Google Cloud Build doesn't substitute values in secrets section of cloudbuild.yaml


Problem description

I'm trying to create a Cloud Build trigger where secret environment variables are encrypted with cloud KMS and stored as a substitution variable in Cloud Build. This way my cloud build yaml is fairly generic and the same across all environments we're deploying to.

This cloud build yaml works fine:

steps:
- name: 'ubuntu'
  entrypoint: 'bash'
  args: ['-c', 'echo "$$APP_NAME HAS A VALUE $$HELLO_WORLD"']
  env:
    - 'APP_NAME=${_APP_NAME}'
  secretEnv:
    - 'HELLO_WORLD'
secrets:
- kmsKeyName: 'projects/my-first-cicd-project/locations/europe-west1/keyRings/keyring-dev/cryptoKeys/key-backend'
  secretEnv:
    HELLO_WORLD: xxxxxxxxxxx

The build steps produce this log line:

My App Name HAS A VALUE Hello there world!

Exactly as expected.

Now for the thing that doesn't work, or at least I can't get to work. Let's say I want to make the keyring name dynamic. I'd then replace "keyring-dev" in that yaml to ${_KMS_KEYRING_NAME}. This will produce an error like:

invalid build: failed to check access to "projects/my-first-cicd-project/locations/europe-west1/keyRings/${_KMS_KEYRING_NAME}/cryptoKeys/key-backend"

If I change the base64 string in the YAML (Starting with "CiQAH...") to a substitution variable like ${_KMS_VAR_HELLO_WORLD}, I'll get this error:

failed unmarshalling build config cloudbuild.yaml: illegal base64 data at input byte 0

FYI: the value of that base64 string does not exceed the maximum amount of characters of 255 for a variable value.

So my guess is, Cloud Build does not substitute anything in the secrets section of cloudbuild.yaml. Does anyone know a solution to this?

Recommended answer

This is a known limitation of the API.

  • Substitutions are applied to "string" fields, whereas secret values use a "bytes" field. Therefore we cannot apply substitution values to them.
  • As for the keyring name and project, changing them changes the encrypted content, and that content is not substitutable.
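As an added example (not the questioner's or the answerer's configuration) of the distinction the answer draws: the same keyring substitution that fails inside the bytes-typed secrets section works when it is passed as a plain string argument to a gcloud kms decrypt step. The substitution names _KMS_KEYRING_NAME and _KMS_KEY_NAME, the committed ciphertext file secret.enc and the workspace path are assumptions.

```yaml
# Added example, not from the original question or answer. Assumes the
# trigger defines _APP_NAME, _KMS_KEYRING_NAME and _KMS_KEY_NAME and that
# the KMS ciphertext was committed to the repository as secret.enc.
steps:
# Step 1: decrypt with a key whose ring and key names come from
# substitution variables. Every field here is string-typed, so the
# substitution is applied before the step runs.
- name: 'gcr.io/cloud-builders/gcloud'
  args:
    - 'kms'
    - 'decrypt'
    - '--ciphertext-file=secret.enc'
    - '--plaintext-file=/workspace/secret.txt'
    - '--location=europe-west1'
    - '--keyring=${_KMS_KEYRING_NAME}'
    - '--key=${_KMS_KEY_NAME}'
# Step 2: consume the plaintext from the shared /workspace volume.
# The value is checked for presence but never echoed into the build log,
# and the plaintext file is removed once it is no longer needed.
- name: 'ubuntu'
  entrypoint: 'bash'
  args:
    - '-c'
    - |
      test -s /workspace/secret.txt \
        && echo "$$APP_NAME: secret decrypted from keyring ${_KMS_KEYRING_NAME}"
      rm -f /workspace/secret.txt
  env:
    - 'APP_NAME=${_APP_NAME}'
# No "secrets:" section: that block is bytes-typed and would reject the
# same ${_KMS_KEYRING_NAME} placeholder with the access-check error above.
```

The ciphertext itself is tied to the key that produced it, so a per-environment keyring still needs a per-environment secret.enc; only the key path becomes dynamic.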
