If I follow the cloud build document, I have to specify encrypted secret on cloudbuild.yaml.
secrets:
- kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
secretEnv:
MY_SECRET: <base64-encoded encrypted secret>
Even if it is encrypted, I don't commit secret value at code. Please tell me another way.
ex. via args from gcloud builds submit command or environment variables,...etc
You can use Google Secret Manager instead. We're still updating the documentation, but there is an example of how you can use it with Cloud Build:
First, create a secret:
$ echo -n "my-secret-data" | gcloud beta secrets create "my-api-key" \
--replication-policy "automatic" \
--data-file -
Grant the Cloud Build Service Account permission to access your secret:
$ gcloud beta secrets add-iam-policy-binding "my-api-key" \
--member "serviceAccount:<project-number>@cloudbuild.gserviceaccount.com" \
--role "roles/secretmanager.secretAccessor"
Then retrieve the secret in your build steps:
steps:
- name: 'my-step'
args:
- '--secret=$$MY_SECRET'
secretEnv:
- 'MY_SECRET'
availableSecrets:
secretManager:
- env: 'MY_SECRET'
versionName: 'projects/my-project/secrets/my-secret/versions/latest'
Then retrieve the secret in your build steps:
steps:
- name: 'gcr.io/cloud-builders/gcloud@sha256:c1dfa4702cae9416b28c45c9dcb7d48102043578d80bfdca57488f6179c2211b'
entrypoint: 'bash'
args:
- '-c'
- |
gcloud beta secrets versions access --secret=my-api-key latest > /secrets/my-api-key
volumes:
- name: 'secrets'
path: '/secrets'
- name: 'my-step'
volumes:
- name: 'secrets'
path: '/secrets'
args: # ... /secrets/my-api-key contains the secret