Authenticating standalone gsutil in containers in Cloud ML Engine on Kubernetes with Workload Identity - McMap

About

Authenticating standalone gsutil in containers in Cloud ML Engine on Kubernetes with Workload Identity

Asked 23/4, 2020 at 10:35 Answered 24/4, 2020 at 19:7

Solved kubernetes google-cloud-ml gsutil google-cloud-ai

N

1

6

I'm launching container images on Google Cloud AI Training (Cloud ML Engine)

Inside those containers I need to use gsutil. Some containers have gsutil. In that case I can use it right away without any authentication steps.

Some containers do not have gsutil, so I have to install it. The problem is that the installed gsutil does not work.

When I'm using the official cloud-sdk image, gsutil works without any auth steps.

When I use the python:3.7 image and install gsutil from PyPI it does not work:

python -m pip install gsutil --quiet
gsutil cp a gs://b/c

ServiceException: 401 Anonymous caller does not have storage.objects.get access to ...

How can I make it so that the standalone gsutil obtains the needed credentials?

Most guides focus on manually calling gcloud auth, copying URL and copying back the token. This is not the solution that I seek (which should be automated). I know that the automated solution is possible since in some images gsutil works out of the box.

Nacelle answered 23/4, 2020 at 10:35 Comment(1)

Can you try this: github.com/GoogleCloudPlatform/ai-platform-samples/blob/master/… – Perfumery 24/4, 2020 at 4:40

D

10

This is because that pip install gsutil alone does not configure the credentials, which is why it's anonymous user as the error says. You'll want to configure credentials to access protected data.

Put following line in your docker file and it should work:

RUN echo '[GoogleCompute]\nservice_account = default' > /etc/boto.cfg

It's to configure gsutil to use the default service account.

Dimitri answered 24/4, 2020 at 19:7 Comment(5)

Fantastic answer! This in fact allows gsutil to use the service account in other GCP instances, such as Compute Engine's Container-Optimised OS. Using your answer I created a lighteight wrapper image for gsutil intended for GCP instances, check it out on GitHub. I wonder, where did you read about this solution? Can't find anything in the docs. Massive thanks either way! – Antin 29/10, 2020 at 5:23

this worked for me partially, let me explain i have two projects, first one worked with solution provided, but second one no, for each one i have a service account, this also can work: RUN echo '[GoogleCompute]\nservice_account = [email protected]' > /etc/boto.cfg you can change "default" for the name of your service account name. – Ine 15/7, 2021 at 4:10

Do you happen to know how to achieve the same thing for local user credentials. Where did you find information about this? – Dielle 28/3, 2022 at 19:22

Also interested about user credentials.. – Leventis 16/9, 2022 at 18:2

Turns out \n wasn't creating the new line with the original command. This one with $ interpolation worked RUN echo $'[GoogleCompute]\nservice_account = default' > /etc/boto.cfg – Permenter 30/3, 2023 at 9:59

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.