Cloud Key Management Service adalah layanan Google Cloud yang memungkinkan Anda mengelola dan menggunakan kunci kriptografis. Halaman ini menjelaskan cara menggunakan informasi terenkripsi dari Cloud KMS di Cloud Build.
Sebelum memulai
-
Enable the Cloud Build and Cloud KMS APIs.
Untuk menggunakan contoh command line dalam panduan ini, instal dan konfigurasikan Google Cloud CLI.
Enkripsi informasi sensitif menggunakan Cloud KMS. Cloud KMS menyimpan konten terenkripsi Anda dalam file.
[OPSIONAL] Untuk mengonfigurasi build agar menggunakan data terenkripsi, konversikan ENCRYPTED_FILE ke base64 (langkah ini tidak diperlukan untuk konfigurasi build yang menggunakan file terenkripsi):
base64 ENCRYPTED_FILE
Izin IAM yang diperlukan
Berikan peran IAM
Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter)
ke akun layanan build:
Di konsol Google Cloud, buka halaman Setelan Cloud Build:
Temukan baris dengan peran Pendekripsi Cloud KMS CryptoKey dan tetapkan Status-nya ke ENABLED.
Mengonfigurasi build untuk menggunakan data terenkripsi
Di direktori utama project, buat file konfigurasi build Cloud Build bernama
cloudbuild.yamlataucloudbuild.json.Dalam file konfigurasi build Anda:
- Setelah semua build
steps, tambahkan kolomavailableSecretsuntuk menentukan nilai terenkripsi sebagai variabel lingkungan dankmsKeyNameyang akan digunakan untuk mendekripsinya. Anda dapat menggunakan variabel penggantian dalam nilaikmsKeyName. - Pada langkah build tempat Anda ingin menentukan secret:
- Tambahkan kolom
entrypointyang mengarah kebashuntuk menggunakan alat bash di langkah build. Hal ini diperlukan untuk merujuk ke variabel lingkungan untuk secret. - Tambahkan kolom
secretEnvyang menentukan variabel lingkungan untuk nilai terenkripsi. - Di kolom
args, tambahkan flag-csebagai argumen pertama. Setiap string yang Anda teruskan setelah -c akan diperlakukan sebagai perintah. Untuk informasi selengkapnya tentang cara menjalankan perintah bash dengan -c, lihat dokumentasi bash. - Saat menentukan nilai terenkripsi di kolom
args, tentukan menggunakan variabel lingkungan yang diawali dengan$$.
- Tambahkan kolom
The following example build config file shows how to login to Docker and pull a private image:
YAML
steps: - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD'] secretEnv: ['USERNAME', 'PASSWORD'] - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', 'docker pull $$USERNAME/IMAGE:TAG'] secretEnv: ['USERNAME'] availableSecrets: inline: - kmsKeyName: projects/PROJECT_ID/locations/global/keyRings/USERNAME_KEYRING_NAME/cryptoKeys/USERNAME_KEY_NAME envMap: USERNAME: 'ENCRYPTED_USERNAME' - kmsKeyName: projects/PROJECT_ID/locations/global/keyRings/PASSWORD_KEYRING_NAME/cryptoKeys/PASSWORD_KEY_NAME envMap: PASSWORD: 'ENCRYPTED_PASSWORD'JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=$$USERNAME --password=$$PASSWORD" ], "secretEnv": [ "USERNAME", "PASSWORD" ] }, { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker pull $$USERNAME/REPOSITORY:TAG" ], "secretEnv": [ "USERNAME" ] } ], "availableSecrets": { "inline": [{ "kmsKeyName": "projects/PROJECT_ID/locations/global/keyRings/USERNAME_KEYRING_NAME/cryptoKeys/USERNAME_KEY_NAME", "envMap": { "USERNAME": "ENCRYPTED_USERNAME" } }, { "kmsKeyName": "projects/PROJECT_ID/locations/global/keyRings/PASSWORD_KEYRING_NAME/cryptoKeys/PASSWORD_KEY_NAME", "envMap": { "PASSWORD": "ENCRYPTED_PASSWORD" } }] } }Replace the placeholder values in the above commands with the following:
PROJECT_ID: The ID of the Google Cloud project which contains your Cloud KMS service.USERNAME_KEYRING_NAME: The key ring name of your Docker username.USERNAME_KEY_NAME: The key name of your Docker username.ENCRYPTED_USERNAME: Your encrypted Docker username in base64 format.PASSWORD_KEYRING_NAME: The key ring name of your Docker password.PASSWORD_KEY_NAME: The key name of your Docker password.ENCRYPTED_PASSWORD: Your encrypted Docker password in base64 format.REPOSITORY: The name of your Docker repository from where you're pulling the image.TAG: The tag name of your image.
- Setelah semua build
Use the build config file to manually start a build or to automate builds using triggers.
Configuring builds to use encrypted files
In your project root directory, create a Cloud Build build config file named
cloudbuild.yamlorcloudbuild.json.In your build config file, before any build steps that interact with the decrypted file, add a
gcloudbuild step to decrypt the encrypted file using the encryption key. The following example build config file shows how to login to Docker using the encrypted file with Docker password:YAML
steps: - name: gcr.io/cloud-builders/gcloud args: - kms - decrypt - "--ciphertext-file=ENCRYPTED_PASSWORD_FILE" - "--plaintext-file=PLAINTEXT_PASSWORD_FILE" - "--location=global" - "--keyring=KEYRING_NAME" - "--key=KEY_NAME" - name: gcr.io/cloud-builders/docker entrypoint: bash args: - "-c" - docker login --username=DOCKER_USERNAME --password-stdin < PLAINTEXT_PASSWORD_FILEJSON
{ "steps": [ { "name": "gcr.io/cloud-builders/gcloud", "args": [ "kms", "decrypt", "--ciphertext-file=ENCRYPTED_PASSWORD_FILE", "--plaintext-file=PLAINTEXT_PASSWORD_FILE", "--location=global", "--keyring=KEYRING_NAME", "--key=KEY_NAME" ] }, { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=DOCKER_USERNAME --password-stdin < PLAINTEXT_PASSWORD_FILE" ] } ] }Replace the placeholder values in the above commands with the following:
KEYRING_NAME: The key ring name of your Docker password.KEY_NAME: The key name of your Docker password.ENCRYPTED_PASSWORD_FILE: Encrypted file with your Docker password.PLAINTEXT_PASSWORD_FILE: Plaintext file with your Docker password.
Use the build config file to manually start a build or to automate builds using triggers.
Configuring builds to use encrypted data (legacy)
To encrypt sensitive data using Cloud KMS and use that data in a build config file:
In your build config file, add a
secretsfield to specify the encrypted value and theCryptoKeyto use to decrypt it. Then, in the build step where you want to use the encrypted variable, add asecretEnvfield to specify the variable as an environment variable. Include the variable's name in thesecretEnvfield. If you specify the variable value, or a non-secret environment variable with the same name, Cloud Build throws an error.YAML
steps: - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', 'docker login --username=user-name --password=$$PASSWORD'] secretEnv: ['PASSWORD'] - name: 'gcr.io/cloud-builders/docker' args: ['push', 'user-name/myubuntu'] secrets: - kmsKeyName: projects/project-id/locations/global/keyRings/keyring-name/cryptoKeys/key-name secretEnv: PASSWORD: 'encrypted-password'JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=user-name --password=$$PASSWORD" ], "secretEnv": [ "PASSWORD" ] }, { "name": "gcr.io/cloud-builders/docker", "args": [ "push", "user-name/myubuntu" ] } ], "secrets": [ { "kmsKeyName": "projects/project-id/locations/global/keyRings/keyring-name/cryptoKeys/key-name", "secretEnv": { "PASSWORD": "encrypted-password" } } ] }Langkah selanjutnya
- Pelajari cara mengonfigurasi build untuk mengakses secret dari Secret Manager.
- Pelajari cara mengakses repositori GitHub pribadi.
Kecuali dinyatakan lain, konten di halaman ini dilisensikan berdasarkan Lisensi Creative Commons Attribution 4.0, sedangkan contoh kode dilisensikan berdasarkan Lisensi Apache 2.0. Untuk mengetahui informasi selengkapnya, lihat Kebijakan Situs Google Developers. Java adalah merek dagang terdaftar dari Oracle dan/atau afiliasinya.
Terakhir diperbarui pada 2024-12-21 UTC.