
How do I use Google Secrets Manager to create a docker ARG in Google Cloud Build?

I'm doing a build on GCB in which I need to install private dependencies, so am using Google Secrets Manager. My cloudbuild.yaml looks like this:

steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/cloud-builders/docker'
  args:
    - build
    - '--build-arg'
    - PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)
    - '-t'
    - 'gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME'
    - .
images: [ gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME ]

But, the $(cat decrypted-pat.txt) doesn't get evaluated. Inserting RUN echo https://${PERSONAL_ACCESS_TOKEN_GITHUB}@github.com into my Dockerfile simply echoes the literal: of course, https://$(cat decrypted-pat.txt)@github.com is not the command I'm looking for (and yes, if I get the thing to actually echo successfully, I'll rotate the token).

There's a note in the GCB / secrets docs:

To use the secret in an environment variable, you need to prefix the variable name with an underscore "_" and escape the value using '('. For example: _VARIABLE_NAME=$(cat password.txt) && echo -n )_VARIABLE_NAME.

But this doesn't make a lot of sense to me for use in the build args.

How can I get the actual value of this secret into the container as a build arg?

As of 2021 February 10, you can access Secret Manager secrets directly from Cloud Build using the availableSecrets field:

steps:
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
  secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
  secretManager:
  - versionName: projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION
    env: 'PASSWORD'
  - versionName: projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION
    env: 'USERNAME'

Documentation

I figured out that I could circumvent the default entrypoint on the docker build step, then use a bash command straightforwardly to invoke docker.

steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]

- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args:
    - "-c"
    - |
      # For getting the secret and pass it to a command/script
      docker build --build-arg PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt) -t gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME .

(fix inspired by this post)
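The two mechanics behind the fix above, as an added shell example that is not part of the original question or either answer: the decode step for the gcloud payload, and the difference between a literal args: list item and a command line that a shell parses. The helper names, the temporary file path and the constructed payload dG9rPz8- (the secret value tok??>, chosen so the URL-safe and standard base64 alphabets actually differ) are assumptions made for this example; sh -c stands in for the entrypoint: bash step, which behaves the same way.

```shell
#!/bin/sh
# Added example (not from the original post). Shows the two things that make
# the first cloudbuild.yaml fail and the second one work:
#   1. `gcloud secrets versions access --format='get(payload.data)'` prints the
#      secret as URL-safe base64, so '_' and '-' must be mapped back to '/' and
#      '+' before `base64 -d`.
#   2. Cloud Build hands `args:` to the step's entrypoint verbatim. `$(cat f)`
#      is expanded only when a shell (bash -c) parses the command line.
set -eu

# Map URL-safe base64 back to the standard alphabet and decode it.
# This is the same pipeline as the gcloud step in the answer above.
decode_secret_payload() {
    printf '%s' "$1" | tr '_-' '/+' | base64 -d
}

# Stand-in for a container entrypoint that receives argv directly, with no
# shell in between (the default docker entrypoint behaves like this).
entrypoint_without_shell() {
    printf '%s' "$1"
}

# What the docker step sees when `--build-arg NAME=$(cat file)` is a plain
# YAML list item: the literal, unexpanded string.
build_arg_without_shell() {
    entrypoint_without_shell 'PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)'
}

# What the step sees after `entrypoint: bash` plus `-c`: the shell expands
# $(cat ...) before the value reaches docker. Argument: path to the decrypted
# secret file (assumed location, constructed by the caller).
build_arg_via_shell_c() {
    secret_file="$1"
    sh -c "printf '%s' \"PERSONAL_ACCESS_TOKEN_GITHUB=\$(cat '$secret_file')\""
}

# Walk through both paths with a constructed payload.
demo() {
    workdir=$(mktemp -d)
    # Constructed payload: what gcloud would print for the secret "tok??>".
    payload='dG9rPz8-'
    decode_secret_payload "$payload" > "$workdir/decrypted-pat.txt"
    printf 'decoded secret : %s\n' "$(cat "$workdir/decrypted-pat.txt")"
    printf 'literal argv   : %s\n' "$(build_arg_without_shell)"
    printf 'via sh -c      : %s\n' "$(build_arg_via_shell_c "$workdir/decrypted-pat.txt")"
    rm -rf "$workdir"
}

demo
```

Two points worth keeping in mind when adopting either answer. In the availableSecrets variant, the $$USERNAME and $$PASSWORD spellings are needed because Cloud Build performs its own $VAR substitution on the YAML first and $$ yields a literal $ for the shell. And whichever route delivers the value, anything passed through --build-arg and consumed by a RUN instruction is recorded in the image metadata and can be read back with docker history, which is why rotating the token after a successful build, as the question's author plans to, is the right instinct.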

