
Suppose I have a project in a Bitbucket repository that stores a secret API key in a config file like config.json:

{
    "secret": 
}

Is it possible to refer to the "secret" variable from variables in a Bitbucket pipeline and then deploy this automatically to Google App Engine, so that App Engine "knows" the secret variable?



You can use the envsubst command in your pipeline.

Your json file would look like this and be named config_template.json:

{
    "secret": "$SECRET"
}

The step in your pipeline would look like this:

- step:
    name: replace secret
    script:
      # pipe config_template.json to envsubst and store result in a file called config.json
      - cat config_template.json | envsubst > config.json
      # show config.json TODO: Remove this when you are sure it is working!
      - cat config.json
      # Deploy config.json to App Engine here!

This assumes that you have envsubst in your build image and a repository variable called SECRET in your pipeline.

  • So this way, App Engine would not hold the original keys, correct? – David Apr 08 '20 at 17:31
  • I don't know exactly what you mean, but you can change the file in your bitbucket to `config_template.json` or something and then upload to App Engine as `config.json`. I will update the example accordingly. – VolkerK Apr 09 '20 at 06:07
  • Commenting here as it might save someone's time: Pipelines masks all occurrences of a secure variable's value in the log files; therefore, the `cat` command would still show the secret variable's name instead of its value. One may share/download the rendered file for verification. – kamimanzoor Jun 15 '22 at 13:46
  • @kamimanzoor You're saying even the `config.json` file will show only the variable, but hadn't we just written the secret to a file? Is there a way to verify that it got written? All I see in the `config.json` is the variable name. Essentially I am trying to verify why my deployment script, when accessing `config.json`, says `Unexpected token`; I would assume because the `config.json` doesn't have the variable. I will probably open a question for this, but thought it would be good to have the issue identified here. – Anders Kitson Sep 21 '22 at 20:50
  • @AndersKitson The file does get rendered with the correct secret value. Bitbucket just masks the secret value while displaying on the console i.e., if you print the contents of the file using for instance `cat` command, the secret will be masked and only the variable name will be shown. You may upload the file in "Downloads" and download it to verify that it contains the right secret value. You may use [bitbucket-upload-file](https://bitbucket.org/atlassian/bitbucket-upload-file/src/master/) pipe for this purpose – kamimanzoor Sep 22 '22 at 14:08
  • @kamimanzoor So you're saying to write a separate pipeline to upload the `config.json` and then re-download it? I am a little confused as to how and why. Maybe you could take a look at my issue here https://stackoverflow.com/questions/73807001/using-envsubst-for-a-meteor-app-with-bitbucket-pipelines Thanks for responding. – Anders Kitson Sep 22 '22 at 17:36
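A worked version of the answer's envsubst step, covering the concern raised in the comments (how to confirm the secret was written when the log masks it), as an added example that is not code from the answer or from Bitbucket. It assumes the template quotes the value as `"secret": "$SECRET"`, limits substitution to that one variable, and verifies the rendered file with a silent fixed-string grep instead of `cat`; the `render_fallback` helper and the sample values are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer: render config_template.json
# with envsubst limited to $SECRET, then check the result without echoing the
# value (Pipelines masks secure variables in the log, so `cat` proves nothing).
# Assumes the template quotes the value:  { "secret": "$SECRET" }
set -eu

# POSIX fallback for build images without gettext's envsubst: escape the
# characters special in a sed replacement (\ & and the | delimiter) first.
render_fallback() {          # render_fallback TEMPLATE  -> rendered text on stdout
  esc=$(printf '%s' "$SECRET" | sed 's/[\\&|]/\\&/g')
  sed "s|[\$]SECRET|$esc|g" "$1"
}

render_config() {            # render_config TEMPLATE OUTPUT
  template=$1; out=$2
  case ${SECRET:-} in
    '')       echo "SECRET is not set" >&2; return 1 ;;
    *[\"\\]*) echo "SECRET contains \" or \\ and would break the JSON string" >&2; return 1 ;;
  esac
  umask 077                  # the rendered file holds a secret: owner-readable only
  if command -v envsubst >/dev/null 2>&1; then
    # Only $SECRET is replaced; other '$' in the template (e.g. "$schema") survive.
    envsubst '$SECRET' < "$template" > "$out"
  else
    render_fallback "$template" > "$out"
  fi
}

verify_config() {            # verify_config OUTPUT -> 0 only if the secret was written
  out=$1
  if grep -q '[$]SECRET' "$out"; then
    echo "placeholder not replaced in $out" >&2; return 1
  fi
  # -F -q: fixed-string match, nothing printed, so the value never reaches the log.
  if ! grep -qF -- "\"$SECRET\"" "$out"; then
    echo "secret missing from $out" >&2; return 1
  fi
  echo "ok: $out rendered, $(wc -c < "$out") bytes, value not shown"
}

# Constructed demo; a real step gets SECRET from a secured repository variable.
demo() {
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  printf '{\n  "$schema": "config",\n  "secret": "$SECRET"\n}\n' > "$dir/config_template.json"
  SECRET='s3cr3t&value|with$pecials' render_config "$dir/config_template.json" "$dir/config.json"
  SECRET='s3cr3t&value|with$pecials' verify_config "$dir/config.json"
  grep -qF '"$schema": "config"' "$dir/config.json"   # untouched by the substitution
}
```

In a pipeline step, replace the `cat config.json` line with `verify_config config.json`; the step fails if the placeholder survived or the value is absent, and nothing secret is written to the log.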