Google cloud built not substituting environment variable for firebase token

Solution 1:

Build firebase Docker image.

See:

  • https://github.com/GoogleCloudPlatform/cloud-builders-community
$ git clone https://github.com/GoogleCloudPlatform/cloud-builders-community
$ cd firebase
$ gcloud builds submit --config cloudbuild.yaml .

Encrypt ci token

$ firebase login:ci
$ gcloud kms keyrings create cloudbuilder --location global
$ gcloud kms keys create firebase-token --location global --keyring cloudbuilder --purpose encryption
$ echo -n <ciToken> | gcloud kms encrypt \
  --plaintext-file=- \
  --ciphertext-file=- \
  --location=global \
  --keyring=cloudbuilder \
  --key=firebase-token | base64

Set encrypted ci token in cloudbuild.yaml

See:

  • https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials?hl=ja#example_build_request_using_an_encrypted_variable
  • https://github.com/GoogleCloudPlatform/cloud-builders-community/blob/master/firebase/firebase.bash#L5
  • https://github.com/firebase/firebase-tools#user-content-using-with-ci-systems
secrets:
- kmsKeyName: projects/<projectName>/locations/global/keyRings/cloudbuilder/cryptoKeys/firebase-token
  secretEnv:
    FIREBASE_TOKEN: <EncryptedCiToken>
steps:
- id: 'npm install'
  name: 'gcr.io/cloud-builders/npm'
  args: ['install']

- id: 'functions npm install'
  name: 'gcr.io/cloud-builders/npm'
  args: ['install']
  dir: 'functions'

- id: "deploy firebase"
  name: 'gcr.io/$PROJECT_ID/firebase'
  args: ['deploy', '--project=<projectName>']

# Deploy specific Firebase services
# (If you only want to deploy specific Firebase services or features)
#
# - id: "deploy firebase"
#   name: 'gcr.io/$PROJECT_ID/firebase'
#   args: ['deploy', '--only', 'functions', '--project=<projectName>']
# 
# - id: "deploy firebase storage"
#   name: 'gcr.io/$PROJECT_ID/firebase'
#   args: ['deploy', '--only', 'storage', '--project=<projectName>']
#   secretEnv: ['FIREBASE_TOKEN']
# 
# - id: "deploy firebase firestore"
#   name: 'gcr.io/$PROJECT_ID/firebase'
#   args: ['deploy', '--only', 'firestore', '--project=<projectName>']
#   secretEnv: ['FIREBASE_TOKEN']
# 
# - id: "deploy firebase hosting"
#   name: 'gcr.io/$PROJECT_ID/firebase'
#   args: ['deploy', '--only', 'hosting', '--project=<projectName>']

More information

  • https://github.com/zkohi/firebase-sub-guides/blob/master/content/docs/ja/cd/index.md