This guide assumes you have followed the setup instructions in the README. Specifically, it is assumed that you have created a project, Cloud Storage bucket, and Cloud KMS key.
At present, Cloud Build does not have a way to share environment variables across processes. All Berglas references must resolve to the filesystem and use a shared volume mount to pass along secrets.
- Make sure you are in the `examples/cloudbuild` folder before continuing!

- Enable the Cloud Build service:

  ```shell
  gcloud services enable --project $PROJECT_ID \
    cloudbuild.googleapis.com
  ```

- Export the environment variables for your configuration:

  ```shell
  export PROJECT_ID=my-project
  export BUCKET_ID=my-bucket
  export KMS_KEY=projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key
  ```

- Create two secrets using the `berglas` CLI (see README for installation instructions):

  ```shell
  berglas create ${BUCKET_ID}/api-key "xxx-yyy-zzz" \
    --key ${KMS_KEY}

  berglas create ${BUCKET_ID}/tls-key "=== BEGIN RSA PRIVATE KEY..." \
    --key ${KMS_KEY}
  ```

- Get the Cloud Build service account email:

  ```shell
  PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)')
  export SA_EMAIL=${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com
  ```

- Grant the service account access to the secrets:

  ```shell
  berglas grant ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
  berglas grant ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
  ```

- Build a container using Cloud Build and publish it to Container Registry:

  ```shell
  gcloud builds submit \
    --project ${PROJECT_ID} \
    --substitutions=_BUCKET_ID=${BUCKET_ID} \
    .
  ```

- (Optional) Revoke access to the secrets:

  ```shell
  berglas revoke ${BUCKET_ID}/api-key --member serviceAccount:${SA_EMAIL}
  berglas revoke ${BUCKET_ID}/tls-key --member serviceAccount:${SA_EMAIL}
  ```
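The build submitted above reads a `cloudbuild.yaml` in this folder; the shared-volume pattern described at the top of this guide is what that file has to implement. The following is an added illustration of that pattern, not the example's own `cloudbuild.yaml`: a first step runs the `gcr.io/berglas/berglas` builder to resolve each `berglas://` reference to a file on a named volume, and a later step reads the files from the same volume. The `?destination=` reference option, the `berglas exec --local` invocation and the builder image name are assumed to behave as documented for Berglas; the volume name `secrets` and the step ids are arbitrary choices. `${_BUCKET_ID}` is the substitution passed by `gcloud builds submit --substitutions`.

```yaml
# Added example (not the project's own file). Assumptions: the
# gcr.io/berglas/berglas builder image, the ?destination= reference option
# and `berglas exec --local` work as in the Berglas docs; the volume name
# "secrets" is arbitrary.
steps:
  # Step 1: resolve the Berglas references to files. Cloud Build does not
  # share environment variables between steps, so each secret is written to
  # the "secrets" volume instead of being exported into the environment.
  - name: 'gcr.io/berglas/berglas'
    id: 'fetch-secrets'
    env:
      - 'API_KEY=berglas://${_BUCKET_ID}/api-key?destination=/secrets/api-key'
      - 'TLS_KEY=berglas://${_BUCKET_ID}/tls-key?destination=/secrets/tls-key'
    args: ['exec', '--local', '--', '/bin/sh', '-c', 'echo "secrets resolved"']
    volumes:
      - name: 'secrets'
        path: '/secrets'

  # Step 2: a consumer that mounts the same volume. It only checks that the
  # files exist and are non-empty; it never prints their contents, because
  # step output is retained in the build logs.
  - name: 'alpine'
    id: 'use-secrets'
    args:
      - 'sh'
      - '-c'
      - |
        set -e
        test -s /secrets/api-key
        test -s /secrets/tls-key
        echo "both secret files are present"
    volumes:
      - name: 'secrets'
        path: '/secrets'
```

Every step that needs a secret mounts the volume explicitly; steps without the `volumes` entry never see `/secrets`, which keeps the set of readers small. The volume lives only for the duration of the build, so a Dockerfile built in a later step must not `COPY` from `/secrets`, or the secret would be baked into a published image layer.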