@yurifrl
Created November 8, 2018 20:42
Create secret on kms
#!/usr/bin/env sh
# Usage: KEYRING=<ring> LOCATION=<loc> SERVICE_ACCOUNT=<project-number> ./create-secret.sh KEY VALUE [true]
# Creates a KMS key (and, when the third argument is "true", its keyring), encrypts VALUE
# with that key, prints the ciphertext as one base64 line, and grants the Cloud Build
# service account encrypt/decrypt rights on the key only.
set -eu

KEY=${1:?Usage: $0 KEY VALUE [INIT]}
VALUE=${2:?Usage: $0 KEY VALUE [INIT]}
INIT=${3:-false}
: "${KEYRING:=global}"
: "${LOCATION:=global}"
: "${SERVICE_ACCOUNT:?Variable not set or empty}"

# Run gcloud from the cloud-builders image; the kube-data volume keeps the gcloud
# configuration and credentials between invocations.
gcloud () {
  echo "Running: gcloud $*"
  # Only attach stdin (-i) when the script itself has a terminal on stdin.
  # The original used [[ ]], which plain sh does not provide; [ ] is portable.
  docker run \
    --rm \
    -t $([ -t 0 ] && echo "-i") \
    -v kube-data:/root \
    gcr.io/cloud-builders/gcloud "$@"
}

# Encrypt the plaintext with the given key and print the ciphertext as a single
# base64 line. The plaintext reaches the container through the environment
# (docker copies SECRET_VALUE from the caller's environment when -e is given
# without a value) instead of being interpolated into the command string, so it
# appears neither in the "Running:" log line nor in the host's process list.
gcloud_kms_encrypt () {
  key=$1
  value=$2
  location=$3
  keyring=$4
  CMD="printf '%s' \"\$SECRET_VALUE\" | gcloud kms encrypt --key=$key --plaintext-file=- --ciphertext-file=- --location=$location --keyring=$keyring | base64 -w 0"
  echo "Running: $CMD"
  SECRET_VALUE=$value docker run \
    --rm \
    -e SECRET_VALUE \
    -v kube-data:/root \
    --entrypoint= \
    gcr.io/cloud-builders/gcloud \
    bash -c "$CMD"
}

if [ "$INIT" = true ] ; then
  gcloud kms keyrings create "$KEYRING" --location="$LOCATION"
fi
gcloud kms keys create "$KEY" --location="$LOCATION" --keyring="$KEYRING" --purpose=encryption
gcloud_kms_encrypt "$KEY" "$VALUE" "$LOCATION" "$KEYRING"
# Least privilege: the binding is scoped to this one key, not to the keyring or the project.
gcloud kms keys add-iam-policy-binding "$KEY" \
  --location="$LOCATION" --keyring="$KEYRING" \
  --member="serviceAccount:$SERVICE_ACCOUNT@cloudbuild.gserviceaccount.com" \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter