Authenticate Google Cloud service account on docker image

I'm finding different behavior from within and outside of a docker image for authenticating a google service account.

Outside. Succeeds.

C:\Users\Ben\AppData\Local\Google\Cloud SDK>gcloud auth activate-service-account [email protected] --key-file C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
Activated service account credentials for: [[email protected]]

Run docker container, pass the .json key to tmp directory.

C:\Users\Ben\AppData\Local\Google\Cloud SDK>docker run -it -v C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json:/tmp/MeerkatReader-d77c0d6aa04f.json  --rm -p "127.0.0.1:8080:8080" --entrypoint=/bin/bash  gcr.io/cloud-datalab/datalab:local-20161227

From within docker, confirm the file is there

root@4a4a9314f15c:/tmp# ls
MeerkatReader-d77c0d6aa04f.json  npm-24-b7aa1bcf  npm-45-fd13ef7c  npm-7-22ec336e

Run the same command as before. Fails.

root@4a4a9314f15c:/tmp# gcloud auth activate-service-account [email protected] --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.

What might cause this error? More broadly, what is the suggested strategy for passing credentials? I've tried this and it fails as well. I'm using the cloudml API and cloud vision, and I'd like to avoid a manual gcloud init at the beginning of every run.

EDIT: To show gcloud info

root@7ff49b26484f:/# gcloud info --run-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic (1/1 checks) passed.

confirmed same behavior

root@7ff49b26484f:/tmp# gcloud auth activate-service-account [email protected] --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
Persona answered 12/1, 2017 at 5:34 Comment(6)
This error is produced when gcloud tries to get an access token. Do you have network connectivity and/or a proxy setup from the container? Can you run gcloud info --run-diagnostics?Camelopardus
Edited to add gcloud info. Is there something I need to add to docker run to allow access (to a given port?).Persona
Also running into this issue, looks like a web login needs to be run at least once: "You only need to run the command once per local user environment."Sealer
Thanks @CoreyRowell, but that really hurts non-interactive runs. What if you want to push to Compute Engine? How do you pass credentials?Persona
@Persona I can attach to the container docker run -i -t <container-id> /bin/bash and the web login and key-file auth both work, just not as you said in non-interactive runs.Sealer
Verified it works after I restarted Docker for Mac.Dander

Have you attempted to put the credential in the image from the beginning? Is that a similar outcome?

On the other hand, have you tried using --key-file /tmp/MeerkatReader-d77c0d6aa04f.json, since it appears you're putting the json file in /tmp?

You might also consider checking the network configuration inside the container and with docker from the outside.

Emulsifier answered 3/2, 2017 at 19:49 Comment(0)

This is probably due to a clock skew of the docker VM. I debugged the activate-service-account function of the google SDK and got the following error message:

There was a problem refreshing your current auth tokens: invalid_grant:  
Invalid JWT: Token must be a short-lived token and in a reasonable timeframe
Please run:
$ gcloud auth login

to obtain new credentials, or if you have already logged in with a different account:

$ gcloud config set account ACCOUNT

to select an already authenticated account to use.

After rebooting the VM, it worked like a charm.

Coterie answered 12/2, 2017 at 20:29 Comment(3)
Same issue here - clock was a few minutes ahead!Cockrell
Checked date in docker, was wrong, restarted docker VM and is fixed. ThanksLocality
Invalid JWT token is generally related to clock drift in Docker, which might be related to this issue: github.com/docker/for-mac/issues/2076Baggs
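To see why a drifted container clock produces exactly this message, it helps to look at what gcloud sends: a signed JWT assertion whose iat and exp claims are stamped from the local clock, which the token endpoint judges against its own clock. The Python below is an added example, not code from the answer or from the Cloud SDK; it builds those claims, applies the server-side timeframe test, and reports whether a container whose clock is ahead or behind would be accepted. The lifetime cap and skew tolerance are assumptions chosen to illustrate the check, not Google's published limits, and every timestamp is constructed.

```python
"""Why a wrong container clock yields
"Invalid JWT: Token must be a short-lived token and in a reasonable timeframe".

Added example (not from the answer or the Cloud SDK). The limits below are
assumed values for illustration, not Google's documented tolerances.
"""
import base64
import json
from typing import Dict, Tuple

ASSUMED_MAX_LIFETIME = 3600   # assumed: longest accepted exp - iat, in seconds
ASSUMED_SKEW_TOLERANCE = 60   # assumed: how far into the future iat may sit

TOKEN_URI = "https://oauth2.googleapis.com/token"


def build_assertion_claims(client_email: str, local_now: int,
                           lifetime: int = 3600) -> Dict[str, object]:
    """Claims of a service-account JWT assertion, stamped from the *local* clock."""
    return {
        "iss": client_email,
        "sub": client_email,
        "aud": TOKEN_URI,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "iat": local_now,
        "exp": local_now + lifetime,
    }


def encode_unsigned(claims: Dict[str, object]) -> str:
    """header.payload. as it would appear before signing (signature omitted)."""
    def b64(obj: object) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims) + "."


def decode_payload(jwt: str) -> Dict[str, object]:
    """Read the claims of an assertion (no signature check) to inspect iat/exp."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_timeframe(claims: Dict[str, object], server_now: int,
                    max_lifetime: int = ASSUMED_MAX_LIFETIME,
                    skew: int = ASSUMED_SKEW_TOLERANCE) -> Tuple[bool, str]:
    """Server-side view: accept only a short-lived token issued around 'now'."""
    iat, exp = int(claims["iat"]), int(claims["exp"])
    if exp <= iat:
        return False, "exp is not after iat"
    if exp - iat > max_lifetime:
        return False, f"lifetime {exp - iat}s exceeds {max_lifetime}s"
    if iat > server_now + skew:
        return False, f"iat is {iat - server_now}s in the future (client clock ahead?)"
    if exp < server_now - skew:
        return False, f"token expired {server_now - exp}s ago (client clock behind?)"
    return True, "ok"


def diagnose(client_email: str, container_now: int, server_now: int) -> str:
    """Explain whether a container whose clock reads `container_now` is accepted."""
    claims = build_assertion_claims(client_email, container_now)
    ok, reason = check_timeframe(claims, server_now)
    drift = container_now - server_now
    return f"{'accepted' if ok else 'rejected'} ({reason}); container clock drift {drift:+d}s"


if __name__ == "__main__":
    # Constructed scenario: the Docker VM clock is five minutes ahead of reality.
    server = 1_700_000_000
    print(diagnose("[email protected]", server + 300, server))
    print(diagnose("[email protected]", server, server))   # after fixing the clock
```

A practical check inside the container is to compare `date -u` with a trusted source (the host, or the Date header of any HTTPS response); a difference of more than the tolerance reproduces the "rejected" branch above, and restarting the VM, as the answer did, resynchronises the guest clock.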

In my case, I was using a workload identity provider, and I made a little mistake: I set the workload provider with the full name of the pool.

How it should be: /projects/${project-number}/locations/global/workloadIdentityPools/my-pool/providers/${id-provider}

And I also added the following command before my docker push, because it was required:

gcloud config set account ${{GCP_SERVICE_ACCOUNT}}

In addition, according to the docs https://github.com/google-github-actions/auth#usage, my service account was missing the required roles:

  • roles/iam.serviceAccountTokenCreator
  • roles/iam.workloadIdentityUser

Edit: You may also need to grant access for your service account to your Workload Identity Pool; you can do it by command or interface:

gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
    --role=roles/iam.workloadIdentityUser \
    --member="MEMBER_ID"

Docs: https://cloud.google.com/iam/docs/using-workload-identity-federation#gcloud

Outspeak answered 16/1, 2023 at 14:42 Comment(0)
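The mistake in this answer (passing the pool's full resource name where the provider's is expected) is easy to catch mechanically, because the two names differ only by the trailing /providers/ID segment. The Python below is an added example, not code from the answer or from google-github-actions/auth: it parses a workload identity resource name, tells a pool apart from a provider, and builds the principalSet:// member string used for the roles/iam.workloadIdentityUser binding (the MEMBER_ID placeholder in the answer's gcloud command). The project number, pool, provider and repository values are constructed, and the member format follows the form documented for GitHub Actions as I understand it; check it against the linked docs for your own identity provider.

```python
"""Check a workload identity provider setting and build the IAM member string.

Added example (not from the answer or google-github-actions/auth). All names
below are constructed placeholders.
"""
import re
from typing import Dict, Optional, Tuple

_BASE = (r"^/?projects/(?P<project_number>\d+)/locations/global/"
         r"workloadIdentityPools/(?P<pool>[a-z0-9-]+)")
POOL_RE = re.compile(_BASE + r"$")
PROVIDER_RE = re.compile(_BASE + r"/providers/(?P<provider>[a-z0-9-]+)$")


def parse_resource(name: str) -> Optional[Dict[str, str]]:
    """Split a pool or provider resource name into its parts; None if unrecognised."""
    for kind, pattern in (("provider", PROVIDER_RE), ("pool", POOL_RE)):
        match = pattern.match(name.strip())
        if match:
            return {"kind": kind, **match.groupdict()}
    return None


def check_provider_setting(value: str) -> Tuple[bool, str]:
    """Validate what goes into workload_identity_provider; explain any mismatch."""
    parsed = parse_resource(value)
    if parsed is None:
        return False, ("not a workload identity resource name; expected "
                       "projects/NUMBER/locations/global/workloadIdentityPools/POOL/providers/ID")
    if parsed["kind"] == "pool":
        return False, (f"this is the full name of pool '{parsed['pool']}'; "
                       "append /providers/<provider-id> to name the provider")
    return True, f"provider '{parsed['provider']}' in pool '{parsed['pool']}'"


def workload_identity_member(project_number: str, pool: str,
                             attribute: str, value: str) -> str:
    """Member for the roles/iam.workloadIdentityUser binding (principalSet form).

    Assumed format, as documented for GitHub Actions federation:
    principalSet://iam.googleapis.com/projects/N/locations/global/
        workloadIdentityPools/POOL/attribute.ATTRIBUTE/VALUE
    """
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool}/attribute.{attribute}/{value}")


if __name__ == "__main__":
    # Constructed values; the first setting reproduces the answer's mistake.
    pool_name = "projects/123456789012/locations/global/workloadIdentityPools/my-pool"
    for candidate in (pool_name, pool_name + "/providers/my-provider"):
        print(candidate, "->", check_provider_setting(candidate))
    print(workload_identity_member("123456789012", "my-pool",
                                   "repository", "example-org/example-repo"))
```

The member string is what replaces MEMBER_ID in the gcloud iam service-accounts add-iam-policy-binding command above; restricting it to a specific attribute value (here one repository) rather than the whole pool keeps the binding as narrow as the federation allows.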
