Google Cloud Build doesn't substitute values in the secrets section of cloudbuild.yaml
Question
I'm trying to create a Cloud Build trigger where secret environment variables are encrypted with Cloud KMS and stored as a substitution variable in Cloud Build. This way my cloud build YAML is fairly generic and the same across all environments we're deploying to.
This cloud build YAML works fine:
steps:
- name: 'ubuntu'
  entrypoint: 'bash'
  args: ['-c', 'echo "$$APP_NAME HAS A VALUE $$HELLO_WORLD"']
  env:
  - 'APP_NAME=${_APP_NAME}'
  secretEnv:
  - 'HELLO_WORLD'
secrets:
- kmsKeyName: 'projects/my-first-cicd-project/locations/europe-west1/keyRings/keyring-dev/cryptoKeys/key-backend'
  secretEnv:
    HELLO_WORLD: xxxxxxxxxxx
The build step produces this log line:
My App Name HAS A VALUE Hello there world!
Exactly as expected.
Now for the thing that doesn't work, or at least that I can't get to work. Let's say I want to make the keyring name dynamic. I'd then replace "keyring-dev" in that YAML with ${_KMS_KEYRING_NAME}. This will produce an error like:
invalid build: failed to check access to "projects/my-first-cicd-project/locations/europe-west1/keyRings/${_KMS_KEYRING_NAME}/cryptoKeys/key-backend"
If I change the base64 string in the YAML (starting with "CiQAH...") to a substitution variable like ${_KMS_VAR_HELLO_WORLD}, I'll get this error:
failed unmarshalling build config cloudbuild.yaml: illegal base64 data at input byte 0
FYI: the value of that base64 string does not exceed the 255-character maximum for a substitution variable value.
So my guess is that Cloud Build does not substitute anything in the secrets section of cloudbuild.yaml. Does anyone know a solution to this?
Answer
This is a known limitation of the API.
- Substitutions apply to "string" fields, whereas the secret values use a "bytes" field. Therefore we cannot apply substitution values to them.
- As for the keyring name and project, changing them changes what was encrypted, and that is not substitutable.
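As an added illustration, not code from the question, the answer, or Google Cloud Build itself, the following Python models the three stages that the two error messages above reveal: the config is unmarshalled first (secret values are base64-decoded into a bytes field), every kmsKeyName is access-checked exactly as written, and only then are ${_VAR} substitutions expanded, and only inside string fields. The config dict is a constructed stand-in for the question's cloudbuild.yaml; the "ciphertext" is just base64 of the expected plaintext because nothing here calls KMS; and the stage order, the helper names and the error strings are assumptions chosen to reproduce the output quoted on this page, not Cloud Build's actual implementation.

```python
import base64
import binascii
import copy
import re

# User-defined Cloud Build substitutions look like ${_APP_NAME}.
SUBST_RE = re.compile(r"\$\{(_[A-Z0-9_]+)\}")
B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


class InvalidBuild(Exception):
    """Carries a message shaped like the errors quoted in the question (assumed wording)."""


def decode_std_base64(text):
    """Strict standard-alphabet base64 that reports the first bad byte, as Go's decoder does."""
    for i, ch in enumerate(text):
        if ch not in B64_ALPHABET:
            raise ValueError(f"illegal base64 data at input byte {i}")
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"illegal base64 data: {exc}") from exc


def unmarshal_build(config):
    """Stage 1: secretEnv values are a bytes field, so they are base64-decoded here,
    before any substitution has had a chance to run. A ${_VAR} placeholder dies here."""
    build = copy.deepcopy(config)
    for secret in build.get("secrets", []):
        try:
            secret["secretEnv"] = {name: decode_std_base64(value)
                                   for name, value in secret.get("secretEnv", {}).items()}
        except ValueError as exc:
            raise InvalidBuild(f"failed unmarshalling build config cloudbuild.yaml: {exc}") from exc
    return build


def check_kms_access(build):
    """Stage 2: the key name is checked as written; an unexpanded ${_VAR} names no real key."""
    for secret in build.get("secrets", []):
        key = secret["kmsKeyName"]
        if SUBST_RE.search(key):
            raise InvalidBuild(f'invalid build: failed to check access to "{key}"')


def substitute_strings(value, substitutions):
    """Stage 3: expand ${_VAR} in str leaves only; bytes and other leaves pass through untouched."""
    if isinstance(value, str):
        def repl(match):
            name = match.group(1)
            if name not in substitutions:
                raise InvalidBuild(f"invalid build: unknown substitution {name}")
            return substitutions[name]
        return SUBST_RE.sub(repl, value)
    if isinstance(value, dict):
        return {k: substitute_strings(v, substitutions) for k, v in value.items()}
    if isinstance(value, list):
        return [substitute_strings(v, substitutions) for v in value]
    return value


def resolve_build(config, substitutions):
    """Run the three stages and return, per step, the environment it would receive.
    Secret values come back as the decoded bytes (a stand-in for the KMS plaintext)."""
    build = unmarshal_build(config)
    check_kms_access(build)
    build = substitute_strings(build, substitutions)
    secret_values = {}
    for secret in build.get("secrets", []):
        secret_values.update(secret["secretEnv"])
    envs = []
    for step in build["steps"]:
        env = dict(item.split("=", 1) for item in step.get("env", []))
        for name in step.get("secretEnv", []):
            env[name] = secret_values[name].decode()
        envs.append(env)
    return envs


# Constructed stand-in for the question's cloudbuild.yaml (not real KMS ciphertext).
KEY_NAME = ("projects/my-first-cicd-project/locations/europe-west1/"
            "keyRings/keyring-dev/cryptoKeys/key-backend")
CIPHERTEXT_B64 = base64.b64encode(b"Hello there world!").decode()
WORKING_CONFIG = {
    "steps": [{"name": "ubuntu", "entrypoint": "bash",
               "args": ["-c", 'echo "$$APP_NAME HAS A VALUE $$HELLO_WORLD"'],
               "env": ["APP_NAME=${_APP_NAME}"], "secretEnv": ["HELLO_WORLD"]}],
    "secrets": [{"kmsKeyName": KEY_NAME, "secretEnv": {"HELLO_WORLD": CIPHERTEXT_B64}}],
}
SUBSTITUTIONS = {"_APP_NAME": "My App Name", "_KMS_KEYRING_NAME": "keyring-dev",
                 "_KMS_VAR_HELLO_WORLD": CIPHERTEXT_B64}


def with_dynamic_keyring(config):
    """The question's first failing variant: keyring name replaced by ${_KMS_KEYRING_NAME}."""
    broken = copy.deepcopy(config)
    broken["secrets"][0]["kmsKeyName"] = KEY_NAME.replace("keyring-dev", "${_KMS_KEYRING_NAME}")
    return broken


def with_substituted_ciphertext(config):
    """The question's second failing variant: ciphertext replaced by ${_KMS_VAR_HELLO_WORLD}."""
    broken = copy.deepcopy(config)
    broken["secrets"][0]["secretEnv"]["HELLO_WORLD"] = "${_KMS_VAR_HELLO_WORLD}"
    return broken


def try_resolve(config, substitutions=SUBSTITUTIONS):
    """Return the resolved step environments, or the error message a failing stage produced."""
    try:
        return resolve_build(config, substitutions)
    except InvalidBuild as exc:
        return str(exc)


if __name__ == "__main__":
    for cfg in (WORKING_CONFIG, with_dynamic_keyring(WORKING_CONFIG),
                with_substituted_ciphertext(WORKING_CONFIG)):
        print(try_resolve(cfg))
```

The working config resolves because the only placeholder, ${_APP_NAME}, sits in a string field that is visited at stage 3; the two broken variants never reach that stage, which is why the substitution value being under 255 characters is irrelevant.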