I am attempting to set up a simple Rails application using GCP Cloudbuild, and am running into an error message that indicates a failure to decrypt a variable due to the KMS key not being found.
Currently, when running the build `gcloud builds submit --config cloudbuild.yaml`, I get the following error:
ERROR: build step 2 "gcr.io/cloud-builders/docker" failed: Failed to decrypt "DB_PWD" using key "projects/onlydrams/locations/us-central1/keyRings/onlydrams/cryptoKeys/db_pwd_key/cryptoKeyVersions/1": googleapi: got HTTP response code 404 with body: <!DOCTYPE html>
The Google Cloud Build IAM role that is generated from authorizing the API in the account has the following roles assigned to it:
Cloud Build Service Account
Cloud KMS Admin
Cloud KMS CryptoKey Decrypter
The part that is most confusing to me is that, if it were a problem with the role assignments and their permissions missing some role, I would expect a 403 or 401, but in this case it is a 404.
In the `codebuild.yaml` file, under `availableSecrets`, the `kmsKeyName` is being copied directly from the Cloud Console, but it seems that with that auto-generated link a 404 occurs.
```yaml
steps:
  # Build image with tag 'latest' and pass decrypted Rails DB password as argument
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '--tag', 'gcr.io/onlydrams/onlydrams:latest',
           '--build-arg', 'DB_PWD', '.']
    secretEnv: ['DB_PWD']
  # Push new image to Google Cloud Registry
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/onlydrams/onlydrams:latest']
availableSecrets:
  inline:
    - kmsKeyName: projects/onlydrams/locations/us-central1/keyRings/onlydrams/cryptoKeys/db_pwd_key/cryptoKeyVersions/1
      envMap:
        DB_PWD: "CiQAYGWAVuMg5wxnkgWjKH07iWxR+GBD/wYE1YAcgYDa5nAPADwSOQDtVRn4Aj5LAMl5V0YiEnwJ48cd3RqG3lk4MN4IzhUyPIvKIZUtj5uKOVA86VbnzOaPxKNDPFUGIw=="
```
Is there a particular reason this Cloudbuild run might not have access or be able to find the key being referenced in the step calling it?
I think it's because you're passing it the key version when it's asking for the key name. Try just using projects/onlydrams/locations/us-central1/keyRings/onlydrams/cryptoKeys/db_pwd_key
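A pre-submit check for the mistake the answer points to, as an added example that is not part of the original question or answer: it scans a build config's text for `kmsKeyName` values and flags any that name a key version instead of the key. The function names and the elided ciphertext in the sample are assumptions made for illustration.

```python
import re

# CryptoKey resource name, optionally followed by a /cryptoKeyVersions/N suffix.
KEY_RE = re.compile(
    r"^(?P<key>projects/[^/\s]+/locations/[^/\s]+/keyRings/[^/\s]+/cryptoKeys/[^/\s]+)"
    r"(?P<version>/cryptoKeyVersions/[^/\s]+)?$"
)
# A kmsKeyName field, with or without a leading list dash and trailing comment.
FIELD_RE = re.compile(r"^\s*(?:-\s*)?kmsKeyName:\s*(?P<value>.*?)\s*(?:#.*)?$")


def classify(name):
    """Return (status, suggested_key_name) for one kmsKeyName value."""
    m = KEY_RE.match(name.strip().strip("'\""))
    if m is None:
        return ("malformed", None)
    if m.group("version"):
        # Names a CryptoKeyVersion; the suggestion drops the version suffix.
        return ("key-version", m.group("key"))
    return ("ok", m.group("key"))


def lint(config_text):
    """Scan build config text; return (line, status, suggestion) for bad values."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = FIELD_RE.match(line)
        if m:
            status, fix = classify(m.group("value"))
            if status != "ok":
                findings.append((lineno, status, fix))
    return findings


# Constructed sample: the question's availableSecrets block, ciphertext elided.
SAMPLE = """\
availableSecrets:
  inline:
  - kmsKeyName: projects/onlydrams/locations/us-central1/keyRings/onlydrams/cryptoKeys/db_pwd_key/cryptoKeyVersions/1
    envMap:
      DB_PWD: "<ciphertext>"
"""

if __name__ == "__main__":
    for lineno, status, fix in lint(SAMPLE):
        print(f"line {lineno}: {status}; use {fix}")
```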