Tags: google-cloud-platform, google-cloud-build, cloudbuild.yaml

Cloudbuild unable to decrypt using key 404


I am attempting to set up a simple Rails application using GCP Cloudbuild, and am running into an error message that indicates a failure to decrypt a variable due to the KMS key not being found.

Currently, when running the build gcloud builds submit --config cloudbuild.yaml, I get the following error:

ERROR: build step 2 "gcr.io/cloud-builders/docker" failed: Failed to decrypt "DB_PWD" using key "projects/onlydrams/locations/us-central1/keyRings/onlydrams/cryptoKeys/db_pwd_key/cryptoKeyVersions/1": googleapi: got HTTP response code 404 with body: <!DOCTYPE html>

The Google Cloud Build IAM role that is generated from authorizing the API in the account has the following roles assigned to it:

Cloud Build Service Account
Cloud KMS Admin
Cloud KMS CryptoKey Decrypter

The part that is most confusing to me is that if it were a problem with the role assignments and their permissions were missing some role, I would expect a 403 or 401, but in this case it is a 404.

In the cloudbuild.yaml file, under availableSecrets, the kmsKeyName is copied directly from the Cloud Console, but it seems that with the auto-generated link a 404 occurs.

steps:
# Build image with tag 'latest' and pass decrypted Rails DB password as argument
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '--tag', 'gcr.io/onlydrams/onlydrams:latest',
         '--build-arg', 'DB_PWD', '.']
  secretEnv: ['DB_PWD']

# Push new image to Google Cloud Registry
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/onlydrams/onlydrams:latest']

availableSecrets:
  inline:
  - kmsKeyName: projects/onlydrams/locations/us-central1/keyRings/onlydrams/cryptoKeys/db_pwd_key/cryptoKeyVersions/1
    envMap:
      DB_PWD: "CiQAYGWAVuMg5wxnkgWjKH07iWxR+GBD/wYE1YAcgYDa5nAPADwSOQDtVRn4Aj5LAMl5V0YiEnwJ48cd3RqG3lk4MN4IzhUyPIvKIZUtj5uKOVA86VbnzOaPxKNDPFUGIw=="

Is there a particular reason this Cloudbuild run might not have access to, or be unable to find, the key being referenced in the step calling it?


Solution

  • I think it's because you're passing it the key version when it's asking for the key name. Try just using projects/onlydrams/locations/us-central1/keyRings/onlydrams/cryptoKeys/db_pwd_key
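A pre-submit check for this class of mistake, added here as an example and not part of the question or the answer: it classifies each kmsKeyName as a CryptoKey or a CryptoKeyVersion resource name, suggests the parent key when a version was pasted (the fix the answer gives), and confirms that every secretEnv a step requests is defined in some envMap. The config is embedded as an already-parsed dict, constructed to mirror the question's YAML, so no YAML library is required.

```python
import re

# Cloud Build's availableSecrets.inline[].kmsKeyName expects a CryptoKey resource
# name; the question's config pasted a CryptoKeyVersion (trailing /cryptoKeyVersions/N).
CRYPTO_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")
CRYPTO_KEY_VERSION_RE = re.compile(
    r"^(?P<key>projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/\d+$")


def check_kms_key_name(name):
    """Return (status, key): "ok" for a CryptoKey name; "version" when a
    CryptoKeyVersion was given, with key = the parent CryptoKey; else "invalid"."""
    if CRYPTO_KEY_RE.match(name):
        return "ok", name
    m = CRYPTO_KEY_VERSION_RE.match(name)
    if m:
        return "version", m.group("key")
    return "invalid", None


def lint_config(config):
    """Lint a parsed cloudbuild config (dict). Empty result = secrets wiring is sound."""
    findings, defined = [], set()
    inline = (config.get("availableSecrets") or {}).get("inline") or []
    for i, entry in enumerate(inline):
        status, key = check_kms_key_name(str(entry.get("kmsKeyName", "")))
        if status == "version":
            findings.append(f"inline[{i}]: kmsKeyName is a CryptoKeyVersion; use {key}")
        elif status == "invalid":
            findings.append(f"inline[{i}]: kmsKeyName is not a CryptoKey resource name")
        defined.update((entry.get("envMap") or {}).keys())
    # Every secretEnv a step requests must be defined in some envMap.
    for j, step in enumerate(config.get("steps") or []):
        for var in step.get("secretEnv") or []:
            if var not in defined:
                findings.append(f"steps[{j}]: secretEnv {var!r} has no envMap entry")
    return findings


# Constructed sample mirroring the question's config (ciphertext shortened).
SAMPLE_CONFIG = {
    "steps": [{"name": "gcr.io/cloud-builders/docker", "secretEnv": ["DB_PWD"]},
              {"name": "gcr.io/cloud-builders/docker"}],
    "availableSecrets": {"inline": [{
        "kmsKeyName": "projects/onlydrams/locations/us-central1/keyRings/onlydrams"
                      "/cryptoKeys/db_pwd_key/cryptoKeyVersions/1",
        "envMap": {"DB_PWD": "CiQA...Iw=="}}]},
}
```

Running lint_config(SAMPLE_CONFIG) reports the CryptoKeyVersion and names the parent key to put in kmsKeyName; an IAM problem would still surface at build time, so this only rules out the resource-name mistake.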