本页面介绍如何在 Cloud Build 中添加密码和 API 密钥等敏感信息。
Secret Manager 是 Google Cloud 服务,可安全存储 API 密钥、密码和其他敏感数据。 如需在构建中包含敏感信息,您可以将信息存储在 Secret Manager 中,然后将构建配置为从 Secret Manager 中访问信息。
准备工作
-
Enable the Cloud Build and Secret Manager APIs.
如需使用本指南中的命令行示例,请安装并配置 Google Cloud CLI。
确保您已将 Secret 存储在 Secret Manager 中。如需了解相关说明,请参阅创建 Secret。
- 记下 Secret 的 Secret 名称和 Secret 版本。您需要使用此信息将 Cloud Build 配置为访问 Secret。
必需的 IAM 权限
授予 Secret Manager Secret Accessor
(roles/secretmanager.secretAccessor
) IAM 角色
用于构建的服务账号的 Secret:
在 Google Cloud 控制台中打开 Secret Manager 页面:
选中您要在构建中使用的 Secret 对应的复选框。
如果面板尚未打开,请点击显示信息面板将其打开。
在面板中的权限下,点击添加主账号。
在新的主账号字段中,输入您的服务的电子邮件地址 。
在选择角色下拉框中,选择 Secret Manager Secret Accessor。
点击保存。
配置构建以从 Secret Manager 访问 UTF-8 Secret
在项目根目录中,创建一个名为
cloudbuild.yaml
或cloudbuild.json
Cloud Build 配置文件。在构建配置文件中:
- 在所有构建
steps
之后,添加availableSecrets
字段以指定用于密文的密文版本和环境变量。您可以在secretVersion
字段的值中添加替代变量。您可以在构建中指定多个 Secret。 - 在您要指定 Secret 的构建步骤中:
- 添加指向
bash
的entrypoint
字段,以在构建步骤中使用 bash 工具。这是引用环境变量的必要条件 密钥。 - 添加
secretEnv
字段以指定环境变量。 - 在
args
字段中,添加-c
标志作为第一个参数。您在-c
之后传递的任何字符串均被视为命令。如需详细了解如何使用-c
运行 bash 命令,请参阅 bash 文档。 - 在
args
字段中指定 Secret 时,使用 前缀为$$
.
- 添加指向
The following example build config file shows how to login to Docker using the Docker username and password stored in Secret Manager.
YAML
steps: - name: 'gcr.io/cloud-builders/docker' entrypoint: 'bash' args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD'] secretEnv: ['USERNAME', 'PASSWORD'] availableSecrets: secretManager: - versionName: projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION env: 'PASSWORD' - versionName: projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION env: 'USERNAME'
JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=$$USERNAME --password=$$PASSWORD" ], "secretEnv": [ "USERNAME", "PASSWORD" ] } ], "availableSecrets": { "secretManager": [{ "versionName": "projects/PROJECT_ID/secrets/DOCKER_PASSWORD_SECRET_NAME/versions/DOCKER_PASSWORD_SECRET_VERSION", "env": "PASSWORD" }, { "versionName": "projects/PROJECT_ID/secrets/DOCKER_USERNAME_SECRET_NAME/versions/DOCKER_USERNAME_SECRET_VERSION", "env": "USERNAME" }] } }
Replace the placeholder values in the above commands with the following:
PROJECT_ID
: The ID of the Google Cloud project where you've stored your secrets.DOCKER_USERNAME_SECRET_NAME
: The secret name corresponding to your Docker username. You can get the secret name from the Secret Manager page in the Google Cloud console.DOCKER_USERNAME_SECRET_VERSION
: The secret version of your Docker username. You can get the secret version by clicking on a secret name on the Secret Manager page in the Google Cloud console.DOCKER_PASSWORD_SECRET_NAME
: The secret name corresponding to your Docker password. You can get the secret name from the Secret Manager page in the Google Cloud console.DOCKER_PASSWORD_SECRET_VERSION
: The secret version of your Docker password. You can get the secret version by clicking on a secret name on the Secret Manager page in the Google Cloud console.
- 在所有构建
Use the build config file to start a build using the command line or to automate builds using triggers.
Example: Accessing secrets from scripts and processes
secretEnv
field adds the value of the secret to the environment and you can
access this value via environment variable from scripts or processes:
YAML
steps:
- name: python:slim
entrypoint: python
args: ['main.py']
secretEnv: ['MYSECRET']
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/mySecret/versions/latest
env: 'MYSECRET'
JSON
{
"steps": [
{
"name": "python:slim",
"entrypoint": "python",
"args": [
"main.py"
],
"secretEnv": [
"MYSECRET"
]
}
],
"availableSecrets": {
"secretManager": [
{
"versionName": "projects/$PROJECT_ID/secrets/mySecret/versions/latest",
"env": "MYSECRET"
}
]
}
}
The following contents of main.py
prints the first five characters of the secret:
import os
print(os.environ.get("MYSECRET", "Not Found")[:5], "...")
Example: authenticating to Docker
In some situations, before interacting with Docker images, your build would need to authenticate to Docker. For example, Docker authentication is required for builds to pull private images and push private or public images to Docker Hub. In these cases, you can store your Docker username and password in Secret Manager and then configure Cloud Build to access the username and password from Secret Manager. For instructions on doing this see Interacting with Docker Hub images.
Example: GitHub pull request creation
Another example where you might want to configure your build to access a sensitive information from Secret Manager is for creating a GitHub pull request in response to builds. To do this:
- Create a GitHub token.
- Store the GitHub token in Secret Manager.
- In your build config file:
- After all the build
steps
, add anavailableSecrets
field to specify the secret version and the environment variable to use for the GitHub token. - Add a build step to invoke the command to create a GitHub pull request.
- After all the build
- Create a GitHub app trigger and use the build config file to invoke the trigger.
The following example config file shows how to create a GitHub pull request using the GitHub token:
YAML
steps: - name: 'launcher.gcr.io/google/ubuntu1604' id: Create GitHub pull request entrypoint: bash args: - -c - curl -X POST -H "Authorization:Bearer $$GH_TOKEN" -H 'Accept:application/vnd.github.v3+json' https://api.github.com/repos/GITHUB_USERNAME/REPO_NAME/pulls -d '{"head":"HEAD_BRANCH","base":"BASE_BRANCH", "title":"NEW_PR"}' secretEnv: ['GH_TOKEN'] availableSecrets: secretManager: - versionName: projects/PROJECT_ID/secrets/GH_TOKEN_SECRET_NAME/versions/latest env: GH_TOKEN
的环境变量JSON
{ "steps": [ { "name": "launcher.gcr.io/google/ubuntu1604", "id": "Create GitHub pull request", "entrypoint": "bash", "args": [ "-c", "curl -X POST -H \"Authorization:Bearer $$GH_TOKEN\" -H 'Accept:application/vnd.github.v3+json' https://api.github.com/repos/GITHUB_USERNAME/REPO_NAME -d '{\"head\":\"HEAD_BRANCH\",\"base\":\"BASE_BRANCH\", \"title\":\"NEW_PR\"}' ], "secretEnv": ['GH_TOKEN'] } ], "availableSecrets": { "secretManager": [ { "versionName": "projects/PROJECT_ID/secrets/GH_TOKEN_SECRET_NAME/versions/latest", "env": "GH_TOKEN" } ] } }
将上述命令中的占位值替换为以下内容:
PROJECT_ID
:Google Cloud 项目的 ID 您存储 Secret 的位置。GITHUB_USERNAME
:代码库所有者的 GitHub 用户名。REPO_NAME
:GitHub 代码库的名称。HEAD_BRANCH
:在其中实现更改的分支的名称。对于同一网络中的跨代码库拉取请求,具有用户的命名空间head
如下所示:username:branch
。BASE_BRANCH
:您希望将更改拉取到其中的分支的名称。此分支应该是当前代码库中的现有分支。您无法将拉取请求提交到一个请求与另一个代码库合并的代码库。GH_TOKEN_SECRET_NAME
:与您的 GitHub 令牌对应的 Secret 名称。NEW_PR
:您要创建的新拉取请求。
配置构建以从 Secret Manager 访问非 UTF-8 Secret
在构建配置文件中,添加构建步骤以访问 Secret Manager 中的密钥版本并将其存储在文件中。执行以下构建步骤可访问 secret-name 并将其存储在名为 decrypted-data.txt 的文件中:
YAML
steps: - name: gcr.io/cloud-builders/gcloud entrypoint: 'bash' args: [ '-c', "gcloud secrets versions access latest --secret=secret-name --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-data.txt" ]
JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/gcloud", "entrypoint": "bash", "args": [ "-c", "gcloud secrets versions access latest --secret=secret-name --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-data.txt" ] } ] }
在构建步骤中使用包含解密后数据的文件。以下代码段使用 decrypted-data.txt 登录到私有 Docker 注册表:
YAML
steps: - name: gcr.io/cloud-builders/gcloud entrypoint: 'bash' args: [ '-c', "gcloud secrets versions access latest --secret=secret-name --format='get(payload.data)' | tr '_-' '/+' | base64 -d > decrypted-data.txt" ] - name: gcr.io/cloud-builders/docker entrypoint: 'bash' args: [ '-c', 'docker login --username=my-user --password-stdin < decrypted-data.txt']
JSON
{ "steps": [ { "name": "gcr.io/cloud-builders/gcloud", "entrypoint": "bash", "args": [ "-c", "gcloud secrets versions access latest --secret=secret-name --format='get(payload.data)' | tr '_-' '/+' | base64 -d > password.txt" ] }, { "name": "gcr.io/cloud-builders/docker", "entrypoint": "bash", "args": [ "-c", "docker login --username=my-user --password-stdin < decrypted-data.txt" ] } ] }
使用构建配置文件通过命令行启动构建或通过触发器自动执行构建。
后续步骤
- 了解如何在构建中使用加密凭据。
- 了解如何访问私有 GitHub 代码库。
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2024-10-01。