Tags: docker, google-cloud-platform, environment-variables, google-cloud-run

How to access cloud run environment variables in Dockerfile


I have built a containerised python application which runs without issue locally using a .env file and a docker-compose.yml file compiled with compose build.

I am then able to use variables within the Dockerfile like this.

ARG APP_USR
ENV APP_USR ${APP_USR}

ARG APP_PASS
ENV APP_PASS ${APP_PASS}

RUN pip install https://${APP_USR}:${APP_PASS}@github.org/*****/master.zip

I am deploying to Cloud Run via a synced Bitbucket repository, and have defined them under "REVISIONS" > "SECRETS AND VARIABLES" (as described here: https://cloud.google.com/run/docs/configuring/environment-variables), but I cannot work out how to access these variables in the Dockerfile during build.

As I understand it, I need to create a cloudbuild.yaml file to define the variables, but I haven't been able to find a clear example of how to set this up using the Environment variables defined in cloud run.


Solution

  • My understanding is that it is not possible to directly use a Cloud Run revision's environment variables in the Dockerfile because the build is managed by Cloud Build, which doesn't know about Cloud Run revision before the deployment.

    But I was able to use Secret Manager's secrets in the Dockerfile.

    Sources:

    Quick summary:

    In your case, for APP_USR and APP_PASS:

    1. Grant the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) IAM role for the secret to the Cloud Build service account (see first source).

    2. Add an availableSecrets block at the end of the cloudbuild.yaml file (outside the steps block):

    availableSecrets:
      secretManager:
      - versionName: <APP_USR_SECRET_RESOURCE_ID_WITH_VERSION>
        env: 'APP_USR'
      - versionName: <APP_PASS_SECRET_RESOURCE_ID_WITH_VERSION>
        env: 'APP_PASS'
    
    3. Pass the secrets to your build step (this depends on how you summon docker build; Google's documentation uses 'bash', I use Docker directly):
      - id: Build
        name: gcr.io/cloud-builders/docker
        args:
          - build
          - '-f=Dockerfile'
          - '.'
    
          # Add these two `--build-arg` params:
    
          - '--build-arg'
          - 'APP_USR=$$APP_USR'
    
          - '--build-arg'
          - 'APP_PASS=$$APP_PASS'
    
        secretEnv: ['APP_USR', 'APP_PASS'] # <=== add this line
    
    4. Use these secrets as standard environment variables in your Dockerfile:
    ARG APP_USR
    ENV APP_USR=$APP_USR
    
    ARG APP_PASS
    ENV APP_PASS=$APP_PASS
    
    RUN pip install https://$APP_USR:$APP_PASS@github.org/*****/master.zip
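
Added example (not part of the original answer): values passed with `--build-arg` and copied into `ENV` are stored in the image configuration and build history, so anyone who can pull the image can read them. The Dockerfile below uses BuildKit secret mounts for the same `pip install` instead. The base image, the secret ids `app_usr` / `app_pass`, and BuildKit support in the Cloud Build docker builder are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the original answer.
# Assumptions: base image, secret ids (app_usr, app_pass), BuildKit available.
FROM python:3.12-slim

# No ARG/ENV for the credentials: nothing about them is written to the image
# configuration, so `docker history` and `docker inspect` do not reveal them.
#
# Each secret is mounted as a file under /run/secrets/<id> for the duration of
# this single RUN instruction only and is not committed to the resulting layer.
RUN --mount=type=secret,id=app_usr \
    --mount=type=secret,id=app_pass \
    pip install --no-cache-dir \
      "https://$(cat /run/secrets/app_usr):$(cat /run/secrets/app_pass)@github.org/*****/master.zip"

# Local build, reading each secret from an environment variable of the
# docker client process:
#
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=app_usr,env=APP_USR \
#     --secret id=app_pass,env=APP_PASS \
#     -f Dockerfile .
#
# Cloud Build step (keep the availableSecrets block and secretEnv from the
# answer above; replace the two --build-arg pairs):
#
#   - id: Build
#     name: gcr.io/cloud-builders/docker
#     env: ['DOCKER_BUILDKIT=1']
#     secretEnv: ['APP_USR', 'APP_PASS']
#     args:
#       - build
#       - '-f=Dockerfile'
#       - '--secret'
#       - 'id=app_usr,env=APP_USR'
#       - '--secret'
#       - 'id=app_pass,env=APP_PASS'
#       - '.'
```

Because `env=APP_USR` names the variable rather than expanding it, the docker client reads the value from the step's environment itself, and no shell is needed in the build step.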