A team uses Cloud Build to build Docker images and push them to Artifact Registry. The cloudbuild.yaml has a step that requires a secret API key to call an external service during build. How should the secret be provided securely?
Cloud Build's `availableSecrets.secretManager` configuration retrieves the secret value from Secret Manager at build time and exposes it to the build step that references it in `secretEnv` as an environment variable, without writing the value to the build logs.
Why this answer
Option B is correct because Cloud Build's `availableSecrets` field lets you inject secrets from Secret Manager into build steps as environment variables or files, without exposing them in the build configuration or logs. The API key stays encrypted at rest and in transit, and access to it is controlled through IAM permissions on the secret (the Cloud Build service account needs `roles/secretmanager.secretAccessor` on it), making this the only secure method among the options.
Exam trap
Google Cloud often tests the misconception that substitution variables are secure because they are "variables." They are actually passed as plain text and can appear in logs, whereas `availableSecrets` is the only method that guarantees the secret is never exposed in the build configuration or logs.
How to eliminate wrong answers
Option A is wrong because substitution variables are passed as plain text on the `gcloud builds submit` command line and can be visible in build logs or shell history, violating security best practices. Option C is wrong because storing the API key in a Cloud Storage bucket and downloading it in a build step exposes the key to unauthorized access if the bucket is misconfigured, and the key can still appear in the build step's command or logs. Option D is wrong because hardcoding the API key in `cloudbuild.yaml` and committing it to the source repository makes the key accessible to anyone with repository access, and it remains exposed in version control history and build logs.