I am following this tutorial for getting encrypted keys into my cloudbuild YAML file. I am trying to understand how I am supposed to "use the decrypted ... file in the workspace directory" in the subsequent steps of my YAML file.
My cloudbuild step where I decrypt the keys file is as follows:
- name: gcr.io/cloud-builders/gcloud
  args: ['kms', 'decrypt', '--ciphertext-file=<encrypted_file>', '--plaintext-file=<decrypted_file>', '--location=<location>', '--keyring=<keyring>', '--key=<key>']
The tutorial is not clear on how to do this and I cannot find anything on the Internet related to this.
Any help is very appreciated.
Thanks.
When you encrypt your content with gcloud kms encrypt, you can write the output to a file in your workspace, for example:
# replace with your values
gcloud kms encrypt \
--location=global \
--keyring=my-kr \
--key=my-key \
--plaintext-file=./data-to-encrypt \
--ciphertext-file=./encrypted-data
Where ./data-to-encrypt is a file on disk that contains your plaintext secret and ./encrypted-data is the destination path on disk where the encrypted ciphertext should be written.
When working directly with the API, the interaction looks like this:
plaintext -> kms(encrypt) -> ciphertext
However, when working with gcloud, it looks like this:
plaintext-file -> gcloud(read) -> kms(encrypt) -> ciphertext -> gcloud(write)
When you invoke Cloud Build, it effectively gets a tarball of your application, minus any files specified in a .gcloudignore. That means ./encrypted-data will be available on the filesystem inside the container step:
steps:
  # decrypt ./encrypted-data (uploaded with the source) into ./my-secret
  - name: gcr.io/cloud-builders/gcloud
    args:
      - kms
      - decrypt
      - --location=global
      - --keyring=my-kr
      - --key=my-key
      - --ciphertext-file=./encrypted-data
      - --plaintext-file=./my-secret
  # the next step runs against the same filesystem, so it can read ./my-secret
  - name: gcr.io/my-project/my-image
    entrypoint: my-app
    args: ['start', '--secret=./my-secret']
At present, the only way to share data between steps in Cloud Build is with files, but all build steps have the same shared filesystem.
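The complete config the answer above describes, written out as an added example (this is not code from the original question or answer). It assumes ./encrypted-data was produced by the gcloud kms encrypt command shown earlier and is checked in next to cloudbuild.yaml; the key ring, key name and the gcr.io/my-project/my-image application image are hypothetical placeholders, and the step that calls my-app assumes that binary exists in the image. Beyond the answer's two steps, it passes the secret by file path rather than by value so the plaintext never appears in the build log or argv, and it removes the plaintext once the consuming step is done.

```yaml
# cloudbuild.yaml (added example; names below are hypothetical placeholders)
steps:
  # 1. Decrypt the checked-in ciphertext into the shared workspace.
  #    Every step's working directory is the same /workspace volume, so ./my-secret
  #    written here is visible to every later step.
  - id: decrypt-secret
    name: gcr.io/cloud-builders/gcloud
    args:
      - kms
      - decrypt
      - --location=global
      - --keyring=my-kr
      - --key=my-key
      - --ciphertext-file=./encrypted-data
      - --plaintext-file=./my-secret

  # 2. Consume the secret from the file. Pass the path, not the contents:
  #    step arguments and anything echoed end up in the build log.
  - id: use-secret
    name: gcr.io/my-project/my-image   # hypothetical application image
    entrypoint: my-app                 # assumed to exist in that image
    args: ['start', '--secret=./my-secret']

  # 3. Remove the plaintext as soon as it is no longer needed so it does not
  #    outlive the step that used it (for example if the workspace is later
  #    published as an artifact).
  - id: cleanup-secret
    name: gcr.io/cloud-builders/gcloud
    entrypoint: rm
    args: ['-f', './my-secret']
```

Two checks before running this: the original plaintext file (./data-to-encrypt in the answer's example) should be listed in .gcloudignore and never committed, since everything not ignored is uploaded with the build source; and the Cloud Build service account needs the Cloud KMS CryptoKey Decrypter role on my-key, otherwise the decrypt step fails with a permission error.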