Access Google Secret Manager from Cloud Build step
# Cloud Build config: read a Secret Manager secret in one step and hand it to
# a later step through a shared volume.
#
# Usage: gcloud builds submit --no-source
#
# The Cloud Build service account needs read access to secret 'foo' first:
#
#   gcloud beta secrets add-iam-policy-binding foo \
#     --member=serviceAccount:<project-number>@cloudbuild.gserviceaccount.com \
#     --role=roles/secretmanager.secretAccessor
steps:
  # Step 1: resolve the latest version of secret 'foo' and persist it, in
  # plaintext, as a file on the 'secrets' volume so later steps can read it
  # from disk. Any step that mounts this volume can read the value.
  - name: gcr.io/cloud-builders/gcloud
    entrypoint: bash
    args:
      - '-c'
      - |
        gcloud secrets versions access --secret=foo latest > /secrets/foo
    volumes:
      - name: secrets
        path: /secrets

  # Step 2: consume the secret from the filesystem in an unrelated image.
  # NOTE: `cat` writes the secret value into the build log; this step is a
  # demonstration only, a real pipeline must never echo the file's contents.
  - name: ubuntu
    volumes:
      - name: secrets
        path: /secrets
    args:
      - cat
      - /secrets/foo