3
votes

Greetings stackoverflow community! First time asker, long time user.

I am testing out my cloudbuild.yaml file locally using Cloud Build Local component and Secret Manager and it is failing on "availableSecrets".

Error message: Error loading config file: unknown field "availableSecrets" in cloudbuild.Build

  • OS Platform: Windows 10/WSL2/Ubuntu 18.04
  • cloud-build-local: v0.5.2
  • Docker engine: v20.10.2
  • Nodejs version: v14.15.3
  • NPM version: 6.14.9
  • gcloud version: 326.0.0
  • Installed components: [BigQuery Command Line Tool, Cloud Datastore Emulator, Cloud SDK Core Libraries, Cloud Storage Command Line Tool, Google Cloud Build Local Builder, gcloud Beta Commands]

  • Documentation on Cloud Build build file: https://cloud.google.com/cloud-build/docs/build-config
  • Documentation to configure secrets with cloud build: https://cloud.google.com/cloud-build/docs/securing-builds/use-secrets
  • Documentation for cloud build local: https://cloud.google.com/cloud-build/docs/build-debug-locally

Steps performed:

  1. Added secrets to Secret Manager
  2. Enabled API between Cloud Build and Secret Manager
  3. Added cloudbuild service account as member of each secret password.
  4. Added IAM permission Secret Manager Secrets Accessor to cloudbuild user. I don't know where I got this info from but it is residual at this point from other attempts to use Secret Manager with cloudbuild. I am not sure of the difference between applying access here vs applying to the Secret Manager secret.

Command: cloud-build-local --config=cloudbuild.staging.yaml --dryrun=false .

cloudbuild.staging.yaml:

```yaml
steps:
- name: gcr.io/cloud-builders/npm
  entrypoint: 'npm'
  args: [ 'install' ]
- name: 'gcr.io/cloud-builders/gcloud'
  args: ["app", "deploy"]
  env:
  - 'DAO_FACTORY=datastore'
  - 'POLL_INTERVAL=15'
  - 'PROMPT=staging>'
  - 'ENVIRONMENT=staging'
  - 'NAMESPACE=staging'
  - 'RESET_DATASTORE=false'
  secretEnv: ['ADMIN_USER', 'SUPER_ADMINS', 'BOT_TOKEN']
availableSecrets:
  secretManager:
  - versionName: projects/{project token}/secrets/SYSTEM_USER/versions/1
    env: 'ADMIN_USER'
  - versionName: projects/{project token}/secrets/SUPER_ADMINS/versions/1
    env: 'SUPER_ADMINS'
  - versionName: projects/{project token}/secrets/BOT_TOKEN/versions/2
    env: 'BOT_TOKEN'
```


Tag: cloud-build-local. I guess without reputation a meaningful tag cannot be created. Maybe an esteemed community member will create this as this may be specific to cloud-build-local only.
2
The feature is very very new (less than 1 week). Did you get the latest version of cloudbuild local? - guillaume blaquiere
Yeah, I figured that may be the case; I am never this close to a release :). I pushed the cloudbuild file with availableSecrets and it worked fine. I have other cloud build issues now but I will open a new ticket if I have some questions. Thank you for the validation. - Dan Doyle

2 Answers

0
votes

Support for Google Secret Manager in the Google Cloud Build descriptor file is apparently very new and does not appear to be supported by the cloud-build-local component at this time; please see the comment from Guillaume about the feature being a week old. When the cloud build descriptor is run in Cloud Build, it works fine.
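
A pre-flight check for the secret wiring in a build config like the one in the question, as an added example that is not part of the original posts or of any Google tooling: it confirms that every `secretEnv` name has a matching `availableSecrets` entry with a well-formed `versionName`. The function name `lint_secrets`, the `PROJECT_ID` placeholder and the JSON rendering of the config are assumptions made for the example.

```python
import json
import re

# Constructed sample: the question's build config expressed as JSON (Cloud Build
# accepts JSON as well as YAML). PROJECT_ID is a placeholder, not a real project.
SAMPLE_CONFIG = """
{
  "steps": [
    {"name": "gcr.io/cloud-builders/npm", "entrypoint": "npm", "args": ["install"]},
    {"name": "gcr.io/cloud-builders/gcloud", "args": ["app", "deploy"],
     "secretEnv": ["ADMIN_USER", "SUPER_ADMINS", "BOT_TOKEN"]}
  ],
  "availableSecrets": {"secretManager": [
    {"versionName": "projects/PROJECT_ID/secrets/SYSTEM_USER/versions/1", "env": "ADMIN_USER"},
    {"versionName": "projects/PROJECT_ID/secrets/SUPER_ADMINS/versions/1", "env": "SUPER_ADMINS"},
    {"versionName": "projects/PROJECT_ID/secrets/BOT_TOKEN/versions/2", "env": "BOT_TOKEN"}
  ]}
}
"""

VERSION_NAME = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/[^/]+$")

def lint_secrets(config_text):
    """Return (level, message) findings about how steps reference secrets."""
    build = json.loads(config_text)
    findings, declared, used = [], {}, set()
    for entry in build.get("availableSecrets", {}).get("secretManager", []):
        env, version = entry.get("env"), entry.get("versionName", "")
        if not VERSION_NAME.match(version):
            findings.append(("error", f"{env}: malformed versionName {version!r}"))
        if env in declared:
            findings.append(("error", f"{env}: declared more than once"))
        declared[env] = version
    for i, step in enumerate(build.get("steps", [])):
        for env in step.get("secretEnv", []):
            used.add(env)
            if env not in declared:
                findings.append(("error", f"step {i}: secretEnv {env!r} has no availableSecrets entry"))
    for env in sorted(set(declared) - used):
        findings.append(("warning", f"{env}: declared but no step lists it in secretEnv"))
    if "availableSecrets" in build:
        findings.append(("info", "uses availableSecrets; run in Cloud Build if the local builder rejects the field"))
    return findings

if __name__ == "__main__":
    for level, message in lint_secrets(SAMPLE_CONFIG):
        print(f"{level}: {message}")
```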

0
votes

I fixed a similar issue by upgrading the gcloud tool.