How to authenticate google cloud SDK on a docker Ubuntu image?

2

32

I am a bit confused about how I can authenticate the gcloud sdk on a docker container. Right now, my docker file includes the following:

#Install the google SDK
RUN curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
RUN mkdir -p /usr/local/gcloud
RUN tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz
RUN /usr/local/gcloud/google-cloud-sdk/install.sh
RUN /usr/local/gcloud/google-cloud-sdk/bin/gcloud init

However, I am confused how I would authenticate? When I run gcloud auth application-default login on my machine, it opens a new tab in chrome which prompts me to login. How would I input my credentials on the docker container if it opens a new tab in google chrome in the container?

Multiplicand answered 3/8, 2017 at 0:15 Comment(0)
F
27

You might consider using deb packages when setting up your docker container as it is done on docker hub.

That said, you should NOT run gcloud init or gcloud auth application-default login or gcloud auth login... those are interactive commands which launch a browser. To provide credentials to the container, supply it with a service account key file.

You can download one from the cloud console: https://console.cloud.google.com/iam-admin/serviceaccounts/project?project=YOUR_PROJECT or create it with the gcloud command

gcloud iam service-accounts keys create

see reference guide.

Either way once you have the key file ADD it to your container and run

gcloud auth activate-service-account --key-file=MY_KEY_FILE.json

You should be now set, but if you want to use it as Application Default Credentials (ADC), that is in the context of other libraries and tools, you need to set the following environment variable to point to the key file:

export GOOGLE_APPLICATION_CREDENTIALS=/the/path/to/MY_KEY_FILE.json

One thing to point out here is that the gcloud tool does not use ADC, so later if you change your account to something else, for example via

gcloud config set core/account [email protected]

other tools and libraries will continue using the old account via the ADC key file, but gcloud will now use a different account.

Foulard answered 5/8, 2017 at 13:5 Comment(6)
The command has changed to gcloud auth activate-service-account --key-file=MY_KEY_FILE.json - Sodden
Isn't a good practice to add JSON credentials to a container? I think Google does not approve that practice. Be careful with this... - Antoneantonella
@LuisParada what other option remains if you can't add JSON credentials to a container? - Terrill
@LuisParada I believe the concern is with baking the credentials into the image. - Centrist
I would say the below answer is the correct one - Gazelle
Another option is workload identity federation. Won't need to create a key - Scrap
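
An added example, not part of the answer or comments above: a container entrypoint that takes the key from a read-only bind mount at run time instead of an ADD at build time (the concern raised in the comments about baking credentials into the image), checks that the file is a service account key, then runs the answer's activate-service-account command and points GOOGLE_APPLICATION_CREDENTIALS at the same file. The mount path /run/secrets/gcp-key.json and the function names are assumptions.

```sh
#!/bin/sh
# entrypoint.sh (added example). The key is bind-mounted read-only at run time, e.g.
#   docker run -v "$PWD/MY_KEY_FILE.json:/run/secrets/gcp-key.json:ro" IMAGE CMD...
# /run/secrets/gcp-key.json and all function names here are assumptions.
KEY_FILE="${GOOGLE_APPLICATION_CREDENTIALS:-/run/secrets/gcp-key.json}"

# Print the client_email field of a service account key file.
key_account() {
    sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 only if $1 is a readable service account key that names an account.
check_key_file() {
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "key file missing or unreadable: $1 (was it mounted?)" >&2
        return 1
    fi
    if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1"; then
        echo "not a service account key: $1" >&2
        return 1
    fi
    if [ -z "$(key_account "$1")" ]; then
        echo "key file has no client_email: $1" >&2
        return 1
    fi
}

# Activate the key for gcloud and point ADC at the same file, so gcloud and
# client libraries start out on the same account.
activate_key() {
    check_key_file "$1" || return 1
    gcloud auth activate-service-account --key-file="$1" || return 1
    GOOGLE_APPLICATION_CREDENTIALS="$1"
    export GOOGLE_APPLICATION_CREDENTIALS
    echo "activated $(key_account "$1")" >&2
}

# Act only when invoked with a command to run (the container's CMD).
if [ "$#" -gt 0 ]; then
    activate_key "$KEY_FILE" || exit 1
    exec "$@"
fi
```

With this as the image's ENTRYPOINT, the key never enters an image layer, and the container refuses to start its command when the mount is missing or holds the wrong kind of credential.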
B
27

You can map your local Google SDK credentials into the image. [Source].

Begin by signing in using:

$ gcloud auth application-default login

Then add the following to your docker-compose.yaml:

volumes:
  - ~/.config/gcloud:/root/.config/gcloud
Babbler answered 12/6, 2018 at 21:33 Comment(1)
If you don't want to share the entire .config directory, ~/.config/gcloud:/root/.config/gcloud should also work. - Doroteya
