docker google-cloud-platform environment-variables google-cloud-run

How to access cloud run environment variables in Dockerfile

I have built a containerised python application which runs without issue locally using a .env file and and a docker-compose.yml file compiled with compose build.

I am then able to use variables within the Dockerfile like this.

ARG APP_USR
ENV APP_USR ${APP_USR}

ARG APP_PASS
ENV APP_PASS ${APP__PASS}

RUN pip install https://${APP_USR}:${APP_PASS}@github.org/*****/master.zip

I am deploying to cloud run via a synced bitbucket repository, and have defined under "REVISIONS" > "SECRETS AND VARIABLES",(as described here: https://cloud.google.com/run/docs/configuring/environment-variables) but I can not work out how to access these variables in the Dockerfile during build.

As I understand it, I need to create a cloudbuild.yaml file to define the variables, but I haven't been able to find a clear example of how to set this up using the Environment variables defined in cloud run.

Solution

My understanding is that it is not possible to directly use a Cloud Run revision's environment variables in the Dockerfile because the build is managed by Cloud Build, which doesn't know about Cloud Run revision before the deployment.

But I was able to use Secret Manager's secrets in the Dockerfile.

Sources:

Passing secrets from Secret Manager to cloudbuild.yaml: https://cloud.google.com/build/docs/securing-builds/use-secrets
Passing an environment variable from cloudbuild.yaml to Dockerfile: https://vsupalov.com/docker-build-pass-environment-variables/

Quick summary:

In your case, for APP_USR and APP_PASS:

Grant the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) IAM role for the secret to the Cloud Build service account (see first source).
Add an availableSecrets block at the end of the cloudbuild.yaml file (out of the steps block):

availableSecrets:
  secretManager:
  - versionName: <APP_USR_SECRET_RESOURCE_ID_WITH_VERSION>
    env: 'APP_USR'
  - versionName: <APP_PASS_SECRET_RESOURCE_ID_WITH_VERSION>
    env: 'APP_PASS'

Pass the secrets to your build step (depends on how you summon docker build, Google's documentation uses 'bash', I use Docker directly):

  - id: Build
    name: gcr.io/cloud-builders/docker
    args:
      - build
      - '-f=Dockerfile'
      - '.'

      # Add these two `--build-arg` params:

      - '--build-arg'
      - 'APP_USR=$$APP_USR'

      - '--build-arg'
      - 'APP_PASS=$$APP_PASS'

    secretEnv: ['APP_USR', 'APP_PASS'] # <=== add this line

Use these secrets as standard environment variables in your Dockerfile:

ARG APP_USR
ENV APP_USR=$APP_USR

ARG APP_PASS
ENV APP_PASS=$APP_PASS

RUN pip install https://$APP_USR:$APP_PASS@github.org/*****/master.zip