This is the preferred way to manage secrets for files, rather than cr_buildstep_decrypt, as it stores the encrypted file in the cloud rather than in your project workspace. For single environment values, cr_build_yaml_secrets may be more suitable.

cr_buildstep_secret(
  secret,
  decrypted,
  version = "latest",
  binary_mode = FALSE,
  ...
)

Arguments

secret

The secret data name in Secret Manager

decrypted

The name of the file the secret will be decrypted into

version

The version of the secret

binary_mode

Should the file be treated in binary/raw format?

...

Other arguments sent to cr_buildstep_bash

Details

This is for downloading encrypted files from Google Secret Manager. You will need to add the Secret Accessor Cloud IAM role to the Cloud Build service account to use it. Once you have uploaded your secret file and named it, it is available for Cloud Build to use.

Examples

cr_buildstep_secret("my_secret", decrypted = "/workspace/secret.json")
#> [[1]]
#> ==cloudRunnerBuildStep==
#> name: gcr.io/cloud-builders/gcloud
#> entrypoint: bash
#> args:
#> - -c
#> - gcloud secrets versions access latest --secret=my_secret  > /workspace/secret.json
#>