GoogleCloudPlatform / cloud-builders-community

Community-contributed images for Google Cloud Build
https://cloud.google.com/cloud-build/
Apache License 2.0

envsubst won't substitute secrets #629

Open jrean opened 1 year ago

jrean commented 1 year ago

Affected builder image

gcr.io/cloud-builders-community/envsubst

Expected Behavior

APP_KEY=1234
TEST_APP_KEY=hello-world

Actual Behavior

APP_KEY=$APP_KEY
TEST_APP_KEY=hello-world

Steps to Reproduce the Problem

app.yaml file:

...
env_variables:
  APP_KEY: ${SECRET_APP_KEY}
  TEST_APP_KEY: ${TEST_APP_KEY}

cloudbuild.yaml:

steps:
  - id: Config
    name: 'gcr.io/${PROJECT_ID}/envsubst'
    args: ['app.yaml']
    env: ['SECRET_APP_KEY=$$APP_KEY', 'TEST_APP_KEY=hello-world']
    secretEnv: ['APP_KEY']

availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/APP_KEY/versions/latest
      env: 'APP_KEY'

Additional Info

I can't get the secret value substituted. What am I missing?

kevinblanco commented 1 year ago

@jrean, based on this documentation, you must use an underscore (_):

You can also define your own substitutions. User-defined substitutions must conform to the following rules:

Substitutions must begin with an underscore (_) and use only uppercase-letters and numbers (respecting the regular expression _[A-Z0-9_]+). This prevents conflicts with built-in substitutions. To use an expression starting with $ you must use $$. Thus:
$FOO is invalid since it is not a built-in substitution.
$$FOO evaluates to the literal string $FOO.
The number of parameters is limited to 100 parameters. The length of a parameter key is limited to 100 bytes and the length of a parameter value is limited to 4000 bytes.
You can specify variables in one of two ways: $_FOO or ${_FOO}:

Both $_FOO and ${_FOO} evaluate to the value of _FOO. However, ${} lets the substitution work without surrounding spaces, which allows for substitutions like ${_FOO}BAR.
$$ allows you to include a literal $ in the template. Thus:
$_FOO evaluates to the value of _FOO.
$$_FOO evaluates to the literal string $_FOO.
$$$_FOO evaluates to the literal string $ followed by the value of _FOO.

jrean commented 1 year ago

@kevinblanco Thanks! Helpful. Do you mind updating my example? I can't get it to work right now.
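
Added example, not part of the original thread and not the builder's own code: a Python sketch of the two expansion passes behind the reported output, using the `$$` rule quoted above. `cloud_build_substitute`, `envsubst` and `render` are simplified stand-ins written for this illustration, and it assumes `secretEnv` values reach the step as ordinary environment variables.

```python
import re

# Simplified model (assumption) of two independent expansion passes.
_CB = re.compile(r"\$\$|\$\{(\w+)\}|\$(\w+)")
_ENV = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def cloud_build_substitute(value, substitutions):
    """Pass 1: Cloud Build rewrites the build config before the step runs."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"  # $$ escapes to a literal dollar sign
        key = m.group(1) or m.group(2)
        if key not in substitutions:
            raise ValueError(f"${key} is not a valid substitution")
        return substitutions[key]
    return _CB.sub(repl, value)


def envsubst(template, environ):
    """Pass 2: the template is expanded once; inserted values are not rescanned."""
    return _ENV.sub(lambda m: environ.get(m.group(1) or m.group(2), ""), template)


def render(template, env_field, secrets, substitutions):
    """Assemble the step environment as the config describes, then render."""
    environ = dict(secrets)  # secretEnv: assumed to arrive as real env variables
    for entry in env_field:
        name, _, raw = entry.partition("=")
        environ[name] = cloud_build_substitute(raw, substitutions)
    return envsubst(template, environ)


SUBS = {"PROJECT_ID": "example-project"}  # constructed value
SECRETS = {"APP_KEY": "1234"}             # constructed secret, value from the issue
ENV_FIELD = ["SECRET_APP_KEY=$$APP_KEY", "TEST_APP_KEY=hello-world"]
# Template from the issue: reaches the secret through the env indirection.
AS_REPORTED = "APP_KEY: ${SECRET_APP_KEY}\nTEST_APP_KEY: ${TEST_APP_KEY}\n"
# Template that names the secretEnv variable directly.
DIRECT = "APP_KEY: ${APP_KEY}\nTEST_APP_KEY: ${TEST_APP_KEY}\n"

if __name__ == "__main__":
    print(render(AS_REPORTED, ENV_FIELD, SECRETS, SUBS))
    print(render(DIRECT, ENV_FIELD, SECRETS, SUBS))
```

In this model the `env` entry holds the literal string `$APP_KEY`, which nothing expands a second time, while the template that references `${APP_KEY}` directly picks up the secret. Either way, a successfully rendered `app.yaml` contains the secret in plaintext in the build workspace.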