I am running a workflow in GitHub Actions that builds a Docker image and then runs some gsutil commands inside a container.
I have problems with authentication: the gsutil commands need access to my buckets on GCP and I'm getting errors:
Run docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt"
ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
Error: Process completed with exit code 1.
I can't provide completely reproducible code, as it would require having a GCP project and service account credentials saved in GitHub's secrets, but this is the most that I can share:
GitHub Actions workflow definition:
name: test
on: push
jobs:
  test-gsutil-command:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v0
        with:
          credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
      - name: Register gcloud as a Docker credential helper
        run: gcloud auth configure-docker
      - name: build
        run: docker build -t ltr:latest .   # -t is required to tag the image
      - name: Run gcloud command in docker
        run: docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt" # this line is giving me the above error
Dockerfile
FROM gcr.io/deeplearning-platform-release/tf-gpu.2-8
RUN mkdir -p /ltr
COPY requirements /ltr/requirements
COPY Makefile /ltr
COPY setup.py /ltr
WORKDIR /ltr
RUN python -m pip --no-cache-dir install -r requirements/base.txt
Another important thing is that I am sure that the service account I'm using has access to the bucket that I want to read a file from; I can run that gsutil command locally.
Could you tell me what I need to do, besides gcloud auth configure-docker in the workflow, to be able to run that gsutil command in a Docker container?
2 Answers
Google has developed GitHub Actions that facilitate integration with Google Cloud. See GitHub Action for authenticating to Google Cloud.
A good mechanism to consider is Workload Identity Federation. Google and GitHub support using this to authenticate GitHub Actions; see Enabling keyless auth from GitHub Actions.
The setup-gcloud action by default sets env variables that point toward the credentials file. Therefore you can mount this file inside your Docker container and point the env variables towards the mounted file like this:
After I did this, the gcloud CLI automatically detected the creds file and I could make authenticated calls. Hope this helps!
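The snippet the answer above refers to is not on this page, so here is an added example (my own, not the answerer's code or anything from google-github-actions) of what the mount looks like as a shell step in the workflow. It assumes the earlier google-github-actions/auth step exported GOOGLE_APPLICATION_CREDENTIALS on the runner, which it does by default with credentials_json, and that gsutil inside the image honours either that variable or CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE (gsutil bundled with the Cloud SDK reads gcloud's credentials, so both are set). The function name, the /creds/key.json mount path and the DRY_RUN switch are mine. Note that `gcloud auth configure-docker` only lets the runner's Docker daemon pull and push against gcr.io; it gives a running container no credentials at all, which is why the file has to be mounted (or passed in some other way) explicitly.

```shell
#!/bin/sh
# Added example: run CMD inside IMAGE with the runner's GCP credentials file
# mounted read-only and the env vars pointed at the mounted path.
# Assumes GOOGLE_APPLICATION_CREDENTIALS was exported by the auth step.
set -eu

# run_with_gcp_creds IMAGE CMD...
# With DRY_RUN=1 the docker command line is printed instead of executed,
# so the argument handling can be checked without a Docker daemon.
run_with_gcp_creds() {
  image=$1
  shift

  creds=${GOOGLE_APPLICATION_CREDENTIALS:-}
  if [ -z "$creds" ]; then
    echo "GOOGLE_APPLICATION_CREDENTIALS is not set; did the auth step run?" >&2
    return 2
  fi
  if [ ! -r "$creds" ]; then
    echo "credentials file is not readable: $creds" >&2
    return 2
  fi

  # Mount the key read-only at a fixed path inside the container instead of
  # COPYing it into the image, so it never ends up in an image layer.
  mounted=/creds/key.json

  # Rebuild "$@" as the full docker command so it can be either printed or
  # executed with the original argument boundaries intact (no word splitting).
  set -- docker run --rm \
    -v "${creds}:${mounted}:ro" \
    -e "GOOGLE_APPLICATION_CREDENTIALS=${mounted}" \
    -e "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${mounted}" \
    "$image" "$@"

  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Usage in the workflow step from the question (illustrative):
#   run_with_gcp_creds ltr:latest gsutil cat gs://test-bucket/test_file.txt
```

Two things worth keeping even if you adapt this: the `:ro` on the mount, and the fact that the key is mounted rather than copied into the image, since a key baked into a layer survives in the image for as long as it exists. The long-lived JSON key is still the weak point of this design; the first answer's Workload Identity Federation route removes the key entirely.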