
I am running a workflow in Github Actions that builds a docker image and then runs some gsutil commands inside a container.

I have problems with authentication, gsutil commands need access to my buckets on GCP and I’m getting errors:

Run docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt"
ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
Error: Process completed with exit code 1.

I can’t provide completely reproducible code, as it would require having a GCP project and service account credentials saved in GitHub’s secrets, but this is the most that I can share:

Github Actions workflow definition:

name: test

on: push

jobs:

  test-gsutil-command:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v0
        with:
          credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
      - name: Register gcloud as a Docker credential helper
        run: gcloud auth configure-docker
      - name: build
        run: docker build -t ltr:latest .
      - name: Run gcloud command in docker
        run: docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt" # this line is giving me the above error

Dockerfile

FROM gcr.io/deeplearning-platform-release/tf-gpu.2-8
RUN mkdir -p /ltr
COPY requirements /ltr/requirements
COPY Makefile /ltr
COPY setup.py /ltr

WORKDIR /ltr

RUN python -m pip --no-cache-dir install -r requirements/base.txt

Another important thing is that I am sure that the service account I’m using has access to the bucket that I want to read a file from – I can run that gsutil command locally.

Could you tell me what I need to do, besides gcloud auth configure-docker in the workflow, to be able to run that gsutil command in a Docker container?

2 Answers


  1. Google has developed GitHub Actions that facilitate integration with Google Cloud. See GitHub Action for authenticating to Google Cloud.

    A good mechanism to consider is Workload Identity Federation. Google|GitHub support using this to authenticate GitHub Actions, see Enabling keyless auth from GitHub Actions.

  2. The setup-gcloud action by default sets env variables that point toward the credentials file. Therefore you can mount this file inside your docker container and point the env variables towards the mounted file like this:

    docker run --rm \
          --volume $GITHUB_WORKSPACE:/workspace \
          --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/workspace/creds.json \
          --env GOOGLE_APPLICATION_CREDENTIALS=/workspace/creds.json \
          --env CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/workspace/creds.json \
          --env GOOGLE_GHA_CREDS_PATH=/workspace/creds.json \
          ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt"


    After I did this, the gcloud cli automatically detected the creds file and I could make authenticated calls. Hope this helps!

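As an added example, not part of the answer above or of the questioner's workflow, the same bind-mount approach wrapped in a POSIX shell function with a pre-flight check on the credentials file. It assumes the questioner's ltr:latest image, the GOOGLE_APPLICATION_CREDENTIALS variable that google-github-actions/auth sets on the runner, and a hypothetical DOCKER hook variable (defaulting to docker) so the function can be exercised without a Docker daemon:

```shell
#!/bin/sh
# Added example, not the answerer's code. Assumptions: $GOOGLE_APPLICATION_CREDENTIALS
# points at the JSON key file written by google-github-actions/auth, the image is
# the questioner's ltr:latest, and $DOCKER is a hypothetical hook that defaults
# to "docker" so the function can be tested without a Docker daemon.

# Run IMAGE with the host credentials file mounted read-only at a fixed path
# and the three variables the Cloud SDK looks at pointed to that path.
# Usage: run_gsutil_in_container ltr:latest gsutil cat gs://test-bucket/test_file.txt
run_gsutil_in_container() {
    image="$1"
    shift
    creds="${GOOGLE_APPLICATION_CREDENTIALS:-}"
    target="/workspace/creds.json"

    # Fail early with a clear message if the auth step did not leave a usable
    # key file behind, rather than letting docker or gsutil report a less
    # obvious error from inside the container.
    if [ -z "$creds" ] || [ ! -s "$creds" ]; then
        echo "run_gsutil_in_container: no credentials file at '$creds'" >&2
        return 1
    fi

    # The key file is mounted read-only and is never copied into the image,
    # and only its path (not its contents) is passed as an environment
    # variable, so the key does not end up in image layers or in the
    # container's `docker inspect` output.
    "${DOCKER:-docker}" run --rm \
        --mount "type=bind,source=$creds,target=$target,readonly" \
        --env "GOOGLE_APPLICATION_CREDENTIALS=$target" \
        --env "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=$target" \
        --env "GOOGLE_GHA_CREDS_PATH=$target" \
        "$image" "$@"
}
```

In the workflow this replaces the single docker run line in the "Run gcloud command in docker" step. The key stays on the runner's filesystem; the container sees it only through the read-only mount and only for the lifetime of that one command, which is what you want when the key is a long-lived service account credential.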