Managing Secrets with KMS and Google Cloudbuild

CipherZ
Feb 4 · 4 min read
Source: Google Cloud

Setup

git clone git@github.com:cipherzzz/ts-cloudbuild-secrets-example.git

Secrets management using Google KMS

Keyring/Keys

# If we do not have a keyring
gcloud kms keyrings create vmi-integration-secrets --location global
# If we already had a keyring or just created one, take a look at what keys are on it
gcloud kms keys list --location global --keyring vmi-integration-secrets
# To add a key - one per application
gcloud kms keys create vertigo-js-node-api --location global --keyring vmi-integration-secrets --purpose encryption
# Verify that your keyring has the keys you expect
gcloud kms keys list --location global --keyring vmi-integration-secrets

Encrypting Secrets

# Create a local file with the secret
echo "MyRedisPassword1234" > redis_pw.txt
# To encrypt a secret using KMS
gcloud kms encrypt \
--plaintext-file=redis_pw.txt \
--ciphertext-file=redis_pw.enc.txt \
--location=global \
--keyring=vmi-integration-secrets \
--key=vertigo-js-node-api
# Encode the binary encoded secret as base64 string
base64 redis_pw.enc.txt -w 0 > redis_pw.enc.64.txt

Decrypting the Secrets

Cloudbuild

steps:
# Building image
# Note: You need a shell to resolve environment variables with $$
- name: 'gcr.io/cloud-builders/docker'
  entrypoint: 'bash'
  args: [
    '-c',
    'docker build -t gcr.io/$PROJECT_ID/appengine/ts-cloudbuild-secrets-example:latest -f Dockerfile --build-arg REDIS_PASS=$$REDIS_PW .'
  ]
  secretEnv: ['REDIS_PW']
# Push Images
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/$PROJECT_ID/appengine/ts-cloudbuild-secrets-example:latest']
# Deploy to GAE
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - 'app'
  - 'deploy'
  - 'app.yaml'
  - '--image-url'
  - 'gcr.io/$PROJECT_ID/appengine/ts-cloudbuild-secrets-example:latest'
secrets:
- kmsKeyName: projects/vmi-integration/locations/global/keyRings/vmi-integration-secrets/cryptoKeys/vertigo-js-node-api
  secretEnv:
    REDIS_PW: CiQAkmpYKP7L1ELHIrdvp/J43k1w6EN/l4wgVZnBMMhbEr/dFxYSPQBMN3wJgwxNRTNmNpaif4rSOSHKy7gHTamaxsxo3la2qCLJfVSHz8jUA4jERssiMZAeKhHvfp5LBTDvjxk=
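The encoding step in "Encrypting Secrets" and the kmsKeyName/secretEnv entries in cloudbuild.yaml have to agree: Cloud Build decrypts the base64 blob with exactly the key named in kmsKeyName, so an encrypt run against a different keyring or key, or a base64 string that picked up a line break, only surfaces as a failed decrypt at build time. The shell functions below are an added example (not part of the original post or the cipherzzz repository): they build the key resource name from the same project/location/keyring/key values passed to gcloud kms encrypt, encode the ciphertext on a single line portably (GNU base64 accepts -w 0, the macOS base64 does not), and verify that the encoded string decodes back to the exact ciphertext bytes. The project id vmi-integration is taken from the kmsKeyName above; the function names are my own, and the gcloud calls are only referenced in comments so the checks run offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks for a
# KMS-encrypted secret before it is pasted into cloudbuild.yaml.
# Run after: gcloud kms encrypt --plaintext-file=redis_pw.txt \
#              --ciphertext-file=redis_pw.enc.txt --location=global \
#              --keyring=vmi-integration-secrets --key=vertigo-js-node-api

# Build the full KMS key resource name that Cloud Build expects in kmsKeyName.
# It must name the same keyring/key that 'gcloud kms encrypt' was run with,
# otherwise the build step cannot decrypt secretEnv.
kms_key_name() {
  local project="$1" location="$2" keyring="$3" key="$4"
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$project" "$location" "$keyring" "$key"
}

# Encode a ciphertext file as a single-line base64 string. GNU base64 accepts
# -w 0; macOS/BSD base64 does not, so strip newlines with tr instead.
encode_ciphertext() {
  base64 < "$1" | tr -d '\n'
}

# Check that a secretEnv value is well-formed base64 that decodes to a
# non-empty ciphertext. Returns 0 on success, 1 otherwise.
check_secret_b64() {
  local value="$1"
  local decoded_len
  decoded_len=$(printf '%s' "$value" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ -n "$decoded_len" ] && [ "$decoded_len" -gt 0 ]
}

# Round trip: encode the ciphertext file, then confirm the encoded blob decodes
# back to byte-identical ciphertext. Returns 0 when the two match.
# Usage: verify_encoded_secret redis_pw.enc.txt redis_pw.enc.64.txt
verify_encoded_secret() {
  local enc_file="$1" b64_file="$2" tmp rc
  encode_ciphertext "$enc_file" > "$b64_file"
  tmp=$(mktemp)
  base64 -d < "$b64_file" > "$tmp"
  cmp -s "$enc_file" "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Example invocation (constructed values; the project id comes from the
# kmsKeyName used in cloudbuild.yaml above):
# kms_key_name vmi-integration global vmi-integration-secrets vertigo-js-node-api
```

Paste the output of kms_key_name into kmsKeyName and the contents of the .64.txt file into secretEnv; if check_secret_b64 fails on the pasted value, the usual cause is a wrapped base64 line or a missing trailing character.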

Dockerfile

FROM node:8 as native-build
COPY . .
RUN npm install
RUN npm run build
FROM node:carbon-alpine
ARG REDIS_PASS
ENV REDIS_PW=${REDIS_PASS}
WORKDIR /home/node/app
COPY --from=native-build /dist dist/
COPY --from=native-build /package.json .
COPY --from=native-build /node_modules node_modules/
EXPOSE 8080
USER node
CMD ["npm", "start"]
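One thing a reviewer would flag in this Dockerfile: ENV REDIS_PW=${REDIS_PASS} copies the build argument into the image configuration, so the decrypted password is stored in every image pushed to gcr.io and can be read back by anyone able to pull the image (docker inspect shows it, and docker history shows the ARG and ENV instructions). Supplying the value at deploy or run time instead of baking it into the image avoids that exposure. The shell check below is an added example, not code from the original post or repository: it scans a Dockerfile for ENV lines that reference a declared ARG and prints them. The Dockerfile text in the test is constructed from the lines above; the function name is my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag Dockerfile ENV lines that
# copy a build ARG into the image environment. An ENV value is persisted in
# the image config, so it is readable by anyone who can pull the image.
# Prints the offending lines and returns 1 if any are found, 0 otherwise.
find_arg_to_env_leaks() {
  local dockerfile="$1" found=0 arg
  # Collect every ARG name declared in the Dockerfile (-E works in GNU and BSD sed).
  for arg in $(sed -n -E 's/^ARG[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/p' "$dockerfile"); do
    # Match ENV lines that expand the ARG as $NAME or ${NAME}.
    if grep -E '^ENV[[:space:]].*\$\{?'"$arg"'\}?' "$dockerfile"; then
      found=1
    fi
  done
  return $found
}

# Example invocation against the project's Dockerfile:
# find_arg_to_env_leaks Dockerfile || echo "secret build arg is baked into the image"
```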

Typescript

// Shape of the response returned to the caller
interface Payload {
  message: string;
}

// Demo check: compares the password injected at build time with the known test value
export function checkSecret(): Payload {
  const message = process.env.REDIS_PW === 'MyRedisPassword1234' ? 'Secret Correct' : 'Secret Wrong';
  return { message };
}

Deployment

cloud-build-local --config=cloudbuild.yaml --dryrun=false .

Google Cloud Platform - Community

A collection of technical articles published or curated by Google Cloud Platform Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.
