Manager from within CloudBuild without using a Trigger Param?

Nibrass H
Stefano
  • Have you tried `- versionName: projects/${PROJECT_ID}/secrets/TEST-SECRET/versions/1` (also I _think_ you can use `versions/latest` instead of a specific version if that's at all useful) – Rich Mar 08 '21 at 10:10
  • yeah, I have tried that too: `ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: failed to get secret name from secret version "projects/${PROJECT_ID}/secrets/TEST-SECRET/versions/1"` feels like a very annoying edge case. – Stefano Mar 08 '21 at 10:12
  • Under "Cloud Build" settings have you enabled "Secret Manager Accessor"? (Or followed [these instructions](https://cloud.google.com/build/docs/securing-builds/use-secrets#grant_permissions)?) – Rich Mar 08 '21 at 10:22
  • This is not currently supported. – sethvargo Mar 08 '21 at 12:26
  • in case anyone is wondering, I do not have the rep required to approve or even see the recommended edit! – Stefano Mar 09 '21 at 11:02

3 Answers

For now, it's not possible to set a dynamic value in the secret field. I already provided this feedback directly to the Google Cloud PM; it has been taken into account, but I don't have more info to share, especially for the availability.


EDIT 1 (January 22)

Thanks to Seza443's comment, I tested again and now it works with the automatically populated variables (PROJECT_ID and PROJECT_NUMBER), but also with customer-defined substitution variables!

guillaume blaquiere

It appears that Cloud Build now allows for the use of substitution variables within the availableSecrets field of a build configuration.

From Google Cloud's documentation on using secrets:

After all the build steps, add an availableSecrets field to specify the secret version and environment variables to use for your secret. You can include substitution variables in the value of the secretVersion field. You can specify more than one secret in a build.

I was able to use the $PROJECT_ID variable in my own build configuration like so:

...
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/api-key/versions/latest
      env: API_KEY

Granted, there appears to be (at least at present) some discrepancy between the documentation quoted above and the recommended configuration file schema. The documentation refers to secretVersion, but that appears to have changed to versionName. In either case, it seems to work properly.

Tanner Stern
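Putting the question and this answer together, here is a complete cloudbuild.yaml that uses a default substitution in availableSecrets and then actually consumes the secret the way a registry login should. This is an added example, not code from the question or from any answer, and the registry hostname artifactory.example.com, the secret name artifactory-token, the user ci-puller and the image path are placeholders I chose. Two points worth checking before copying it: the `args: ['-c', 'env']` step in the question dumps every environment variable, secret included, into the build log, which is fine for a one-off test but must not survive into a real pipeline; and inside a `-c` script the shell variable has to be written `$$NAME`, because a single `$` is consumed by Cloud Build's own substitution pass before the shell sees it.

```yaml
# cloudbuild.yaml (added example; hostname, secret name, user and image are assumptions)
steps:
# Log in to the registry without echoing the secret into the build log.
# '$$' is Cloud Build's escape for a literal '$', so bash, not Cloud Build,
# expands ARTIFACTORY_TOKEN; --password-stdin keeps it out of argv and `ps`.
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args:
    - '-c'
    - 'echo "$$ARTIFACTORY_TOKEN" | docker login artifactory.example.com -u "$$ARTIFACTORY_USER" --password-stdin'
  secretEnv: ['ARTIFACTORY_TOKEN']
  env:
    - 'ARTIFACTORY_USER=ci-puller'   # not secret, so a plain env entry is fine

# A later step that does not list secretEnv never sees the token; it only
# relies on the credentials the login step stored.
- name: 'gcr.io/cloud-builders/docker'
  args: ['pull', 'artifactory.example.com/team/base:1.0']

availableSecrets:
  secretManager:
  # $PROJECT_ID is a default substitution, so the same file works in every
  # project, on trigger runs and on manual `gcloud builds submit` rebuilds.
  # 'versions/latest' follows rotation; pin a version number if builds must
  # be reproducible.
  - versionName: 'projects/$PROJECT_ID/secrets/artifactory-token/versions/latest'
    env: 'ARTIFACTORY_TOKEN'
```

The build's service account still needs the Secret Manager Secret Accessor role on that secret (the permissions step linked in the comments above); a missing grant shows up as a PERMISSION_DENIED on the secret fetch, not as the INVALID_ARGUMENT the question hit.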

Use $PROJECT_NUMBER instead.

https://cloud.google.com/build/docs/configuring-builds/substitute-variable-values#using_default_substitutions

Substituting built-in env vars in GCB

yurisich