This is the preferred way to manage secrets for files, rather than cr_buildstep_decrypt, as it stores the encrypted file in the cloud rather than in your project workspace. For single environment values, cr_build_yaml_secrets may be more suitable.

cr_buildstep_secret(secret, decrypted, version = "latest", ...)



The secret data name in Secret Manager


The name of the file the secret will be decrypted into


The version of the secret


Other arguments sent to cr_buildstep_bash


This is for downloading encrypted files from Google Secret Manager. You will need to add the Secret Accessor Cloud IAM role to the Cloud Build service account to use it. Once you have uploaded your secret file and named it, it is available for Cloud Build to use.

See also


cr_buildstep_secret("my_secret", decrypted = "/workspace/secret.json")
#> [[1]] #> ==cloudRunnerBuildStep== #> name: #> entrypoint: bash #> args: #> - -c #> - gcloud secrets versions access latest --secret=my_secret > /workspace/secret.json #>