Instantly share code, notes, and snippets.

Embed
What would you like to do?
Create secret on kms
#!/usr/bin/env sh
KEY=$1
VALUE=$2
INIT=$3
: "${KEYRING:=global}"
: "${LOCATION:=global}"
: "${SERVICE_ACCOUNT:?Variable not set or empty}"
gcloud () {
echo "Running: gcloud $@"
docker run \
--rm \
-t $([[ -t 0 ]] && echo "-i") \
-v kube-data:/root \
gcr.io/cloud-builders/gcloud "$@"
}
gcloud_kms_encrypt () {
KEY=$1
VALUE=$2
LOCATION=$3
KEYRING=$4
CMD="echo -n $VALUE | gcloud kms encrypt --key=$KEY --plaintext-file=- --ciphertext-file=- --location=$LOCATION --keyring=$KEYRING | base64 -w 0"
echo "Running: $CMD"
docker run \
--rm \
-v kube-data:/root \
--entrypoint= \
gcr.io/cloud-builders/gcloud \
bash -c "$CMD"
}
if [ "$INIT" = true ] ; then
gcloud kms keyrings create "$KEYRING" --location="$LOCATION"
fi
gcloud kms keys create "$KEY" --location="$LOCATION" --keyring="$KEYRING" --purpose=encryption
gcloud_kms_encrypt "$KEY" "$VALUE" "$LOCATION" "$KEYRING"
gcloud kms keys add-iam-policy-binding "$KEY" \
--location="$LOCATION" --keyring="$KEYRING" \
--member="serviceAccount:$SERVICE_ACCOUNT@cloudbuild.gserviceaccount.com" \
--role=roles/cloudkms.cryptoKeyEncrypterDecrypter
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment