How to use custom substitutions with secretmanager in cloudbuild?

Question

I'm having an issue with using custom substitutions in my cloudbuild.yaml.

substitutions:
  _CUSTOM_SUBSTITUTION: this-is-a-path
availableSecrets:
  secretManager:
  - versionName: projects/$_CUSTOM_SUBSTITUTION/secrets/client_id/versions/1
    env: CLIENT_ID
  - versionName: projects/$_CUSTOM_SUBSTITUTION/secrets/client_secret/versions/1
    env: CLIENT_SECRET

From what I can tell from trial and error, using something like $PROJECT_ID in the place of $_CUSTOM_SUBSTITUTION will run the build, but if I use a custom substitution like above, the trigger does not run a build at all when a commit is pushed.

I've also tested with various other base substitutions, like $BRANCH_NAME to the same effect. I'm getting the feeling that it's just not possible to do this in cloudbuild at the moment?

Answer 1

It ended up being a combination of need curly braces ${_CUSTOM_SUBSTITUTION} and some syntax fixing in the cloudbuild.yaml. I didn't have enough experience with cloudbuild to find that.

The offending part was something this:

AUTH_TOKEN=$$(cat /workspace/token.txt). Originally I had just 1 $ there, which was also working code pulled from another project.

For anyone running into this in the future, using gloud builds submit can let you run it directly for troubleshooting.