{"id":17241718,"url":"https://github.com/jacobian/cloud-builder-copy-env","last_synced_at":"2025-03-26T03:20:40.602Z","repository":{"id":66481802,"uuid":"230285962","full_name":"jacobian/cloud-builder-copy-env","owner":"jacobian","description":"Copy env vars from Cloud Run to Cloud Build","archived":false,"fork":false,"pushed_at":"2019-12-26T16:00:45.000Z","size":49,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-24T01:36:12.492Z","etag":null,"topics":["cloud-build","cloud-builder","cloud-builders","cloud-run","gcloud","google-cloud-platform","google-cloud-run"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jacobian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-26T15:27:08.000Z","updated_at":"2020-12-05T15:40:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"71771c8e-5a0a-4dc1-b0f8-dde8472cc540","html_url":"https://github.com/jacobian/cloud-builder-copy-env","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jacobian%2Fcloud-builder-copy-env","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jacobian%2Fcloud-builder-copy-env/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jacobian%2Fcloud-builder-copy-env/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jacobian%2F
cloud-builder-copy-env/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jacobian","download_url":"https://codeload.github.com/jacobian/cloud-builder-copy-env/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245580272,"owners_count":20638769,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-build","cloud-builder","cloud-builders","cloud-run","gcloud","google-cloud-platform","google-cloud-run"],"created_at":"2024-10-15T06:10:51.843Z","updated_at":"2025-03-26T03:20:40.584Z","avatar_url":"https://github.com/jacobian.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Copy env vars from Cloud Run to Cloud Build \n\n![It's a Hack!](hack.jpg)\n\nSo you have a Cloud Run service, and you'd like to run a build step that has access to some secrets stored in your service's env vars -- like a database migration, for example.\n\nYou could do this the right way, by [messing with KMS and secrets and stuff](https://github.com/GoogleCloudPlatform/django-demo-app-unicodex). But you're lazy, and env vars are fine by your threat model.\n\nSo here's this dingus. It'll copy env vars from a Cloud Run service into an env file, which you can then read in a later build step.\n\n## Usage\n\n1. Push this guy to your private container registry so you can use it in cloudbuild:\n\n   ```bash\n   git clone https://github.com/jacobian/cloud-builder-copy-env\n   cd cloud-builder-copy-env\n   gcloud builds submit\n   ```\n\n2. 
Grant permissions - this guy needs to be able to read env vars from that project:\n\n   ```bash\n   export PROJECT_ID=your-project-id\n   export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format 'value(projectNumber)')\n   export SERVICE_ACCOUNT=\"${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com\"\n\n   gcloud projects add-iam-policy-binding ${PROJECT_ID} \\\n     --member serviceAccount:$SERVICE_ACCOUNT \\\n     --role roles/run.admin\n   ```\n\n   NB: you may also want to add `roles/cloudsql.client` while you're at it, as if you're using this for the common database migration use case, you'll need that permission later too.\n\n   FIXME: is this correct? I did things differently so I'm not 100% sure.\n\n3. Use this build step in your cloudbuild.yaml:\n\n   ```yaml\n     - id: copyenv\n       name: gcr.io/$PROJECT_ID/copyenv\n       args: [--service, your-service-name]\n   ```\n\n   This takes some optional arguments:\n    \n    * `--region` (default: `us-central`)\n    * `--platform` (default: `managed`)\n    * `--dest` (default: `/workspace.env`)\n\nThis will write all your secrets to `/workspace/.env`, which is automatically persisted between build steps. So subsequent build steps can read from there and pick up all your config. 
\n\nFor example, I use [django-environ](https://django-environ.readthedocs.io/en/latest/), so my Django settings file has something like this:\n\n```python\nimport os\n\nimport environ\n\nenv = environ.Env()\nenv.read_env(os.environ.get(\"ENV_FILE\", \".env\"))\nDATABASES = {\"default\": env.db()}\n```\n\nAnd I make sure that my migration build step looks like:\n\n```yaml\n  - id: release\n    name: gcr.io/google-appengine/exec-wrapper\n    args:\n      - -i\n      - gcr.io/$PROJECT_ID/my-service-name\n      - -e\n      - ENV_FILE=/workspace/.env  # \u003c- 👀 this is the important line\n      - --\n      - sh\n      - release.sh\n``` \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjacobian%2Fcloud-builder-copy-env","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjacobian%2Fcloud-builder-copy-env","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjacobian%2Fcloud-builder-copy-env/lists"}