
I'm having an issue with using custom substitutions in my cloudbuild.yaml.

```yaml
substitutions:
  _CUSTOM_SUBSTITUTION: this-is-a-path
availableSecrets:
  secretManager:
  - versionName: projects/$_CUSTOM_SUBSTITUTION/secrets/client_id/versions/1
    env: CLIENT_ID
  - versionName: projects/$_CUSTOM_SUBSTITUTION/secrets/client_secret/versions/1
    env: CLIENT_SECRET
```

From what I can tell from trial and error, using something like $PROJECT_ID in the place of $_CUSTOM_SUBSTITUTION will run the build, but if I use a custom substitution like above, the trigger does not run a build at all when a commit is pushed.

I've also tested with various other base substitutions, like $BRANCH_NAME to the same effect. I'm getting the feeling that it's just not possible to do this in cloudbuild at the moment?

kckaiwei
  • Can you share your trigger configuration? – guillaume blaquiere Feb 22 '22 at 20:21
  • I'm using "Push to a Branch" as the invoking event trigger. It's set to use a Cloud Build configuration file (this cloudbuild.yaml), which is being read from my repo. Other than that, I'm not using any substitution variables from the GCP UI, only via the substitution line in the cloudbuild.yaml. I've had successful builds prior to this; it was only with the introduction of this availableSecrets section that they started not being triggered. – kckaiwei Feb 22 '22 at 20:26
  • Can you share your [logs](https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs#viewing_build_logs) related to Cloud Build? I have not tested it yet, but something worth trying is to use the syntax `${_CUSTOM_SUBSTITUTION}` *with the curly braces,* as the [documentation](https://cloud.google.com/build/docs/configuring-builds/substitute-variable-values#using_user-defined_substitutions) shows that this allows custom substitutions to work when **not** surrounded by spaces. – ErnestoC Feb 23 '22 at 16:07

1 Answer


It ended up being a combination of needing curly braces, `${_CUSTOM_SUBSTITUTION}`, and some syntax fixing in the cloudbuild.yaml. I didn't have enough experience with cloudbuild to find that.

The offending part was something like this:

`AUTH_TOKEN=$$(cat /workspace/token.txt)`. Originally I had just 1 `$` there, which was also working code pulled from another project.

For anyone running into this in the future, using `gcloud builds submit` can let you run it directly for troubleshooting.

kckaiwei
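The two fixes from the answer applied to the question's config, as an added example that is not the poster's actual file. The step's image and script body are assumptions, and `/workspace/token.txt` is assumed to have been written by an earlier step.

```yaml
# Added example: the question's cloudbuild.yaml with the answer's fixes applied.
substitutions:
  _CUSTOM_SUBSTITUTION: this-is-a-path   # value from the question

steps:
# Hypothetical step (image and script are assumptions, not from the post).
# Inside args, "$$" is passed to bash as a single "$", so command
# substitution, shell variables and secret env vars are all written with "$$".
# A single "$" followed by a name is treated as a Cloud Build substitution.
- name: gcr.io/cloud-builders/gcloud
  entrypoint: bash
  secretEnv: ['CLIENT_ID', 'CLIENT_SECRET']   # expose the secrets to this step only
  args:
  - -c
  - |
    AUTH_TOKEN=$$(cat /workspace/token.txt)
    # Check that the values are present without echoing them into the build log.
    test -n "$$AUTH_TOKEN" || { echo "token file is empty"; exit 1; }
    test -n "$$CLIENT_ID" || { echo "CLIENT_ID not set"; exit 1; }
    test -n "$$CLIENT_SECRET" || { echo "CLIENT_SECRET not set"; exit 1; }

availableSecrets:
  secretManager:
  # Braced form of the user-defined substitution, as the answer ended up using.
  - versionName: projects/${_CUSTOM_SUBSTITUTION}/secrets/client_id/versions/1
    env: CLIENT_ID
  - versionName: projects/${_CUSTOM_SUBSTITUTION}/secrets/client_secret/versions/1
    env: CLIENT_SECRET
```

Submitting this with `gcloud builds submit --config cloudbuild.yaml .` runs it without going through the trigger, which is the troubleshooting route the answer recommends.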