How do I use Google Secrets Manager to create a docker ARG in Google Cloud Build?


Problem description

I'm doing a build on GCB in which I need to install private dependencies, so am using Google Secrets Manager. My cloudbuild.yaml looks like this:

steps:
- name: gcr.io/cloud-builders/gcloud
  entrypoint: 'bash'
  args: [ '-c', "gcloud secrets versions access latest --secret=PERSONAL_ACCESS_TOKEN_GITHUB --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-pat.txt" ]
- name: 'gcr.io/cloud-builders/docker'
  args:
    - build
    - '--build-arg'
    - PERSONAL_ACCESS_TOKEN_GITHUB=$(cat decrypted-pat.txt)
    - '-t'
    - 'gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME'
    - .
images: [ gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME ]

But, the $(cat decrypted-pat.txt) doesn't get evaluated. Inserting RUN echo https://${PERSONAL_ACCESS_TOKEN_GITHUB}@github.com into my Dockerfile simply echoes the literal: of course, https://$(cat decrypted-pat.txt)@github.com is not the command I'm looking for (and yes, if I get the thing to actually echo successfully, I'll rotate the token).

The GCB secrets docs say:

To use the secret in an environment variable, you need to prefix the variable name with an underscore "_" and escape the value using '('. For example: _VARIABLE_NAME=$(cat password.txt) && echo -n )_VARIABLE_NAME.

But this doesn't make a lot of sense to me for use in the build args.

How do I get the actual value of this secret into the container as a build arg?

Recommended answer

As of 2021 February 10, you can access Secret Manager secrets directly from Cloud Build using the availableSecrets field:

steps:
# Run through bash so a shell inside the step expands the variables.
# `$$` is Cloud Build's escape for a literal `$`, so $$USERNAME and $$PASSWORD
# survive Cloud Build's own substitution pass and are expanded by bash.
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
  # Secrets listed here are injected into this step as environment variables.
  secretEnv: ['USERNAME', 'PASSWORD']
# Map Secret Manager secret versions to the environment variable names used above.
# PROJECT_ID, DOCKER_*_SECRET_NAME and DOCKER_*_SECRET_VERSION are placeholders.
availableSecrets:
  secretManager:
  - versionName: projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION
    env: 'PASSWORD'
  - versionName: projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION
    env: 'USERNAME'

Docs
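The answer above shows the availableSecrets mechanism for docker login; the following cloudbuild.yaml applies it to the question as actually asked (a GitHub token from Secret Manager consumed by a docker build). It is an added example, not the answerer's or Google's code, and it assumes a Secret Manager secret named PERSONAL_ACCESS_TOKEN_GITHUB exists and that the Cloud Build service account has been granted access to it. Two things in the question's original config are worth naming: the docker step runs the docker binary directly with the args list, so there is no shell to evaluate $(cat decrypted-pat.txt) and it is passed through literally; and the decrypted token is written into /workspace, which is also the build context passed as `.`, so a COPY . . in the Dockerfile would bake the token file into the image. The first step below does what the question asked for (a --build-arg) and carries the caveat Docker's own documentation gives: build-arg values are recorded in image metadata and can be read back with docker history. The second step is the form a practitioner should prefer: a BuildKit secret mount, which exposes the token to a single RUN instruction as a file and leaves nothing in any layer.

```yaml
# Added example (not from the original post or answer). Assumes a Secret Manager
# secret named PERSONAL_ACCESS_TOKEN_GITHUB exists in the build's project and the
# Cloud Build service account has roles/secretmanager.secretAccessor on it.
steps:

# Option A: the literal request, a --build-arg. The secret reaches the step as
# an environment variable through secretEnv; `entrypoint: bash` supplies the
# shell that expands it, and `$$` is Cloud Build's escape for a literal `$`.
# Caveat: the build-arg value is stored in the image metadata (see
# `docker history <image>`), so anyone who can pull the image can read the token.
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args:
    - '-c'
    - |
      docker build \
        --build-arg PERSONAL_ACCESS_TOKEN_GITHUB="$$PERSONAL_ACCESS_TOKEN_GITHUB" \
        -t "gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME-buildarg" .
  secretEnv: ['PERSONAL_ACCESS_TOKEN_GITHUB']

# Option B (preferred): a BuildKit secret mount. The token is written to /tmp
# inside the step container (not to /workspace, so it is neither persisted to
# later steps nor part of the build context) and handed to docker build as a
# secret. It is visible only to the RUN instruction that mounts it, at
# /run/secrets/github_token, and is never recorded in a layer or in history.
# The matching Dockerfile side is (git is used here to fetch the private
# dependency; substitute whatever package manager the project uses):
#   # syntax=docker/dockerfile:1
#   RUN --mount=type=secret,id=github_token \
#       git config --global url."https://$(cat /run/secrets/github_token)@github.com/".insteadOf "https://github.com/" \
#    && pip install -r requirements.txt
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  env: ['DOCKER_BUILDKIT=1']
  args:
    - '-c'
    - |
      umask 077
      printf '%s' "$$PERSONAL_ACCESS_TOKEN_GITHUB" > /tmp/github_token
      docker build \
        --secret id=github_token,src=/tmp/github_token \
        -t "gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME" .
      rm -f /tmp/github_token
  secretEnv: ['PERSONAL_ACCESS_TOKEN_GITHUB']

# One secret version, exposed to both steps under the same variable name.
# `latest` is convenient for a demo; pin a numbered version in production so a
# rotated token cannot silently change what a build sees.
availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/PERSONAL_ACCESS_TOKEN_GITHUB/versions/latest
    env: 'PERSONAL_ACCESS_TOKEN_GITHUB'

images: ['gcr.io/$PROJECT_ID/$REPO_NAME:$TAG_NAME']
```

With Option B the Dockerfile no longer needs an ARG at all: the RUN line that pulls the private dependency reads the token from /run/secrets/github_token and the file is gone once that instruction finishes, which is why `docker history` on the resulting image shows no trace of it. Option A is kept only to show the shape the question asked for; if it is used, treat the resulting image as containing the token and rotate it.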
