
Access environment variables stored in Google Secret Manager from Google Cloud Build

How can I access the variables I defined in Google Secret Manager from my Google Cloud Build pipeline?

You can access a secret from Cloud Build by using the standard Cloud Builder gcloud.

But there are 2 issues:

  1. If you want to use the secret value in another Cloud Build step, you have to store your secret in a file; that is the only way to reuse a value from one step in another one.
  2. The current Cloud Builder gcloud isn't up to date (today, 3 Feb 2020). You have to add a gcloud components update to use the correct version. I opened an issue for this.
steps:
    - name: gcr.io/cloud-builders/gcloud
      entrypoint: "bash"
      args:
          - "-c"
          - |
              # --quiet answers the update prompt; there is no TTY in a build step
              gcloud components update --quiet
              # Store the secret in a temporary file in /workspace so the next step can read it
              gcloud beta secrets versions access latest --secret=MySecretName > my-secret-file.txt
    - name: AnotherCloudBuildStepImage
      entrypoint: "bash"
      args:
          - "-c"
          - |
              # Read the secret back and pass it to a command/script
              # (quoted, so a value containing spaces or glob characters stays one argument)
              ./my-script.sh "$(cat my-secret-file.txt)"
              # Remove the file once it is no longer needed so it does not linger in the workspace
              rm -f my-secret-file.txt

Remember to grant the role Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) to the Cloud Build default service account <PROJECT_ID>@cloudbuild.gserviceaccount.com

EDIT编辑

You can access the secret from anywhere, either with the gcloud CLI installed (and initialized with a service account authorized to access secrets) or via an API call:

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
https://secretmanager.googleapis.com/v1beta1/projects/PROJECT_ID/secrets/MySecretName/versions/latest:access

Note: you receive the secret in the data field, in base64 encoded format. Don't forget to decode it before using it!

You have to generate an access token for a service account with the correct role granted. Here I use gcloud again, because it's easier. But depending on your platform, use the most appropriate method. A Python script can also do the job.


EDIT 2编辑 2

A new way to get secrets now exists in Cloud Build: less boilerplate, safer. Have a look and use this way now.
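As an added example (not part of the original question or answer), the following shell helper does in one script what the answer's EDIT describes: it calls the Secret Manager access endpoint with curl and a gcloud-issued access token, pulls the base64 "data" field out of the JSON response, decodes it, and writes the result to a file for a later build step with restrictive permissions and without echoing the value into the build log. Assumptions: it uses the v1 endpoint rather than the v1beta1 path shown above; the response has the shape {"name": ..., "payload": {"data": "<base64>"}}; PROJECT_ID, the secret name and the output path are supplied by the caller; the sample response embedded in the script is constructed so the decoding path can be exercised offline and contains no real secret material.

```bash
#!/usr/bin/env bash
# Added example, not code from the original answer. Fetch a Secret Manager
# version through the REST API and decode the base64 "data" field before
# handing it to the next Cloud Build step.
set -eu

# Constructed sample response (not real secret material, dataCrc32c is a
# placeholder) so the decoding path can be tested without network access.
SAMPLE_RESPONSE='{
  "name": "projects/123456789/secrets/MySecretName/versions/1",
  "payload": {
    "data": "c3VwZXItc2VjcmV0LXZhbHVl",
    "dataCrc32c": "0"
  }
}'

# Extract the base64 "data" field from an access response and decode it.
# Plain sed + base64, so the step image does not need jq installed.
# The pattern requires the literal "data" key, so "dataCrc32c" never matches.
decode_secret_payload() {
    response="$1"
    b64=$(printf '%s' "$response" \
        | sed -n 's/.*"data" *: *"\([^"]*\)".*/\1/p' \
        | head -n 1)
    if [ -z "$b64" ]; then
        echo "no data field in response (missing role, wrong secret name, or disabled version?)" >&2
        return 1
    fi
    printf '%s' "$b64" | base64 -d
}

# Call the access endpoint (same request as in the answer, v1 path) and print
# the decoded secret. This performs a network call and is not exercised offline.
# Assumed inputs: project id, secret name, optional version (default latest).
access_secret() {
    project="$1"
    secret="$2"
    version="${3:-latest}"
    token=$(gcloud auth print-access-token)
    response=$(curl -sS --fail \
        -H "Authorization: Bearer ${token}" \
        "https://secretmanager.googleapis.com/v1/projects/${project}/secrets/${secret}/versions/${version}:access")
    decode_secret_payload "$response"
}

# Write the secret to a file for a later build step. The subshell umask makes
# the file readable only by the current user, and nothing is printed to stdout,
# so the value never appears in the build log.
write_secret_file() {
    project="$1"
    secret="$2"
    out="$3"
    (umask 077; access_secret "$project" "$secret" > "$out")
}

# Usage inside a build step (hypothetical values):
#   write_secret_file "$PROJECT_ID" MySecretName /workspace/my-secret-file.txt
```

The next step then reads the file with "$(cat /workspace/my-secret-file.txt)" exactly as in the cloudbuild.yaml above; the quoting matters because the decoded value is raw bytes and may contain whitespace.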

