Cloud Key Management Service 是 Google Cloud 服务,可让您管理和使用加密密钥。本页面介绍如何在 Cloud Build 中使用 Cloud KMS 中的加密信息。
准备工作
-
Enable the Cloud Build and Cloud KMS APIs.
如需使用本指南中的命令行示例,请安装并配置 Google Cloud CLI。
使用 Cloud KMS 加密敏感信息。Cloud KMS 将加密内容保存在文件中。
[可选] 如需将构建配置为使用加密数据,请将 ENCRYPTED_FILE 转换为 base64(对于使用加密文件的构建配置,无需执行此步骤):
base64 ENCRYPTED_FILE
必需的 IAM 权限
授予
Cloud KMS CryptoKey Decrypter (roles/cloudkms.cryptoKeyDecrypter
)
授予构建服务账号的 IAM 角色:
在 Google Cloud 控制台中,前往 Cloud Build 设置页面:
找到具有 Cloud KMS CryptoKey Decrypter 角色的行,并将其状态设置为已启用。
配置构建以使用加密数据
在项目根目录中,创建一个名为
cloudbuild.yaml
或cloudbuild.json
的Cloud Build 构建配置文件。在您的构建配置文件中:
- 在所有构建
steps
之后,添加availableSecrets
字段以将加密值指定为环境变量,以及添加kmsKeyName
以用于解密该值。您可以在kmsKeyName
的值中使用替代变量。 - 在您要指定 Secret 的构建步骤中:
- 添加指向
bash
的entrypoint
字段,以在构建步骤中使用 bash 工具。这是引用 Secret 的环境变量所必需的。 - 添加
secretEnv
字段以指定加密值的环境变量。 - 在
args
字段中,添加-c
标志作为第一个参数。您在 -c 之后传递的任何字符串均被视为命令。如需详细了解如何使用 -c 运行 bash 命令,请参阅 bash 文档。 - 在
args
字段中指定加密值时,请使用前缀为$$
.
- 添加指向
The following example build config file shows how to login to Docker and pull a private image:
YAML
steps: - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD'] secretEnv: ['USERNAME', 'PASSWORD'] - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', 'docker pull $$USERNAME/IMAGE:TAG'] secretEnv: ['USERNAME'] availableSecrets: inline: - kmsKeyName: projects/PROJECT_ID/locations/global/keyRings/USERNAME_KEYRING_NAME/cryptoKeys/USERNAME_KEY_NAME envMap: USERNAME: 'ENCRYPTED_USERNAME' - kmsKeyName: projects/PROJECT_ID/locations/global/keyRings/PASSWORD_KEYRING_NAME/cryptoKeys/PASSWORD_KEY_NAME envMap: PASSWORD: 'ENCRYPTED_PASSWORD'
的环境变量指定该加密值JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=$$USERNAME --password=$$PASSWORD" ], "secretEnv": [ "USERNAME", "PASSWORD" ] }, { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker pull $$USERNAME/REPOSITORY:TAG" ], "secretEnv": [ "USERNAME" ] } ], "availableSecrets": { "inline": [{ "kmsKeyName": "projects/PROJECT_ID/locations/global/keyRings/USERNAME_KEYRING_NAME/cryptoKeys/USERNAME_KEY_NAME", "envMap": { "USERNAME": "ENCRYPTED_USERNAME" } }, { "kmsKeyName": "projects/PROJECT_ID/locations/global/keyRings/PASSWORD_KEYRING_NAME/cryptoKeys/PASSWORD_KEY_NAME", "envMap": { "PASSWORD": "ENCRYPTED_PASSWORD" } }] } }
Replace the placeholder values in the above commands with the following:
PROJECT_ID
: The ID of the Google Cloud project which contains your Cloud KMS service.USERNAME_KEYRING_NAME
: The key ring name of your Docker username.USERNAME_KEY_NAME
: The key name of your Docker username.ENCRYPTED_USERNAME
: Your encrypted Docker username in base64 format.PASSWORD_KEYRING_NAME
: The key ring name of your Docker password.PASSWORD_KEY_NAME
: The key name of your Docker password.ENCRYPTED_PASSWORD
: Your encrypted Docker password in base64 format.REPOSITORY
: The name of your Docker repository from where you're pulling the image.TAG
: The tag name of your image.
- 在所有构建
Use the build config file to manually start a build or to automate builds using triggers.
Configuring builds to use encrypted files
In your project root directory, create a Cloud Build build config file named
cloudbuild.yaml
orcloudbuild.json
.In your build config file, before any build steps that interact with the decrypted file, add a
gcloud
build step to decrypt the encrypted file using the encryption key. The following example build config file shows how to login to Docker using the encrypted file with Docker password:YAML
steps: - name: gcr.io/cloud-builders/gcloud args: - kms - decrypt - "--ciphertext-file=ENCRYPTED_PASSWORD_FILE" - "--plaintext-file=PLAINTEXT_PASSWORD_FILE" - "--location=global" - "--keyring=KEYRING_NAME" - "--key=KEY_NAME" - name: gcr.io/cloud-builders/docker entrypoint: bash args: - "-c" - docker login --username=DOCKER_USERNAME --password-stdin < PLAINTEXT_PASSWORD_FILE
JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/gcloud", "args": [ "kms", "decrypt", "--ciphertext-file=ENCRYPTED_PASSWORD_FILE", "--plaintext-file=PLAINTEXT_PASSWORD_FILE", "--location=global", "--keyring=KEYRING_NAME", "--key=KEY_NAME" ] }, { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=DOCKER_USERNAME --password-stdin < PLAINTEXT_PASSWORD_FILE" ] } ] }
Replace the placeholder values in the above commands with the following:
KEYRING_NAME
: The key ring name of your Docker password.KEY_NAME
: The key name of your Docker password.ENCRYPTED_PASSWORD_FILE
: Encrypted file with your Docker password.PLAINTEXT_PASSWORD_FILE
: Plaintext file with your Docker password.
Use the build config file to manually start a build or to automate builds using triggers.
Configuring builds to use encrypted data (legacy)
To encrypt sensitive data using Cloud KMS and use that data in a build config file:
In your build config file, add a
secrets
field to specify the encrypted value and theCryptoKey
to use to decrypt it. Then, in the build step where you want to use the encrypted variable, add asecretEnv
field to specify the variable as an environment variable. Include the variable's name in thesecretEnv
field. If you specify the variable value, or a non-secret environment variable with the same name, Cloud Build throws an error.YAML
steps: - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', 'docker login --username=user-name --password=$$PASSWORD'] secretEnv: ['PASSWORD'] - name: 'gcr.io/cloud-builders/docker' args: ['push', 'user-name/myubuntu'] secrets: - kmsKeyName: projects/project-id/locations/global/keyRings/keyring-name/cryptoKeys/key-name secretEnv: PASSWORD: 'encrypted-password'
JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=user-name --password=$$PASSWORD" ], "secretEnv": [ "PASSWORD" ] }, { "name": "gcr.io/cloud-builders/docker", "args": [ "push", "user-name/myubuntu" ] } ], "secrets": [ { "kmsKeyName": "projects/project-id/locations/global/keyRings/keyring-name/cryptoKeys/key-name", "secretEnv": { "PASSWORD": "encrypted-password" } } ] }
后续步骤
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2024-12-22。