This is the preferred way to manage secrets, rather than cr_buildstep_decrypt, as it stores the encrypted file in the cloud rather than in your project workspace.

cr_buildstep_secret(secret, decrypted, version = "latest", ...)

Arguments

secret

The secret data name in Secret Manager

decrypted

The name of the file the secret will be decrypted into

version

The version of the secret

...

Other arguments sent to cr_buildstep_bash

Details

This is for downloading encrypted files from Google Secret Manager. You will need to add the Secret Accessor Cloud IAM role to the Cloud Build service account to use it. Once you have uploaded your secret file and named it, it is available for Cloud Build to use.

See also

Examples

cr_buildstep_secret("my_secret", decrypted = "/workspace/secret.json")
#> [[1]] #> ==cloudRunnerBuildStep== #> name: gcr.io/cloud-builders/gcloud #> entrypoint: bash #> args: #> - -c #> - gcloud secrets versions access latest --secret=my_secret > /workspace/secret.json #>