authenticating with env var #152

Closed
jotto opened this issue Oct 26, 2018 · 8 comments

@jotto

jotto commented Oct 26, 2018

Is there a way to authenticate with a single service-account JSON file?

I understand the docs suggest using docker run -ti --name gcloud-config google/cloud-sdk gcloud auth login but this seems antithetical to Docker or k8 style config since it creates several files in the mounted volume. Further, k8 on AWS doesn't allow ReadWriteMany.

I've tried setting the GOOGLE_APPLICATION_CREDENTIALS env var to a file mounted into the container but this doesn't work (with the bq CLI at least).

@salrashid123
Contributor

The credentials used by gcloud do not honor the full application default credentials specification (e.g. the env var there directly). It instead sets up its own context and credentials files (the inverse is true though: application defaults will seek out creds from the gcloud credentials folder).

There is an override of gcloud using auth/credential_file_override that may help in creating a similar flow, though it's a couple of steps to set up the credentials file and then enable it, e.g.:

$ cp /path/to/local/svc_account.json .

$ docker run -ti -v `pwd`:/tmp/certs google/cloud-sdk:alpine /bin/bash


bash-4.4# gcloud config set auth/credential_file_override /tmp/certs/svc_account.json
Updated property [auth/credential_file_override].


bash-4.4# gcloud config list
[auth]
credential_file_override = /tmp/certs/svc_account.json
[component_manager]
disable_update_check = true
[core]
disable_usage_reporting = true
[metrics]
environment = github_docker_image

Your active configuration is: [default]


bash-4.4# gcloud compute instances list --project your_project
NAME                ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
be-central-ig-5ltf  us-central1-a  g1-small                    10.128.0.9   35.224.237.96   RUNNING

(perhaps an image with that default config value set to a volume or secret mount for the certs in k8s?)


Though not what you're asking in this issue, for completeness, I'll just mention the override for the full config folder with the env var CLOUDSDK_CONFIG:

$ cp -R ~/.config/gcloud mygcloud

$ docker run -ti -e CLOUDSDK_CONFIG=/tmp/mygcloud -v `pwd`/mygcloud:/tmp/mygcloud google/cloud-sdk:alpine gcloud config list
[core]
account = [email protected]

@salrashid123
Contributor

one other thing: you can predefine a configuration and set it with CLOUDSDK_CONFIG that presets auth/credential_file_override

that is, CLOUDSDK_CONFIG that is set below for /tmp/mygcloud already specifies the path to look for the cert file with auth/credential_file_override

then both together:

$ docker run -ti -e CLOUDSDK_CONFIG=/tmp/mygcloud -v `pwd`/mygcloud:/tmp/mygcloud -v `pwd`:/tmp/certs  google/cloud-sdk:alpine gcloud compute instances list --project your_project

NAME                ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
be-central-ig-5ltf  us-central1-a  g1-small                    10.128.0.9   35.224.237.96   RUNNING

@jotto
Author

jotto commented Oct 29, 2018

I guess we can just skip the CLOUDSDK_CONFIG env var right?

Just need a writeable directory mounted at /root/.config that looks like:

$ tree mygcloud
├── configurations
│   └── config_default

where config_default looks like:

[auth]
credential_file_override = /tmp/certs/svc_account.json

and svc_account.json is in your current directory.

docker run -ti -v $(pwd)/mygcloud:/root/.config/gcloud -v $(pwd):/tmp/certs google/cloud-sdk:latest gcloud compute instances list

@jotto
Author

jotto commented Oct 29, 2018

I wrapped it here: https://github.com/messari/docker-google-cloud-sdk-auth-wrapper thanks @salrashid123

@salrashid123
Contributor

glad it worked; I'll add the instruction set for the alternative to this repo's main README.md here

@mortensorensen

Thanks @jotto! Spent hours trying to figure this out.
gcloud auth activate-service-account --key-file=/certs/key.json

@leriel

leriel commented Oct 12, 2022

Sorry to comment on an old thread, but it does come up in search.
One way to set it up with env vars only (without need for running an extra command) is:

docker run --rm -it \
  -v /path/to/sa.json:/config/sa.json \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/config/sa.json \
  -e CLOUDSDK_CORE_PROJECT=project-name \
  google/cloud-sdk \
  gcloud storage ls

@alectrico-pro

alectrico-pro commented Dec 30, 2022

Thanks to @leriel it worked.
Even more, I discovered a file named application_default_credentials.json with the credentials inside, so I ended up with:

Makefile

list:
	docker run --rm -it \
	  -v $(shell pwd)/.config/gcloud/application_default_credentials.json:/config/sa.json \
	  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/config/sa.json \
	  -e CLOUDSDK_CORE_PROJECT=designer-368008 \
	  google/cloud-sdk \
	  gcloud projects list

Note: you can call make list in bash.
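
An added example, not part of the thread or of the google/cloud-sdk project: a shell wrapper around the env-var approach from leriel's comment that checks the credential file's type and permissions before mounting it read-only. The function names are hypothetical, and the key path is assumed to be absolute (Docker bind mounts require that).

```shell
#!/bin/sh
# Added example: pre-flight checks before handing a credential file to the
# google/cloud-sdk container. All function names here are hypothetical.

# Print the "type" field of a Google credential JSON file:
#   service_account = a service-account key
#   authorized_user = a user's refresh token, the format that
#                     `gcloud auth application-default login` writes
cred_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if group and other have no permission bits on the file.
cred_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 = ok, 1 = unreadable, 2 = not a service-account key,
# 3 = readable by group/other.
check_cred() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  t=$(cred_type "$1")
  [ "$t" = "service_account" ] || {
    echo "$1: type is '${t:-missing}', expected service_account" >&2; return 2; }
  cred_private "$1" || {
    echo "$1: readable by group/other, run chmod 600" >&2; return 3; }
}

# Usage: run_gcloud /abs/path/sa.json project-name storage ls
# Mounts the key read-only and passes its path via the env var, so nothing
# is written next to the key and no gcloud config volume is needed.
run_gcloud() {
  key=$1 project=$2; shift 2
  check_cred "$key" || return
  docker run --rm \
    -v "$key":/config/sa.json:ro \
    -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/config/sa.json \
    -e CLOUDSDK_CORE_PROJECT="$project" \
    google/cloud-sdk gcloud "$@"
}
```

The type check makes it visible when the mounted file holds a user's refresh token rather than a service-account key, which matters for what the container can do if the file leaks.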
