1

I'm trying to set up CI/CD for my app using Cloud Build and Cloud Run. My cloudbuild.yaml looks like this:

 steps:
 # Build the container image
 - name: 'gcr.io/cloud-builders/docker'
   args: ['build', '-t', 'gcr.io/project/dsapp-staging:$COMMIT_SHA', '.']
   timeout: '1200s'
 # Push the container image to Container Registry
 - name: 'gcr.io/cloud-builders/docker'
   args: ['push', 'gcr.io/project/dsapp-staging:$COMMIT_SHA']
   timeout: '1200s'
 # Deploy container image to Cloud Run
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   entrypoint: gcloud
   args:
   - 'run'
   - 'deploy'
   - 'dsapp-staging'
   - '--image'
   - 'gcr.io/project/dsapp-staging:$COMMIT_SHA'
   - '--region'
   - 'europe-west1'
   - "--set-env-vars=FIREBASE_AUTH=$$FIREBASE_AUTH"
   timeout: '1200s'
   secretEnv: ['FIREBASE_AUTH']
 timeout: '1200s'

 availableSecrets:
  secretManager:
  - versionName: projects/projectid/secrets/FIREBASE_AUTH/versions/1
    env: 'FIREBASE_AUTH'

 images:
 - 'gcr.io/project/dsapp-staging:$COMMIT_SHA'

My problem is with the 'FIREBASE_AUTH' secret variable: I get an error saying the substitution is not available. How can I pass my env var taken from secrets to my gcloud command?

2 Answers

2

You can't use a secret like that in Cloud Build. I don't know the technical reason, but I can give you the workaround: you must use a shell mode in your step. Let's write it like this:

 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   entrypoint: bash
   args:
   - '-c'
   - "gcloud run deploy dsapp-staging --image gcr.io/project/dsapp-staging:$COMMIT_SHA --region europe-west1 --set-env-vars=FIREBASE_AUTH=$$FIREBASE_AUTH"
   timeout: '1200s'
   secretEnv: ['FIREBASE_AUTH']

And now it works!

guillaume blaquiere
0

You don't have to use availableSecrets; you can use --set-secrets for this and assign the secret directly. Here is my working sample:

   # Deploy container image to Cloud Run
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args: 
     - run
     - deploy
     - node-api-service
     - --allow-unauthenticated
     - --set-secrets=DB_USER=projects/$PROJECT_NUMBER/secrets/DB_USER/versions/latest,DB_PASSWORD=projects/$PROJECT_NUMBER/secrets/DB_PASSWORD/versions/latest,DB_DATABASE=projects/$PROJECT_NUMBER/secrets/DB_DATABASE/versions/latest,DB_HOST=projects/$PROJECT_NUMBER/secrets/DB_HOST/versions/latest,DB_PORT=projects/$PROJECT_NUMBER/secrets/DB_PORT/versions/latest
     - --image=gcr.io/$_PROJECT_ID/node-api:$COMMIT_SHA
     - --vpc-connector=sqlconnect
     - --port=8080
     - --region=us-central1

This link helped me to fix the issue. Note that I changed project_id to project_number:

DB_USER=projects/$PROJECT_NUMBER/secrets/DB_USER/versions/latest
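
A small lint check for the two patterns discussed in the answers above, added here as an example (it is not code from either answer or from Google). It assumes the build steps are already parsed into dicts, and the function names and finding codes are hypothetical. It flags a `secretEnv` variable referenced in a step with no shell entrypoint, and a secret passed through `--set-env-vars`, which copies its value into the Cloud Run revision's plain environment variables, whereas `--set-secrets` keeps only a Secret Manager reference.

```python
import re

SHELLS = {"bash", "sh"}  # entrypoints that expand $VAR when the step runs

def lint_step(step):
    """Findings for one build step (a dict, as parsed from cloudbuild.yaml)."""
    findings = []
    args = " ".join(step.get("args", []))
    for name in step.get("secretEnv", []):
        ref = r"\${1,2}\{?" + re.escape(name) + r"\b"  # $$NAME, $NAME, ${NAME}
        if not re.search(ref, args):
            continue
        if step.get("entrypoint") not in SHELLS:
            # No shell in the step: the reference reaches gcloud unexpanded.
            findings.append((name, "no-shell"))
        if re.search(r"--(?:set|update)-env-vars[= ]\S*" + ref, args):
            # The secret's value is copied into the revision's plain env vars.
            findings.append((name, "plaintext-env"))
    return findings

def lint_config(config):
    """Return (step_index, secret_name, code) for every finding in the config."""
    return [(i, name, code)
            for i, step in enumerate(config.get("steps", []))
            for name, code in lint_step(step)]

# Constructed sample: the three deploy steps from this page as parsed dicts.
SDK = "gcr.io/google.com/cloudsdktool/cloud-sdk"
SAMPLE = {"steps": [
    {"name": SDK, "entrypoint": "gcloud", "secretEnv": ["FIREBASE_AUTH"],
     "args": ["run", "deploy", "dsapp-staging",
              "--set-env-vars=FIREBASE_AUTH=$$FIREBASE_AUTH"]},
    {"name": SDK, "entrypoint": "bash", "secretEnv": ["FIREBASE_AUTH"],
     "args": ["-c", "gcloud run deploy dsapp-staging "
                    "--set-env-vars=FIREBASE_AUTH=$$FIREBASE_AUTH"]},
    {"name": SDK, "entrypoint": "gcloud",
     "args": ["run", "deploy", "node-api-service",
              "--set-secrets=DB_USER=projects/$PROJECT_NUMBER/secrets/DB_USER/versions/latest"]},
]}

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```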