This is the preferred way to manage secrets for files, rather than cr_buildstep_decrypt, as it stores the encrypted file in the cloud rather than in your project workspace. For single environment values, cr_build_yaml_secrets may be more suitable.
cr_buildstep_secret(secret, decrypted, version = "latest", ...)
| secret | The secret data name in Secret Manager |
|---|---|
| decrypted | The name of the file the secret will be decrypted into |
| version | The version of the secret |
| ... | Other arguments sent to cr_buildstep_bash |
This is for downloading encrypted files from Google Secret Manager. You will need to add the Secret Accessor Cloud IAM role to the Cloud Build service account to use it. Once you have uploaded your secret file and named it, it is available for Cloud Build to use.
How to set up secrets using Secret Manager
cr_build_yaml_secrets let you directly support environment arguments in the buildsteps
Other Cloud Buildsteps:
cr_buildstep_bash(),
cr_buildstep_decrypt(),
cr_buildstep_df(),
cr_buildstep_docker(),
cr_buildstep_edit(),
cr_buildstep_extract(),
cr_buildstep_gcloud(),
cr_buildstep_gitsetup(),
cr_buildstep_mailgun(),
cr_buildstep_nginx_setup(),
cr_buildstep_pkgdown(),
cr_buildstep_run(),
cr_buildstep_r(),
cr_buildstep_slack(),
cr_buildstep()
cr_buildstep_secret("my_secret", decrypted = "/workspace/secret.json")#> [[1]] #> ==cloudRunnerBuildStep== #> name: gcr.io/cloud-builders/gcloud #> entrypoint: bash #> args: #> - -c #> - gcloud secrets versions access latest --secret=my_secret > /workspace/secret.json #>