This is the preferred way to manage secrets, rather than cr_buildstep_decrypt, as it stores the encrypted file in the cloud rather than in your project workspace.
cr_buildstep_secret(secret, decrypted, version = "latest", ...)
| secret | The secret data name in Secret Manager |
|---|---|
| decrypted | The name of the file the secret will be decrypted into |
| version | The version of the secret |
| ... | Other arguments sent to cr_buildstep_bash |
This is for downloading encrypted files from Google Secret Manager. You will need to add the Secret Accessor Cloud IAM role to the Cloud Build service account to use it. Once you have uploaded your secret file and named it, it is available for Cloud Build to use.
How to set up secrets using Secret Manager
Other Cloud Buildsteps:
cr_buildstep_bash(),
cr_buildstep_decrypt(),
cr_buildstep_df(),
cr_buildstep_docker(),
cr_buildstep_edit(),
cr_buildstep_extract(),
cr_buildstep_gcloud(),
cr_buildstep_gitsetup(),
cr_buildstep_mailgun(),
cr_buildstep_nginx_setup(),
cr_buildstep_pkgdown(),
cr_buildstep_run(),
cr_buildstep_r(),
cr_buildstep_slack(),
cr_buildstep()
cr_buildstep_secret("my_secret", decrypted = "/workspace/secret.json")#> [[1]] #> ==cloudRunnerBuildStep== #> name: gcr.io/cloud-builders/gcloud #> entrypoint: bash #> args: #> - -c #> - gcloud secrets versions access latest --secret=my_secret > /workspace/secret.json #>