-
-
Save uchilaka/45560897e7a2ef211ff9e92687fc978a to your computer and use it in GitHub Desktop.
Access Google Secret Manager from Cloud Build step
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Usage: gcloud builds submit --no-source | |
| # | |
| # Remember to first grant the cloud build service account permissions to access | |
| # secret 'foo' | |
| # | |
| # gcloud beta secrets add-iam-policy-binding foo \ | |
| # --member=serviceAccount:<project-number>@cloudbuild.gserviceaccount.com \ | |
| # --role=roles/secretmanager.secretAccessor | |
| steps: | |
| # fetch the secret and write to a volume | |
| - name: 'gcr.io/cloud-builders/gcloud' | |
| entrypoint: 'bash' | |
| args: | |
| - '-c' | |
| - | | |
| gcloud secrets versions access --secret=foo latest > /secrets/foo | |
| volumes: | |
| - name: 'secrets' | |
| path: '/secrets' | |
| # example of how to consume the secret from a separate step by reading it from | |
| # the filesystem. | |
| # NOTE: this prints the secret to the build logs, dont do this for real. | |
| - name: 'ubuntu' | |
| volumes: | |
| - name: 'secrets' | |
| path: '/secrets' | |
| args: ['cat', '/secrets/foo'] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment