How to pass multiple environment variables as secrets using Google Cloud Build with KMS in cloudbuild.yaml?

0
votes

How should I edit my cloudbuild.yaml file so that I can pass multiple environment variables as secrets?

I have stored two authentication tokens in two separate files, SECRET1.txt and SECRET2.txt on my local machine's current working directory.

I want to pass both these authentication tokens as secrets to Google Cloud Build using KMS.

How should the cloudbuild.yaml file look like so that my tokens are safely accessed by Cloud Build?

I tried to use encrypted secrets found here https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials

Here is what I tried for cloudbuild.yaml:

steps:
- name: "gcr.io/cloud-builders/gcloud"
  secretEnv: ['SECRET1', 'SECRET2']
timeout: "1600s"

secrets:
- kmsKeyName: projects/<Project-Name>/locations/global/keyRings/<Key-Ring-Name>/cryptoKeys/<Key-Name>
  secretEnv:
    SECRET1: <encrypted-key-base64 here>
    SECRET2: <encrypted-key-base64 here>

I am getting this error message: Error

Cloud Build is able to read the token(I have struck it out using RED ink here Error), yet it outputs an error message saying that 'Error: ENOENT: no such file or directory'.

Can anyone tell me what went wrong in my approach and why Cloud Build is not able to access these authentication tokens(secrets)?

1
node.jsgoogle-app-enginegoogle-cloud-platformgoogle-cloud-build
When posting a question include the results and error messages. - John Hanley

1 Answers

0
votes

If you are decrypting a value to use as an env var for a build step, you could use the following setup as you described.

steps:
  - name: "gcr.io/cloud-builders/gcloud"
    secretEnv: ['SECRET1', 'SECRET2', ...]
    timeout: "1600s"

secrets:
  - kmsKeyName: projects/[Project-Name]/locations/global/keyRings/[Key-Ring-Name]/cryptoKeys/[Key-Name]
    secretEnv:
      SECRET1: [encrypted-base64-encoded-secret]
      SECRET2: [encrypted-base64-encoded-secret]

However, if you are decrypting a files, you would need to decrypt them in build steps prior to where they are being used, like so:

steps:
  - name: "gcr.io/cloud-builders/gcloud"
    args:
      - kms
      - decrypt
      - --ciphertext-file=SECRET1.txt.enc
      - --plaintext-file=SECRET1.txt
      - --project=$PROJECT_ID
      - --location=global
      - --keyring=[KEYRING-NAME]
      - --key=[KEY-NAME]

  - name: "gcr.io/cloud-builders/gcloud"
    args:
      - kms
      - decrypt
      - --ciphertext-file=SECRET2.txt.enc
      - --plaintext-file=SECRET2.txt
      - --project=$PROJECT_ID
      - --location=global
      - --keyring=[KEYRING-NAME]
      - --key=[KEY-NAME]

  - name: "gcr.io/cloud-builders/gcloud"
    args:
      - [something that uses SECRET1.txt and SECRET2.txt]
    timeout: "1600s"