Google cloud build with pack and secrets manager not accessing environment variables


I'm using a standard gcr.io/k8s-skaffold/pack build function to build my app for google cloud run using google cloud build.

In my cloudbuild.yaml I load 2 secrets from Google Secret Manager and pass them to the build function. Google Cloud Build has access to those secrets, otherwise I would get an error message for this (I got this kind of error at the beginning when setting up the build; now it seems to have access).

However, it seems like the environment variables don't get set.

I think that it might be a syntactical problem of how I try to pass the variables.

This is the stripped-down cloudbuild.yaml:

steps:
- name: gcr.io/k8s-skaffold/pack
  args:
    - build
    - '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
    - '--builder=gcr.io/buildpacks/builder:v1'
    - '--network=cloudbuild'
    - '--path=.'
    - '--env=SEC_A=$$SEC_A'
    - '--env=SEC_B=$$SEC_B'
  secretEnv: ['SEC_A', 'SEC_B']
  id: Buildpack
  entrypoint: pack

availableSecrets:
  secretManager:
  - versionName: projects/<pid>/secrets/SEC_A/versions/latest
    env: SEC_A
  - versionName: projects/<pid>/secrets/SEC_B/versions/latest
    env: SEC_B

An error message that I hacked into the build for checking shows me that the env var is empty during this build step.

I tried using $, $$ (as seen above), &&, and ${...} for substitution. But maybe the problem lies somewhere else.


Yes, it's a common issue and a trap on Cloud Build. In fact, your secrets can't be read if you use the args[] array to pass arguments. You have to use the script mode, like this:

steps:
- name: gcr.io/k8s-skaffold/pack
  entrypoint: bash
  args:
    - -c
    - |
      pack build $_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA \
        --builder=gcr.io/buildpacks/builder:v1 \
        --network=cloudbuild \
        --path=. \
        --env=SEC_A=$$SEC_A \
        --env=SEC_B=$$SEC_B
  secretEnv: ['SEC_A', 'SEC_B']
  id: Buildpack
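To see why the two forms behave differently, here is an added shell simulation (not code from the question, the answer, or Cloud Build itself) of how Cloud Build hands a step its arguments: it collapses `$$` to a literal `$` during substitution and then passes the strings straight to the entrypoint, so only a shell entrypoint ever expands `$SEC_A`. The secret value is a constructed stand-in, and `sh -c` is used in place of the answer's `bash -c`; expansion semantics are the same.

```shell
#!/bin/sh
# Constructed stand-in for the value Cloud Build injects via secretEnv.
SEC_A='constructed-secret-value'
export SEC_A

# Cloud Build's substitution pass on one argument: '$$' becomes a literal '$'.
cb_substitute() {
    printf '%s' "$1" | sed 's/\$\$/$/g'
}

# args[] mode: the substituted string is passed to the entrypoint as-is.
# No shell runs, so pack receives the literal text '--env=SEC_A=$SEC_A'
# and the variable is never resolved (the empty value seen in the question).
args_mode() {
    cb_substitute '--env=SEC_A=$$SEC_A'
}

# script mode: the substituted text is run by a shell (bash -c in the answer),
# which expands $SEC_A from the step's environment before pack sees it.
script_mode() {
    script=$(cb_substitute 'printf "%s" "--env=SEC_A=$$SEC_A"')
    sh -c "$script"
}
```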