Cloudbuild Bug: Substitutions don't work in secrets key and secretEnv key array doesn't accept substitutions


Govind Rai

Jun 20, 2019, 8:37:52 PM
to Google Cloud Developers

steps:
- name: 'gcr.io/cloud-builders/npm'
  args: ['run', 'configure']
  env: ['ENVIRONMENT=${_ENVIRONMENT}']
  secretEnv: ['SERVICE_ACCOUNT_CREDENTIALS', 'FIREBASE_CLIENT_SECRET', 'POSTGRES_PASSWORD']
timeout: '900s'
substitutions:
  _ENVIRONMENT: 'integration'
  _APP_ENGINE_PROJECT_ID: '$PROJECT_ID'
  _APP_ENGINE_REGION: 'INTEGRATION ENVIRONMENT APP ENGINE REGION'
  _FIREBASE_PROJECT_ID: 'INTEGRATION ENVIRONMENT FIREBASE PROJECT ID (SHOULD BE EVENTUALLY SAME AS APP ENGINE PROJECT ID)'
  _FIREBASE_CLIENT_SECRET: 'ENCRYPTED INTEGRATION ENVIRONMENT FIREBASE CLIENT SECRET HERE'
  _STATIC_ASSETS_BUCKET_URL: 'INTEGRATION ENVIRONMENT STATIC ASSETS BUCKET URL'
  _SERVICE_ACCOUNT_CREDENTIALS: 'ENCRYPTED INTEGRATION ENVIRONMENT SERVICE ACCOUNT CREDENTIALS'
options:
  substitution_option: 'ALLOW_LOOSE'
  machineType: 'N1_HIGHCPU_32'
secrets:
- kmsKeyName: 'projects/${_APP_ENGINE_PROJECT_ID}/locations/global/keyRings/${_APP_ENGINE_PROJECT_ID}-keyring/cryptoKeys/${_APP_ENGINE_PROJECT_ID}-cryptokey'
  secretEnv:
    FIREBASE_CLIENT_SECRET: '${_FIREBASE_CLIENT_SECRET}' #NOT WORKING
    SERVICE_ACCOUNT_CREDENTIALS: '${_SERVICE_ACCOUNT_CREDENTIALS}' #NOT WORKING
    POSTGRES_PASSWORD: '${_POSTGRES_PASSWORD}' #NOT WORKING


Because substitution is not working as expected I get the following error:

invalid build: failed to check access to "projects/${_APP_ENGINE_PROJECT_ID}/locations/global/keyRings/${_APP_ENGINE_PROJECT_ID}-keyring/cryptoKeys/${_APP_ENGINE_PROJECT_ID}-cryptokey"

I expect substitutions to be a simple 'find and replace' operation that cloudbuild does, replacing values wherever it sees a substitution key. It doesn't seem to be working with all keys.


Also I cannot use substitutions in secrets.secretEnv (see '#NOT WORKING' comments above (last three lines)). 

When trying to use substitutions there I get the following error:

failed unmarshalling build config cloudbuild/cloudbuild-full.yaml: illegal base64 data at input byte 0

That occurs because the parser is expecting Base64 text and "$" and "{" and "}" are not valid base64 characters. However, if substitutions were working correctly, my base64 values specified in my cloudbuild triggers would have been interpolated there and things would work as expected.


Also options.substitution_options with a value of "ALLOW_LOOSE" doesn't work with secretEnvs; Cloudbuild still expects you to use all of the secret envs that you declare which also seems to be not working as expected.
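
The "illegal base64 data at input byte 0" failure described in the post above can be reproduced offline with a pre-submit check. This is an added example, not part of the original thread or Cloud Build's own code; `CheckSecretEnv`, `Finding` and the sample values are hypothetical, and it assumes `secretEnv` values are decoded as standard base64.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"sort"
)

// Matches substitution references such as $PROJECT_ID or ${_NAME}.
var substRef = regexp.MustCompile(`\$\{?[A-Z_][A-Z0-9_]*\}?`)

// Finding records why one secrets.secretEnv value would be rejected.
type Finding struct {
	Name   string
	Reason string
}

// CheckSecretEnv assumes every value must already be literal base64
// ciphertext, and reports the ones that a base64 decoder refuses.
func CheckSecretEnv(secretEnv map[string]string) []Finding {
	var out []Finding
	for name, val := range secretEnv {
		_, err := base64.StdEncoding.DecodeString(val)
		if err == nil {
			continue
		}
		reason := err.Error()
		if substRef.MatchString(val) {
			// '$', '{' and '}' are outside the base64 alphabet.
			reason = "unexpanded substitution: " + reason
		}
		out = append(out, Finding{Name: name, Reason: reason})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	// Constructed sample: one placeholder as in the post, one valid blob.
	cfg := map[string]string{
		"FIREBASE_CLIENT_SECRET": "${_FIREBASE_CLIENT_SECRET}",
		"POSTGRES_PASSWORD":      base64.StdEncoding.EncodeToString([]byte("constructed-ciphertext")),
	}
	for _, f := range CheckSecretEnv(cfg) {
		fmt.Printf("%s: %s\n", f.Name, f.Reason)
	}
}
```

Running such a check before submitting a build catches a placeholder left in a `secretEnv` value without sending the config to the service.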

Nicolas (Google Cloud Platform Support)

Jun 25, 2019, 6:07:40 PM
to Google Cloud Developers

Hi,

Thanks for reporting this.

I would recommend that you open an issue on the issue tracker to report this, as this would be the right channel to reach the Cloud Build engineering team.

Google Groups hosts discussion forums where you're likely to find information like service status updates, release notes and high-level discussions on the platform.

