Secret environment variables in Cloudbuild (with out files), how?

Question

I am creating a CI/CD pipeline in Cloud Build of a very basic Node.js app with deployment to GCP appengine standard.

None-secret environment variables are stored in app.yaml file. But of course I don't want to put my secrets there. In fact I don't want to put them in any file any where (encrypted or not) since this file will end up on the AppEngine instance and can be "viewed" by a "bad admin". There are many samples out there that suggests to encrypt/decrypt complete files (and some times even code) but I don't want to go down that path.

I am looking for a way to set secret environment variables "in memory" as part of the CI/CD pipeline. Anyone?

I added none secrets in the app.yaml file (env_variables) - works fine Added encrypted secrets into my cloudbuild.yaml file (secrets) - no error Added secretEnv: into a build steps but value don't end up as process.env.[KEY] in app engine

cloudbuild.yaml

steps:
- name: 'gcr.io/cloud-builders/npm'
  args: ['install']
  dir: "appengine/hello-world/standard"
 - name: "gcr.io/cloud-builders/gcloud"
  args: ["app", "deploy", "test-app.yaml"]
  dir: "appengine/hello-world/standard"
  secretEnv: ['API_KEY', 'API_URL']

secrets:
- kmsKeyName: projects/XXXXXXXX/locations/global/keyRings/customintegrations-secrets/cryptoKeys/integration-secrets
  secretEnv:
    API_KEY: XXQAoHgKKoHBKOURrUU2RqU+ki8XyqmTjz+ns+MEWp5Kx3hQBpgSQgATFQ5yRdW4m1TLNqNRIdHIqVJi8tn8jFrtlHIEouOzNDe/ASlOT0ZQBfl9Rf7xlvOHAa667poBq2hEoMNvOclxUQ==
    API_URL: YYQAoHgKKklo08ZsQF+/8M2bmi9nhWEtb6klyY4rNthUhSIhQ8oSQQATFQ5ywKOxaM/TLwGDmvMtCpl/1stXOOK0kgy42yipYbw/J/QZL68bMat1u4H3Hvp/GMbUVIKEb9jwUtN2xvbL

I was hoping that the secretEnv: ['API_KEY', 'API_URL'] would make the decrypted values accessable in code (process.env.API_KEY) in app engine.

Answer 1

Here is a full tutorial on how to securely store env vars in your cloud build (triggers) settings and import them into your app.

Basically there are three steps:

1. Add your env vars to the 'variables' section in one of your build trigger settings

   Screenshot of where to add variables in build triggers

   By convention variables set in the build trigger must begin with an underscore (_)

2. Configure cloudbuild.yaml (on the second step in the code example) to read in variables from your build trigger, set them as env vars, and write all env vars in a local .env file

   Add couldbuild.yaml (below) to your project root directory

steps:
- name: node:10.15.1
  entrypoint: npm
  args: ["install"]
- name: node:10.15.1
  entrypoint: npm
  args: ["run", "create-env"]
  env:
    - 'MY_SECRET_KEY=${_MY_SECRET_KEY}'
- name: "gcr.io/cloud-builders/gcloud"
  args: ["app", "deploy"]
timeout: "1600s"

Add create-env script to package.json

"scripts": {
  "create-env": "printenv > .env"
},

3. Read env vars from .env to your app (config.js)

   Install dotenv package

   npm i dotenv -S

   Add a config.js to your app

// Import all env vars from .env file
require('dotenv').config()

export const MY_SECRET_KEY = process.env.MY_SECRET_KEY

console.log(MY_SECRET_KEY) // => Hello

Done! Now you may deploy your app by triggering the cloud build and your app will have access to the env vars.

Answer 2

Using secrets from Secrets Manager

Your sample would become:

steps:
- name: 'gcr.io/cloud-builders/npm'
  args: ['install']
  dir: "appengine/hello-world/standard"
- name: "gcr.io/cloud-builders/gcloud"
  args: ["app", "deploy", "test-app.yaml"]
  dir: "appengine/hello-world/standard"
  secretEnv: ['API_KEY', 'API_URL']

availableSecrets:
  secretManager:
  - versionName: projects/$PROJECT_ID/secrets/<secret name>/versions/latest
    env: API_KEY 
  - versionName: projects/$PROJECT_ID/secrets/<secret name 2>/versions/latest
    env: API_URL