I needed to read a secret stored in Google Cloud Secrets in a Docker build that is managed by the Kaniko project.
Already that's like too many moving parts but whatever.
It's fairly simple if you know the proper syntax and config, which varies slightly between plain Docker and Kaniko, but:
Assuming you have a secret SENTRY_AUTH_TOKEN in the GCP Secret Manager service, you can make it available in your Cloud Build environment with:
availableSecrets:
  secretManager:
  - versionName: projects/000000000000/secrets/SENTRY_AUTH_TOKEN/versions/latest
    env: SENTRY_AUTH_TOKEN
You'll also need to grant your Cloud Build service account permission to access that secret.
Then in the Kaniko step of your Cloud Build config:
steps:
- name: 'gcr.io/kaniko-project/executor:v1.9.0'
  args:
  - '--destination=$_IMAGE_NAME:$COMMIT_SHA'
  - '--cache=true'
  - '--cache-ttl=48h'
  - '--dockerfile=$_DOCKERFILE_NAME'
  - '--log-timestamp=true'
  - '--build-arg=SENTRY_AUTH_TOKEN' # 👈 pass the exposed secret in as `SENTRY_AUTH_TOKEN` via a docker build argument
  secretEnv:
  - SENTRY_AUTH_TOKEN # 👈 explicitly make the secret available for this build step
Lastly, your Dockerfile will need to read the argument:
ARG SENTRY_AUTH_TOKEN
ENV SENTRY_AUTH_TOKEN ${SENTRY_AUTH_TOKEN}

Other notes:
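The three pieces above (availableSecrets, the step's secretEnv plus --build-arg, and the Dockerfile's ARG/ENV) have to agree by name, and a mismatch fails silently as an empty token rather than loudly. Here is an added lint script, not code from the post or from the Kaniko project, that checks that wiring. The config is embedded as a Python dict (constructed to mirror the YAML above, plus a deliberately broken second step) so it runs without PyYAML; in practice you would feed it yaml.safe_load() of your cloudbuild.yaml. It also flags one thing the Dockerfile above does: promoting the ARG to an ENV stores the value in the image config, so it ships with the image and is visible through docker inspect or docker history, whereas a plain ARG only exists during the build.

```python
"""Lint Cloud Build + Kaniko secret wiring (added example, not the post's code)."""
import re
from typing import Dict, List, Set

# Constructed sample mirroring the post's cloudbuild.yaml. Step 1 is a
# deliberately broken extra step: it references an undeclared secret and
# pastes a literal value into a build arg.
SAMPLE_CONFIG = {
    "availableSecrets": {
        "secretManager": [
            {
                "versionName": "projects/000000000000/secrets/SENTRY_AUTH_TOKEN/versions/latest",
                "env": "SENTRY_AUTH_TOKEN",
            }
        ]
    },
    "steps": [
        {
            "name": "gcr.io/kaniko-project/executor:v1.9.0",
            "args": [
                "--destination=$_IMAGE_NAME:$COMMIT_SHA",
                "--build-arg=SENTRY_AUTH_TOKEN",
            ],
            "secretEnv": ["SENTRY_AUTH_TOKEN"],
        },
        {
            "name": "gcr.io/kaniko-project/executor:v1.9.0",
            "args": ["--build-arg=OTHER_TOKEN", "--build-arg=SENTRY_AUTH_TOKEN=hunter2"],
            "secretEnv": ["OTHER_TOKEN"],
        },
    ],
}

# Constructed Dockerfile matching the post's two lines.
SAMPLE_DOCKERFILE = "ARG SENTRY_AUTH_TOKEN\nENV SENTRY_AUTH_TOKEN ${SENTRY_AUTH_TOKEN}\n"

# --build-arg=NAME (value taken from the environment) or --build-arg=NAME=value
BUILD_ARG_RE = re.compile(r"^--build-arg=([A-Za-z_][A-Za-z0-9_]*)(=(.*))?$")


def declared_secret_envs(config: Dict) -> Set[str]:
    """Env names that availableSecrets.secretManager exposes to build steps."""
    entries = config.get("availableSecrets", {}).get("secretManager", [])
    return {e["env"] for e in entries if "env" in e}


def check_secret_wiring(config: Dict) -> List[str]:
    """Return findings about secret wiring; an empty list means it is consistent."""
    findings: List[str] = []
    declared = declared_secret_envs(config)
    for idx, step in enumerate(config.get("steps", [])):
        step_secrets = set(step.get("secretEnv", []))
        # 1. Every secretEnv entry must be declared under availableSecrets.
        for name in sorted(step_secrets - declared):
            findings.append(f"step {idx}: secretEnv {name} is not declared in availableSecrets")
        for arg in step.get("args", []):
            m = BUILD_ARG_RE.match(arg)
            if not m:
                continue
            name, has_value = m.group(1), m.group(2) is not None
            # 2. A bare --build-arg=NAME is resolved from the step's environment
            #    (as the post relies on), so NAME must also be in secretEnv.
            if not has_value and name in declared and name not in step_secrets:
                findings.append(f"step {idx}: --build-arg={name} but {name} is missing from secretEnv")
            # 3. --build-arg=NAME=value for a declared secret name means the
            #    secret value is hard-coded in the build config.
            if has_value and name in declared:
                findings.append(f"step {idx}: --build-arg={name}=... hard-codes a secret value")
    return findings


def secrets_persisted_by_env(dockerfile: str, secret_args: Set[str]) -> List[str]:
    """Secret ARG names the Dockerfile promotes to ENV. ENV values are written into
    the image config and therefore ship with the image; a plain ARG does not."""
    persisted: List[str] = []
    for line in dockerfile.splitlines():
        m = re.match(r"^\s*ENV\s+([A-Za-z_][A-Za-z0-9_]*)[ =]", line)
        if m and m.group(1) in secret_args:
            persisted.append(m.group(1))
    return persisted


if __name__ == "__main__":
    for finding in check_secret_wiring(SAMPLE_CONFIG):
        print("WIRING:", finding)
    for name in secrets_persisted_by_env(SAMPLE_DOCKERFILE, declared_secret_envs(SAMPLE_CONFIG)):
        print(f"IMAGE: {name} is promoted to ENV and will persist in the image config")
```

Run it against your own files by replacing the two constructed samples with yaml.safe_load() of cloudbuild.yaml and the text of the Dockerfile; the wiring checks are pure name comparisons, so they need no GCP credentials.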