@jmhobbs
Created December 27, 2018 22:02
Google Cloud Build Secret Environment Demo

See also: http://www.velvetcache.org/2018/12/27/using-environment-secrets-as-build-arguments-in-google-cloud-build

Creating the Secret

$ gcloud kms keyrings create tinkering --location=global
$ gcloud kms keys create cloud-build-demo --keyring=tinkering --purpose=encryption --location=global
$ echo -n "This is the super secret secret." | gcloud kms encrypt --plaintext-file=- --ciphertext-file=- --location=global --keyring=tinkering --key=cloud-build-demo | base64
CiQATajs0GI7M6ZFM68Qu+GbJTfJ/d3tqqLcHz69RY1AaHkzV20SSQDt7E4V65imqbOnq8DvieiaglxjEztxWQCwrr2Mtu+xwT6tko6FHB+NNauyos6X1nnh5x217Cwx5QbX3h0YtjOJ15I4dnHDM+I=

Example Local Build

$ cloud-build-local --dryrun=false .
2018/12/23 13:18:21 Warning: The server docker version installed (18.09.0) is different from the one used in GCB (17.12.0-ce)
2018/12/23 13:18:21 Warning: The client docker version installed (18.09.0) is different from the one used in GCB (17.12.0-ce)
Using default tag: latest
latest: Pulling from cloud-builders/metadata
Digest: sha256:bcdb85e67ab9719c6441cb80fe9e8badc6d5ab0ab8bc73ee67adc0112233d20c
Status: Image is up to date for gcr.io/cloud-builders/metadata:latest
2018/12/23 13:18:29 Started spoofed metadata server
2018/12/23 13:18:29 Build id = localbuild_9cef1240-3a68-4ec3-a273-f49cd018316d
2018/12/23 13:18:29 status changed to "BUILD"
BUILD
Starting Step #0 - "bash"
Step #0 - "bash": Already have image (with digest): gcr.io/cloud-builders/docker
Step #0 - "bash": This is the super secret secret.
Finished Step #0 - "bash"
Starting Step #1 - "docker"
Step #1 - "docker": Already have image (with digest): gcr.io/cloud-builders/docker
Step #1 - "docker": Sending build context to Docker daemon   5.12kB
Step #1 - "docker": Step 1/3 : FROM busybox
Step #1 - "docker":  ---> 59788edf1f3e
Step #1 - "docker": Step 2/3 : ARG THE_SECRET
Step #1 - "docker":  ---> Using cache
Step #1 - "docker":  ---> f289a756b157
Step #1 - "docker": Step 3/3 : RUN echo "::${THE_SECRET}::"
Step #1 - "docker":  ---> Running in 0e90f8f4f349
Step #1 - "docker": ::This is the super secret secret.::
Step #1 - "docker": Removing intermediate container 0e90f8f4f349
Step #1 - "docker":  ---> 75d19dee1d47
Step #1 - "docker": Successfully built 75d19dee1d47
Finished Step #1 - "docker"
2018/12/23 13:18:35 status changed to "DONE"
DONE
Cloud Build Configuration

steps:
- id: bash
  name: 'gcr.io/cloud-builders/docker'
  entrypoint: "bash"
  args: ['-c', 'echo "$$THE_SECRET"']
  secretEnv: ['THE_SECRET']
- id: docker
  name: 'gcr.io/cloud-builders/docker'
  args: ['build', '--build-arg', 'THE_SECRET', '.']
  secretEnv: ['THE_SECRET']
secrets:
- kmsKeyName: projects/hobbs-tinkering/locations/global/keyRings/tinkering/cryptoKeys/cloud-build-demo
  secretEnv:
    THE_SECRET: CiQATajs0GI7M6ZFM68Qu+GbJTfJ/d3tqqLcHz69RY1AaHkzV20SSQDt7E4V65imqbOnq8DvieiaglxjEztxWQCwrr2Mtu+xwT6tko6FHB+NNauyos6X1nnh5x217Cwx5QbX3h0YtjOJ15I4dnHDM+I=

Dockerfile

FROM busybox
ARG THE_SECRET
RUN echo "::${THE_SECRET}::"
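As an added defensive check (not part of the gist), the Python below walks a config equivalent to the Cloud Build configuration above and flags the two places where the decrypted value leaves the secret environment: the bash step echoes it into the build log (see the output above), and the docker step passes it as a --build-arg, which the classic docker build records in the image's layer history. The CONFIG dict is constructed here to mirror the page's config; the check functions are assumptions of this example, not a Cloud Build API.

```python
import base64

# Constructed to mirror the cloudbuild config shown on this page (not the gist's own code).
CONFIG = {
    "steps": [
        {"id": "bash", "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash",
         "args": ["-c", 'echo "$$THE_SECRET"'], "secretEnv": ["THE_SECRET"]},
        {"id": "docker", "name": "gcr.io/cloud-builders/docker",
         "args": ["build", "--build-arg", "THE_SECRET", "."], "secretEnv": ["THE_SECRET"]},
    ],
    "secrets": [{
        "kmsKeyName": "projects/hobbs-tinkering/locations/global/keyRings/tinkering"
                      "/cryptoKeys/cloud-build-demo",
        "secretEnv": {"THE_SECRET": "CiQATajs0GI7M6ZFM68Qu+GbJTfJ/d3tqqLcHz69RY1AaHkzV20SSQDt7E4V"
                                    "65imqbOnq8DvieiaglxjEztxWQCwrr2Mtu+xwT6tko6FHB+NNauyos6X1nnh"
                                    "5x217Cwx5QbX3h0YtjOJ15I4dnHDM+I="},
    }],
}


def declared_secrets(config):
    """Map secretEnv name -> base64 ciphertext across every `secrets:` block."""
    declared = {}
    for block in config.get("secrets", []):
        declared.update(block.get("secretEnv", {}))
    return declared


def check_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    declared = declared_secrets(config)
    for name, ciphertext in declared.items():
        try:  # the value must be what `gcloud kms encrypt ... | base64` emitted
            base64.b64decode(ciphertext, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"{name}: ciphertext is not valid base64")
    for step in config.get("steps", []):
        sid, args = step.get("id", "?"), step.get("args", [])
        for name in step.get("secretEnv", []):
            if name not in declared:
                findings.append(f"step {sid}: {name} is not declared under secrets")
            if "--build-arg" in args and name in args:
                # classic `docker build` records ARG values in the image's layer history
                findings.append(f"step {sid}: {name} passed as --build-arg, visible in docker history")
            if any("echo" in a and name in a for a in args):
                # the demo log above shows this: the plaintext lands in the build output
                findings.append(f"step {sid}: {name} is echoed into the build log")
    return findings
```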