[英]Access GCP Secret during Cloud Build build step
Lets say I have a cloudbuild.yaml file that looks like this:假设我有一个 cloudbuild.yaml 文件,如下所示:
steps:
- name: 'gcr.io/cloud-builders/docker'
id: build
args: ['build', '-t', 'us.gcr.io/${PROJECT_ID}/image_name', '--build-arg', 'secret=$$SECRET', '.']
secretEnv: ['SECRET']
images:
- 'us.gcr.io/${PROJECT_ID}/image_name'
availableSecrets:
secretManager:
- versionName: projects/project/secrets/my_secret/versions/latest
env: 'SECRET'
Right now, the --build-arg is assigning to the Docker secret
arg the value $SECRET
instead of the value actually stored in the secret.现在,--build-arg 正在将值
$SECRET
分配给 Docker secret
arg,而不是实际存储在 secret 中的值。 How can I access the secret value during this step?在此步骤中如何访问秘密值? All of the examples I can find online say to add a bash entrypoint however only for steps that aren't actually doing the build call.
我可以在网上找到的所有示例都说要添加一个 bash 入口点,但仅适用于实际上没有进行构建调用的步骤。
It's a usual issue with Cloud Build and Secret Manager integration.这是 Cloud Build 和 Secret Manager 集成的常见问题。 You can access to the secret only in a script, not in entry-point and arguments (your case)
您只能在脚本中访问秘密,而不能在入口点和 arguments(您的情况)中访问
Try that试试那个
steps:
- name: 'gcr.io/cloud-builders/docker'
id: build
entrypoint: 'bash'
args:
- -c
- |
docker build -t us.gcr.io/${PROJECT_ID}/image_name --build-arg secret=$$SECRET .
secretEnv: ['SECRET']
The syntax for assigning secrets to docker args seems to be slightly different to that for normal environment variables.将秘密分配给 docker args 的语法似乎与普通环境变量的语法略有不同。 The following snippet is taken from a working project of my own and correctly accesses the secret, and you can see the difference compared to the normal environment variables:
以下片段取自我自己的一个工作项目并正确访问了秘密,你可以看到与普通环境变量相比的区别:
...
env:
- PROJECT_ID=$PROJECT_ID
- NO_DEPLOY=$_NO_DEPLOY
- NO_E2E=$_NO_E2E
secretEnv:
- "EXAMPLE_API_KEY"
args:
- --destination=gcr.io/$PROJECT_ID/api
- --cache=true
- --build-arg=PROJECT_ID
- --build-arg=EXAMPLE_API_KEY
- --build-arg=NO_DEPLOY
- --build-arg=NO_E2E
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/example-api-key/versions/latest
env: "EXAMPLE_API_KEY"
...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.