I’m in the process of migrating my apps from a self-hosted server (without docker, just pure nginx routing and dot runs) to GCP Cloud Run, but I’ve hit a roadblock trying to access secrets from the Secret Manager.
I have added multiple secrets which contain values and are accessible via the Cloud Run IAM principle. I’m using cloudbuild.yaml to setup the pipelines and I’ve got the docker build working with the first couple of apps, but I’m unable to get the secrets flowing.
I setup a test step to ensure that the Cloud Build could at least read the secrets which worked:
steps:
- id: 'Secrets in Pipeline'
name: 'gcr.io/cloud-builders/gcloud'
entrypoint: '/bin/bash'
secretEnv: ['Urls_AuthIssuer']
args:
- '-c'
- |
echo "$$Urls_AuthIssuer"
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/Urls_AuthIssuer/versions/latest
env: 'Urls_AuthIssuer'
However when I try and consume these at build time, the environment variables don’t seem to be accessible to the .NET application:
steps:
- name: 'gcr.io/cloud-builders/docker'
args: ['build','-t', 'gcr.io/$PROJECT_ID/$_IMAGE_NAME', '-f', './WOML.WebAPI/Dockerfile', '.']
# Push the container image to Container Registry
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/$PROJECT_ID/$_IMAGE_NAME']
# Deploy container image to Cloud Run
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
entrypoint: gcloud
args: ['run', 'deploy', '$_SERVICE_NAME', '--image', 'gcr.io/$PROJECT_ID/$_IMAGE_NAME', '--region', '$_DEPLOY_REGION']
secretEnv: [
'Urls_AuthIssuer',
]
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/Urls_AuthIssuer/versions/latest
env: 'Urls_AuthIssuer'
options:
logging: CLOUD_LOGGING_ONLY
images: ['gcr.io/$PROJECT_ID/$_IMAGE_NAME']
My dockerfile is very basic and is currently just a “copy all and run” for simplicity sake – I haven’t tried to do anything clever in there yet to trim things down
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY . ./
RUN ls /src
RUN dotnet restore "WOML.WebAPI/WOML.WebAPI.csproj"
RUN dotnet publish "WOML.WebAPI/WOML.WebAPI.csproj" -c Release -o /app/build
FROM build AS final
EXPOSE 8080
ENTRYPOINT ["dotnet", "/app/build/WOML.WebAPI.dll"]
The build & deploy is successful, however the Cloud Run instance fails errors because it can’t access any of the variables to perform setup. I added some log lines to try and read the variables and they’re all empty.
Am I doing the secretEnv in the right step, or is there a better way to approach this? Should I add a step before the deployment which reads the secrets from Secret Manager and prints them out to an env file which the docker container can read? Most examples I find are small examples which suggest adding a -e variable to the run step for every single variable, which is not sustainable as the apps have many config settings and will only grow.
2
A container is an isolated piece of software. The build also is. I mean, the build process do not know the external environment, variables, binaries and others. It’s isolated, hermetic to the rest of the world!
If you want to push an external data into it, you must do it explicitly. You already provide the path . with your sources, and you also have to provide build args to push your env var.
In addition, event it would be too simple, the secrets in Cloud Build are only available in script mode, not in args mode.
Here, I mean you have to perform something like this
args:
- -c
- |
<your script>
and not
args: [my, script, args]
You can find more detail in an already answered question here