[memo] GCP Berglas command line

Posted: May 25, 2020

Setup

# Install
go install github.com/GoogleCloudPlatform/berglas

# Save credential for berglas cli
gcloud auth application-default login

# Set common variables to envvar
export PROJECT_ID=foo
export BERGLAS_BUCKET=bar

# bootstrapping
berglas bootstrap --project $PROJECT_ID --bucket $BERGLAS_BUCKET

Create secrets

# Add credential for AWS Access Key ID
berglas create \
  ${BERGLAS_BUCKET}/aws-access-key-id \
  AKIAAAAAAAAAAAAA \
  --key projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key

# Add credential for AWS Secret Key
berglas create \
  ${BERGLAS_BUCKET}/aws-secret-key \
  ................ \
  --key projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key

View secrets

berglas access ${BERGLAS_BUCKET}/aws-access-key-id
# => AKIAAAAAAAAAAAAA

berglas access ${BERGLAS_BUCKET}/aws-secret-key
# => ................

Use Credential on Cloud Run

# Add permission to custom service account (SA)
berglas grant ${BERGLAS_BUCKET}/aws-access-key-id --member serviceAccount:foobar@your-project.iam.gserviceaccount.com
berglas grant ${BERGLAS_BUCKET}/aws-secret-key --member serviceAccount:foobar@your-project.iam.gserviceaccount.com

# * if you use default SA (your project number is: `000000000000`)
# berglas grant ${BERGLAS_BUCKET}/aws-access-key-id --member serviceAccount:000000000000-compute@your-project.iam.gserviceaccount.com
# berglas grant ${BERGLAS_BUCKET}/aws-secret-key --member serviceAccount:000000000000-compute@your-project.iam.gserviceaccount.com


# deploy to Cloud Run
# (comments cannot follow a trailing backslash, so the per-flag notes are listed here)
#   --service-account   : using custom SA
#   AWS_REGION          : normal environment variable
#   AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY : variables on berglas
gcloud beta run deploy foobar_app \
  --platform managed \
  --project ${PROJECT_ID} \
  --image gcr.io/${PROJECT_ID}/foobar_app:latest \
  --region us-central1 \
  --service-account foobar@your-project.iam.gserviceaccount.com \
  --set-env-vars AWS_REGION=us-east-1 \
  --set-env-vars AWS_ACCESS_KEY_ID=berglas://${BERGLAS_BUCKET}/aws-access-key-id \
  --set-env-vars AWS_SECRET_ACCESS_KEY=berglas://${BERGLAS_BUCKET}/aws-secret-key \
  --add-cloudsql-instances ${PROJECT_ID}:us-central1:foobar-master-db1 \
  --allow-unauthenticated

I prefer to use a berglas-only bucket and add view/read permissions to the custom SA.

So you can omit the grant operations.

... on Golang

Just add _ "github.com/GoogleCloudPlatform/berglas/pkg/auto" to your imports.

But once you add it, you must set an appropriate GOOGLE_APPLICATION_CREDENTIALS variable, because the package resolves the berglas:// references when the program starts.

That can get in the way during testing or local development.

So put the import in a separate file guarded by a build tag.

// +build prod

package main

import (
	_ "github.com/GoogleCloudPlatform/berglas/pkg/auto"
)
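The auto package does its work by walking os.Environ() at init time and swapping every berglas:// value for its plaintext. As an added example (not code from the memo or from the berglas project), the block below performs that same walk explicitly, with the resolver injected as a function: the prod build would pass a wrapper around the berglas client, while tests and local runs pass a fake and never need GOOGLE_APPLICATION_CREDENTIALS. The Resolver type, ResolveEnviron and the sample environment are assumptions constructed for this example.

```go
package main

import (
	"context"
	"fmt"
	"net/url"
	"strings"
)

// Resolver returns the plaintext for one berglas://bucket/object reference.
// Production code would wrap the berglas library here; tests pass a fake.
type Resolver func(ctx context.Context, bucket, object string) ([]byte, error)

// ResolveEnviron takes KEY=VALUE pairs as os.Environ returns them, resolves
// every value starting with berglas:// and passes the rest through. A bad
// reference or a resolver failure aborts, so the app never runs with the
// literal "berglas://..." string where it expected a secret.
func ResolveEnviron(ctx context.Context, environ []string, resolve Resolver) (map[string]string, error) {
	out := make(map[string]string, len(environ))
	for _, kv := range environ {
		k, v, found := strings.Cut(kv, "=")
		if !found {
			continue
		}
		if !strings.HasPrefix(v, "berglas://") {
			out[k] = v // plain env var, e.g. AWS_REGION
			continue
		}
		// Reference must be exactly berglas://<bucket>/<object>.
		u, err := url.Parse(v)
		if err != nil || u.Scheme != "berglas" || u.Host == "" || strings.Trim(u.Path, "/") == "" {
			return nil, fmt.Errorf("%s: malformed berglas reference %q", k, v)
		}
		plain, err := resolve(ctx, u.Host, strings.TrimPrefix(u.Path, "/"))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = string(plain)
	}
	return out, nil
}

func main() {
	// Constructed sample in the shape of the Cloud Run deploy above; the fake
	// resolver stands in for a berglas/KMS round trip.
	env := []string{"AWS_REGION=us-east-1", "AWS_ACCESS_KEY_ID=berglas://bar/aws-access-key-id"}
	fake := func(_ context.Context, b, o string) ([]byte, error) { return []byte("<secret " + b + "/" + o + ">"), nil }
	resolved, err := ResolveEnviron(context.Background(), env, fake)
	fmt.Println(resolved, err)
}
```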

The Dockerfile may look like this:

ARG BUILD_TAGS=none

FROM golang:1.14.0-alpine3.11 as builder

RUN apk add --no-cache curl git

WORKDIR /go/src/github.com/evalphobia/my-test-app/app
ENV GO111MODULE=on
COPY go.mod ./
RUN go mod download

COPY . .
ARG BUILD_TAGS
RUN go build -v -o myapp -tags ${BUILD_TAGS}


FROM alpine:3.11.3

RUN apk add --no-cache ca-certificates mysql-client

COPY --from=builder /go/src/github.com/evalphobia/my-test-app/app/myapp /myapp

CMD ["/myapp"]

Build the Docker image with the prod build tag and push it:

docker build . -t gcr.io/${PROJECT_ID}/foobar_app:latest --build-arg BUILD_TAGS=prod
docker push gcr.io/${PROJECT_ID}/foobar_app:latest