[英]How do I use Google Secrets Manager to create a docker ARG in Google Cloud Build?
I'm doing a build on GCB in which I need to install private dependencies, so am using Google Secrets Manager.我正在 GCB 上进行构建,我需要在其中安装私有依赖项,因此我正在使用 Google Secrets Manager。 My cloudbuild.yaml looks like this:我的 cloudbuild.yaml 看起来像这样:
steps:
- name: gcr.io/cloud-builders/gcloud
entrypoint: 'bash'
args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/cloud-builders/docker'
args:
- build
- '--build-arg'
- PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)
- '-t'
- 'gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME'
- .
images: [ gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME ]
But, the $(cat decrypted-pat.txt)
doesn't get evaluated.但是, $(cat decrypted-pat.txt)
没有得到评估。 Inserting: RUN echo https://${PERSONAL_ACCESS_TOKEN_GITHUB}@github.com
into my dockerfile simply echoes the literal: of course, https://$(cat decrypted-pat.txt)@github.com
is not the command I'm looking for (and yes, if I get the thing to actually echo successfully, I'll rotate the token). Inserting: RUN echo https://${PERSONAL_ACCESS_TOKEN_GITHUB}@github.com
into my dockerfile simply echoes the literal: of course, https://$(cat decrypted-pat.txt)@github.com
is not the command I'我正在寻找(是的,如果我得到实际成功回显的东西,我将旋转令牌)。
There's a note in the gcb / secrets docs gcb / secrets 文档中有一条注释
To use the secret in an environment variable, you need to prefix the variable name with an underscore "_" and escape the value using '('. For example: _VARIABLE_NAME=$(cat password.txt) && echo -n )_VARIABLE_NAME.要在环境变量中使用密钥,您需要在变量名称前加上下划线“_”并使用 '(' 转义该值。例如:_VARIABLE_NAME=$(cat password.txt) && echo -n )_VARIABLE_NAME。
But this doesn't make a lot of sense to me for use in the build args.但这对我在构建参数中使用没有多大意义。
How can I get the actual value of this secret into the container as a build arg?如何将这个秘密的实际值作为构建参数放入容器中?
As of 2021 February 10, you can access Secret Manager secrets directly from Cloud Build using the availableSecrets
field:自 2021 年 2 月 10 日起,您可以使用availableSecrets
字段直接从 Cloud Build 访问 Secret Manager 机密:
steps:
- name: 'gcr.io/cloud-builders/docker'
entrypoint: 'bash'
args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
secretManager:
- versionName: projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION
env: 'PASSWORD'
- versionName: projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION
env: 'USERNAME'
I figured out that I could circumvent the default entrypoint on the docker build step, then use a bash command straightforwardly to invoke docker.我发现我可以绕过 docker 构建步骤中的默认入口点,然后使用 bash 命令直接调用 docker。
steps:
- name: gcr.io/cloud-builders/gcloud
entrypoint: 'bash'
args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/cloud-builders/docker'
entrypoint: 'bash'
args:
- "-c"
- |
# For getting the secret and pass it to a command/script
docker build --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt) -t gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME .
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.