
Secrets in Cloud Build With Kaniko

I needed to read a secret stored in Google Cloud Secret Manager from a Docker build that Cloud Build runs with Kaniko.
That's already a lot of moving parts, but whatever.

It's fairly simple once you know the syntax, which differs slightly between plain Docker and Kaniko.

Assuming you have a secret named SENTRY_AUTH_TOKEN in Secret Manager, you make it available to the Cloud Build run with (the number in `projects/…` is your GCP project number):

```yaml
availableSecrets:
  secretManager:
    - versionName: projects/000000000000/secrets/SENTRY_AUTH_TOKEN/versions/latest
      env: SENTRY_AUTH_TOKEN
```

You'll also need to grant the Cloud Build service account permission to read that secret: the Secret Manager Secret Accessor role (`roles/secretmanager.secretAccessor`), ideally bound on the individual secret rather than on the whole project, so the build can read only the secrets it actually needs.

Then in the Cloud Build step that runs Kaniko:

```yaml
steps:
  - name: 'gcr.io/kaniko-project/executor:v1.9.0'
    args:
      - '--destination=$_IMAGE_NAME:$COMMIT_SHA'
      - '--cache=true'
      - '--cache-ttl=48h'
      - '--dockerfile=$_DOCKERFILE_NAME'
      - '--log-timestamp=true'
      - '--build-arg=SENTRY_AUTH_TOKEN' # 👈 pass the exposed secret in as the `SENTRY_AUTH_TOKEN` build argument (no value: it is read from the step's environment)
    secretEnv:
      - SENTRY_AUTH_TOKEN # 👈 explicitly expose the secret to this build step as an environment variable
```

Lastly, your Dockerfile needs to declare the argument so the value is in scope for the steps that use it:

```dockerfile
ARG SENTRY_AUTH_TOKEN
```

One caveat: build arguments are not a secret-safe channel. Docker records the build args consumed by a RUN instruction in the image history (visible with `docker history --no-trunc`), so check the pushed image's config before assuming the token stayed out of it, and consume the argument only in a builder stage whose layers never reach the final image. Never copy it into an ENV, or it ends up in the image config for good.
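Here is a multi-stage Dockerfile, added as an illustrative example rather than the post's own, that keeps the token confined to a builder stage. It assumes a Node app whose `npm run build` uploads source maps to Sentry; the base image, paths and script names are assumptions, not anything the post specifies.

```dockerfile
# Added example, not the original post's Dockerfile.
# Stage 1: builder. The token is only ever present in this stage, whose
# layers and history are discarded when only the final stage is pushed.
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .

# ARG is stage-scoped: it must be declared after FROM, in the stage that uses it.
# The value arrives from --build-arg=SENTRY_AUTH_TOKEN (read from the step env).
ARG SENTRY_AUTH_TOKEN
# The arg is exported into this RUN's environment, so the build script can use
# it without us ever writing it into an ENV (which would persist in the config).
# Assumed: `npm run build` invokes sentry-cli, which reads SENTRY_AUTH_TOKEN.
RUN npm run build

# Stage 2: runtime image. No ARG here, so nothing about the token is recorded
# in this stage's layers, config or history.
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
CMD ["node", "dist/server.js"]
```

After the build, confirm the final image is clean: pull it and run `docker history --no-trunc <image>` (or inspect the image config's `history` entries with a tool such as `crane config`) and grep for the token value; it should not appear anywhere.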

Other notes: