温馨提示:本文翻译自stackoverflow.com,查看原文请点击:google cloud build - How to specify secretEnv to cloudbuild.yaml via gcloud cli args or environment variables

google cloud build - 如何通过gcloud cli args或环境变量将secretEnv指定为cloudbuild.yaml

发布于 2020-03-31 23:10:35

如果遵循云构建文档,则必须在cloudbuild.yaml上指定加密的机密。

secrets:
- kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
  secretEnv:
    MY_SECRET: <base64-encoded encrypted secret>

即使已加密,我也不会在代码中提交秘密值。请告诉我另一种方式。

例如 通过gcloud的args构建提交命令或环境变量等

查看更多

提问者
Takato Horikoshi
被浏览
12
sethvargo 2020-02-01 02:05

您可以改用Google Secret Manager我们仍在更新文档,但是有一个示例如何将其与Cloud Build一起使用:

首先,创建一个秘密:

$ echo -n "my-secret-data" | gcloud beta secrets create "my-api-key" \
    --replication-policy "automatic" \
    --data-file -

授予Cloud Build Service帐户访问您的机密的权限:

$ gcloud beta secrets add-iam-policy-binding "my-api-key" \
    --member "serviceAccount:<project-number>@cloudbuild.gserviceaccount.com" \
    --role "roles/secretmanager.secretAccessor"

然后在构建步骤中检索秘密:

steps:
- name: 'gcr.io/cloud-builders/gcloud@sha256:c1dfa4702cae9416b28c45c9dcb7d48102043578d80bfdca57488f6179c2211b'
  entrypoint: 'bash'
  args:
  - '-c'
  - |
       gcloud beta secrets versions access --secret=my-api-key latest > /secrets/my-api-key
  volumes:
  - name: 'secrets'
    path: '/secrets'

- name: 'my-step'
  volumes:
  - name: 'secrets'
    path: '/secrets'
  args: # ... /secrets/my-api-key contains the secret