GCP Cloud Build

reading time 5 mins

This guide will show you how to use the Doppler CLI to supply secrets as environment variables for GCP Cloud Build.

Prerequisites

  • You have an existing GCP project and are familiar with Cloud Build and IAM permissions
  • You have enabled the Secret Manager API for your GCP project
  • Experience in using GCP Secret Manager is advantageous but not required

Doppler Service Token Storage

To supply secrets in Cloud Build, the Doppler CLI requires a Service Token and there are two methods for storing this token in GCP:

1. GCP Secret Manager
2. Trigger Substitution Variable

We recommend using Secret Manager for encrypted storage and the ability to use IAM roles to restrict secret access to the Cloud Build service account and authorized users.

In contrast to Secret Manager, Trigger Substitution Variables are visible and editable by anyone that has access to Cloud Build triggers.

GCP Secret Manager

Using GCP Secret Manager to provide secrets for Cloud Build is the most secure storage and access mechanism for the Doppler Service Token.

Create a Service Token to provide read-only access to a specific config, then copy the Service Token value.

Go to the Secret Manager console, then create a new secret in GCP Secret Manager named DOPPLER_TOKEN containing the service token value, then click the CREATE SECRET button.

Now let's give the Cloud Build service account access to the DOPPLER_TOKEN secret and to do this, we need the email belonging to the Cloud Build Service Account (learn more in the Cloud Build access docs).

To find this, head to the IAM console and copy the email address belonging to the Cloud Build Service Account.

Next, head back to the Secret Manager console, click on the DOPPLER_TOKEN secret, and under the PERMISSIONS tab, click the ADD button.

Paste in the Cloud Build Service Account email address, and select the Secret Manager Secret Accessor IAM role, then click the SAVE button.

Now that Cloud Build can access the DOPPLER_TOKEN secret, the next step is to create or modify your Cloud Build file to:

  1. Install the Doppler CLI
  2. Fetch the DOPPLER_TOKEN secret using the availableSecrets definition
  3. Populate the DOPPLER_TOKEN environment variable using the secretEnv field
  4. Use the Doppler CLI to supply secrets to your build scripts or commands

A complete example could look like the following:

steps:
  - name: ubuntu
    entrypoint: bash
    args:
      - -c
      - apt-get update > /dev/null && 
        apt-get install -y curl gnupg > /dev/null &&
        (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh &&
        doppler run -- ./your-build-script.sh;
    secretEnv: ['DOPPLER_TOKEN']

availableSecrets:
  secretManager:
  - versionName: projects/your-project/secrets/DOPPLER_TOKEN/versions/latest                 
    env: DOPPLER_TOKEN

Trigger Substitution Variable

User-defined Trigger Substitution Variables is the easiest method to set up but don't provide the same level of security compared with GCP Secret Manager.

To use this method, first create a Service Token to provide read-only access to a specific config, then copy the Service Token value.

Now either create or edit an existing Trigger and create a new Substitution variable named _DOPPLER_TOKEN containing the service token value, then click the SAVE button.

Then create or modify your Cloud Build file to:

  1. Install the Doppler CLI
  2. Set the value of the DOPPLER_TOKEN environment variable to the _DOPPLER_TOKEN substitution variable
  3. Use the Doppler CLI to supply secrets to your build scripts or commands.

A complete example could look like the following:

steps:
  - name: ubuntu
    entrypoint: bash
    args:
      - -c
      - apt-get update > /dev/null && 
        apt-get install -y curl gnupg > /dev/null &&
        (curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh || wget -t 3 -qO- https://cli.doppler.com/install.sh) | sh &&
        doppler run -- ./your-build-script.sh;
    env:
      - DOPPLER_TOKEN=$_DOPPLER_TOKEN

πŸ‘

Amazing Work!

Now you know how to use Doppler CLI to supply secrets as environment variables for GCP Cloud Build.


Did this page help you?