Introduction

...

  1. Create a KeyRing and a CryptoKey in the Encryption keys section of IAM.
  2. Ensure that Google users have access to the KeyRing and CryptoKey just created by adding the allAuthenticatedUsers member, assigned with the owner role, to the CryptoKey permissions. For additional information about KMS permissions and roles, refer to the KMS Permissions and Roles page.
  3. Generate an Access Token for the Application you're scanning with.
    • In Black Duck, generate it by navigating to the Profile section for your user in the top right of the screen.
    • In Polaris, generate it by navigating to your user Profile in the top left of the screen.
  4. Encrypt the token by using gcloud's KMS encrypt with the KeyRing and CryptoKey names that were created in the previous steps as shown in the following command:


    KMS commands
    # - Optional, save the Token to an Environment Variable (quoted so that a
    #   token or placeholder containing shell metacharacters is not interpreted)
    export TOKEN='<<Token from Black Duck or Polaris>>'

    # - Echo the Token Value without a trailing newline, Piped to KMS Encrypt,
    #   then Piped to base64.
    #   --plaintext-file=-  reads the plaintext from stdin
    #   --ciphertext-file=- writes the ciphertext to stdout
    #   tr -d '\n' strips the line wrapping that GNU base64 inserts every 76
    #   characters, so the output is a single line that can be pasted into the
    #   build configuration file.
    echo -n "$TOKEN" | gcloud kms encrypt \
      --plaintext-file=- \
      --ciphertext-file=- \
      --location=global \
      --keyring=[KEYRING-NAME] \
      --key=[KEY-NAME] | base64 | tr -d '\n'


  5. The command in step four outputs a base64-encoded string when it runs successfully.
    Copy this string, and paste it in the build configuration file under secrets > secretEnv.

Sample build configuration file with Secrets decrypted with KMS

steps:
- name: 'gcr.io/cloud-marketplace/blackduck-devpublic/googlesynopsys-cloudbuild-scanner'
  secretEnv: [ 'BD_TOKEN' ]
  args:
  - '--blackduck.url'
  - '<<Black Duck URL>>' # The URL of your Black Duck Instance
  - '--blackduck.api.token'
  - '$$BD_TOKEN' # Black Duck API Token decrypted by KMS
  - '--detect.project.name'
  - '<<Project_Name>>' # Project Name to map scan to in Black Duck UI
  - '--detect.project.version.name'
  - '<<Project Version>>' # Project Version to map scan to in Black Duck UI
  - '--detect.tools'
  - 'SIGNATURE_SCAN' # List of Scanners to Run
  - '--detect.source.path'
  - '/workspace' # Target for Signature Scan
secrets:
- kmsKeyName: projects/[PROJECT_ID]/locations/global/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]
  secretEnv:
    BD_TOKEN: <<base64 encoded encrypted Black Duck API Token>>
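The steps above end with a hand-edited build configuration, and the common mistakes are easy to miss by eye: a base64 string that was line-wrapped by base64, a secret referenced by a step but never declared under secrets, a kmsKeyName that is not a full CryptoKey resource path, or the plaintext token pasted straight into args instead of the $$BD_TOKEN reference. The following checker is an added example written for this page; it is not part of the scanner project or of Google Cloud Build. It takes the configuration as the Python dict that yaml.safe_load() would return for the YAML above (a constructed copy is embedded inline so the example runs offline, with a constructed ciphertext stand-in rather than real KMS output) and reports every finding it detects; the flag-name pattern used to spot sensitive arguments is an assumption of this example.

```python
import base64
import binascii
import re

# Shape of a KMS CryptoKey resource name, as used by the kmsKeyName field.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

# Assumed convention for this example: any flag whose name mentions a token,
# password or secret must be followed by a $$NAME reference, not a literal.
SENSITIVE_FLAG_RE = re.compile(r"^--.*(token|password|secret)", re.IGNORECASE)


def check_secrets(config):
    """Validate the secrets wiring of a parsed Cloud Build configuration.

    Returns a list of human-readable findings; an empty list means it passed.
    """
    findings = []
    declared = set()

    for secret in config.get("secrets", []):
        key_name = secret.get("kmsKeyName", "")
        if not KMS_KEY_RE.match(key_name):
            findings.append(f"malformed kmsKeyName: {key_name!r}")
        for name, value in secret.get("secretEnv", {}).items():
            declared.add(name)
            # validate=True rejects any non-alphabet character, so a value that
            # still carries base64's 76-column line breaks is caught here.
            try:
                if not base64.b64decode(value, validate=True):
                    raise ValueError("empty ciphertext")
            except (binascii.Error, ValueError):
                findings.append(f"secretEnv {name}: not a single valid base64 string")

    for idx, step in enumerate(config.get("steps", [])):
        used = set(step.get("secretEnv", []))
        for name in sorted(used - declared):
            findings.append(f"step {idx}: secretEnv {name!r} is not declared under secrets")
        args = step.get("args", [])
        for pos, arg in enumerate(args[:-1]):
            if SENSITIVE_FLAG_RE.match(arg):
                value = args[pos + 1]
                if not (value.startswith("$$") and value[2:] in used):
                    findings.append(
                        f"step {idx}: {arg} is given a literal value instead of a $$NAME reference"
                    )
    return findings


# Constructed stand-in for the base64-encoded KMS ciphertext (not real output).
FAKE_CIPHERTEXT_B64 = base64.b64encode(b"constructed ciphertext, not a real token").decode()

# Constructed copy of the page's sample configuration after yaml.safe_load().
GOOD_CONFIG = {
    "steps": [{
        "name": "gcr.io/cloud-marketplace/blackduck-devpublic/googlesynopsys-cloudbuild-scanner",
        "secretEnv": ["BD_TOKEN"],
        "args": [
            "--blackduck.url", "https://blackduck.example.invalid",
            "--blackduck.api.token", "$$BD_TOKEN",
            "--detect.project.name", "demo-project",
            "--detect.tools", "SIGNATURE_SCAN",
            "--detect.source.path", "/workspace",
        ],
    }],
    "secrets": [{
        "kmsKeyName": "projects/example-project/locations/global/keyRings/example-ring/cryptoKeys/example-key",
        "secretEnv": {"BD_TOKEN": FAKE_CIPHERTEXT_B64},
    }],
}

# Constructed configuration with the four mistakes described in the lead-in.
BAD_CONFIG = {
    "steps": [{
        "name": "gcr.io/example/scanner",
        "secretEnv": ["BD_TOKEN", "POLARIS_TOKEN"],
        "args": ["--blackduck.api.token", "literal-token-pasted-by-mistake"],
    }],
    "secrets": [{
        "kmsKeyName": "example-key",
        "secretEnv": {"BD_TOKEN": "AAAA\nBBBB"},  # wrapped base64 output
    }],
}


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_secrets(cfg) or "OK")
```

Run it before committing the build configuration; wiring it into a pre-commit hook keeps a plaintext token from ever reaching the repository. The argument check deliberately requires the $$NAME form, since that is how the sample configuration hands the decrypted value to the scanner.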

...