google-cloud-platform google-cloud-build

How to dynamically pass service account to Cloud Build config?


I was trying to parametrize service account in Cloud Build configuration:

steps:
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    args: [ 'gcloud', '--help']
substitutions:
  _SERVICE_ACCOUNT: [email protected]
serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/${_SERVICE_ACCOUNT}'
options:
  logging: CLOUD_LOGGING_ONLY

but this returns error:

ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not parse service account URL

So, I guess, custom substitutions are not supported in the service account field. If this is the case, what is a recommended way to reuse cloud build configuration with different service accounts?


Solution

  • From my deep understanding of Cloud Build, it can't work.

    Think about the architecture. When you start your Cloud Build instance, you have to load all the Google Cloud standard context, such as the metadata server. The metadata server serves the credentials, and it must be known when the instance starts.

    The substitution variables are interpreted at runtime, so after the instance starts.

    Therefore, you can't interpret the service account email with a substitution variable before the instance starts, but only after. But after, it's too late to load the correct service account in the metadata server.
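Since the serviceAccount field has to be a literal resource name at the moment the config is submitted, one way to reuse a single build definition across service accounts is to render the field before submission rather than relying on build-time substitutions. The script below is an added example, not code from the question or the answer above: it renders a Cloud Build config (as JSON, which gcloud builds submit --config also accepts) for one service account chosen from an allowlist, checks that the email has the shape of a service account and that no unresolved $VAR token is left in the serviceAccount field (the condition that produced the "could not parse service account URL" error), and writes the file to submit. The project id, account emails and allowlist are constructed placeholders, and the email regex is a sanity check, not Google's authoritative naming rule.

```python
"""Render a Cloud Build config with the service account fixed before submission."""
import json
import re
import sys
from pathlib import Path

# Sanity check only (assumption): local part 6-30 chars, a *.gserviceaccount.com domain.
SA_EMAIL_RE = re.compile(
    r"^[a-z0-9][a-z0-9-]{4,28}[a-z0-9]@[a-z0-9.-]+\.gserviceaccount\.com$"
)
# Matches $VAR or ${VAR}, the substitution syntax Cloud Build would leave unresolved here.
SUBSTITUTION_RE = re.compile(r"\$\{?[A-Z_][A-Z0-9_]*\}?")

# Constructed allowlist: hypothetical project and accounts, not taken from the question.
ALLOWED_ACCOUNTS = {
    "example-project": {
        "deploy-bot@example-project.iam.gserviceaccount.com",
        "test-runner@example-project.iam.gserviceaccount.com",
    },
}


def service_account_resource(project_id: str, email: str) -> str:
    """Build the projects/.../serviceAccounts/... name the serviceAccount field expects."""
    if not SA_EMAIL_RE.match(email):
        raise ValueError(f"not a service account email: {email!r}")
    return f"projects/{project_id}/serviceAccounts/{email}"


def has_unresolved_substitution(config: dict) -> bool:
    """True if serviceAccount still carries a $VAR / ${VAR} token (rejected at submit time)."""
    return bool(SUBSTITUTION_RE.search(config.get("serviceAccount", "")))


def render_config(project_id: str, email: str) -> dict:
    """Produce a literal, ready-to-submit config for one approved service account."""
    if email not in ALLOWED_ACCOUNTS.get(project_id, set()):
        raise PermissionError(f"{email} is not approved for builds in {project_id}")
    config = {
        "steps": [
            {"name": "gcr.io/google.com/cloudsdktool/cloud-sdk", "args": ["gcloud", "--help"]}
        ],
        "serviceAccount": service_account_resource(project_id, email),
        "options": {"logging": "CLOUD_LOGGING_ONLY"},
    }
    # Guard against a template that still contains substitution syntax.
    if has_unresolved_substitution(config):
        raise ValueError("serviceAccount must be literal when the config is submitted")
    return config


def write_config(project_id: str, email: str, out_dir: str = ".") -> Path:
    """Write cloudbuild.<account>.json and return its path."""
    config = render_config(project_id, email)
    path = Path(out_dir) / f"cloudbuild.{email.split('@')[0]}.json"
    path.write_text(json.dumps(config, indent=2) + "\n")
    return path


if __name__ == "__main__":
    # Usage: python render_cloudbuild.py <project-id> <service-account-email>
    out = write_config(sys.argv[1], sys.argv[2])
    print(f"gcloud builds submit --config {out} .")
```

Keeping the allowlist in the script (or in a file reviewed with the build definition) means a build can only be submitted under an account that was deliberately approved for that project, which is the least-privilege property a per-build service account is meant to provide.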