not able to perform gcloud init inside dockerfile

Asked 25/5, 2016 at 5:11 Answered 1/6, 2016 at 11:3

Solved docker dockerfile gcloud google-kubernetes-engine gcloud-node

I have made a Dockerfile for deploying my node.js application into google container engine .It looks like as below

FROM node:0.12
COPY google-cloud-sdk /google-cloud-sdk
RUN /google-cloud-sdk/bin/gcloud init
COPY bpe /bpe
CMD cd /bpe;npm start

I should use gcloud init inside Dockerfile because my node.js application is using gcloud-node module for creating buckets in GCS . When i am using the above dockerfile and doing docker built it is failing with following errors

sudo docker build -t gcr.io/[PROJECT_ID]/test-node:v1 .

Sending build context to Docker daemon 489.3 MB
Sending build context to Docker daemon 
Step 0 : FROM node:0.12
 ---> 57ef47f6c658
Step 1 : COPY google-cloud-sdk /google-cloud-sdk
 ---> f102b82812f5
Removing intermediate container 4433b0f3627f
Step 2 : RUN /google-cloud-sdk/bin/gcloud init
 ---> Running in 21aead97cf65
Welcome! This command will take you through the configuration of gcloud.

Your current configuration has been set to: [default]

To continue, you must log in. Would you like to log in (Y/n)?  
Go to the following link in your browser:

    https://accounts.google.com/o/oauth2/auth?redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&prompt=select_account&response_type=code&client_id=32555940559.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute&access_type=offline


ERROR: There was a problem with web authentication.
ERROR: (gcloud.auth.login) invalid_grant
ERROR: (gcloud.init) Failed command: [auth login --force --brief] with exit code [1]

I done it working by hard coding the authentication key inside google-cloud-sdk source code.Please let me know the proper way to solve this issue .

Stadia answered 25/5, 2016 at 5:11 Comment(2)

You can't do that since gcloud init is a dynamic script, you can see that it is waiting for user input. My guess is that you have to perform a gcloud init outside docker, gather every file generated, and put them in your docker image. Or you could use /usr/bin/expect in order to automatically answer the scripts questions – Collinear 25/5, 2016 at 9:56

how to make docker image using the files generated?? and if i do gcloud init, what are the files generated and modified??Is any idea on this? – Stadia 25/5, 2016 at 11:19

gcloud init is a wrapper command which runs

gcloud config configurations create MY_CONFIG
gcloud config configurations activate MY_CONFIG
gcloud auth login
gcloud config set project MY_PROJECT

which allows user to choose configuration, login (via browser) and choose a project.

For your use case you probably do not want to use gcloud init, instead you should download service account key file from https://console.cloud.google.com/iam-admin/serviceaccounts/project?project=MY_PROJECT, make it accessible inside docker container and activate it via

gcloud auth activate-service-account --key-file my_service_account.json
gcloud config set project MY_PROJECT

Entitle answered 25/5, 2016 at 12:10 Comment(4)

@Entitle What are the security implications for keeping the key file inside the docker container? – Seta 27/5, 2016 at 9:12

This issue is not specific to gcloud. To mitigate it somewhat, you can mount a volume when running docker image and set CLOUDSDK_CONFIG environment variable to point to it. That way all configuration and credentials for gcloud can be externalized and even shared. You can also active service account even before starting the container. – Entitle 27/5, 2016 at 11:25

which is the bare minimum permission for the service account that allow this? (I need it only for Firebase TestLab) – Lurcher 29/3, 2017 at 8:44

It might be worth looking at the secrets directive in docker-compose, which provides a handy way to inject secrets (like this key) into containers at start time: docs.docker.com/compose/compose-file/#secrets – Bonanza 1/11, 2018 at 15:58

Better way to use gcs from container engine is give permission to cluster. For example, if you had created your VM with devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.

while creating cluster we can use following command

gcloud container clusters create catch-world \
        --num-nodes 1 \
        --machine-type n1-standard-1 \
        --scopes https://www.googleapis.com/auth/devstorage.full_control

Stadia answered 1/6, 2016 at 11:3 Comment(0)

Recommended topics

Hot tags