Within my code, I am attempting to gather the Application Default Credentials from the associated service account in Cloud Build:
from google.auth import default
credentials, project_id = default()
This works fine in my local space because I have set the environment variable GOOGLE_APPLICATION_CREDENTIALS
appropriately. However, when this line is executed (via a test step in my build configuration) within Cloud Build, the following error is raised:
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials.
Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application.
For more information, please see https://cloud.google.com/docs/authentication/getting-started
This is confusing me because, according to the docs:
By default, Cloud Build uses a special service account to execute builds on your behalf. This service account is called the Cloud Build service account and it is created automatically when you enable the Cloud Build API in a Google Cloud project. Read Here
If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. Read Here
So why is the default call not able to access the Cloud Build service account credentials?
Edit: Please find the cloudbuild.yaml below:
steps:
- name: gcr.io/cloud-builders/docker
entrypoint: 'docker'
args:
- build
- '--no-cache'
- '-t'
- '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
- .
- '-f'
- 'Dockerfile'
- name: gcr.io/cloud-builders/docker
args:
- push
- '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
id: Push
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:slim'
args:
- run
- services
- update
- $_SERVICE_NAME
- '--platform=managed'
- '--image=$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
- >-
--labels=managed-by=gcp-cloud-build-deploy-cloud-run,commit-sha=$COMMIT_SHA,gcb-build-id=$BUILD_ID,gcb-trigger-id=$_TRIGGER_ID,$_LABELS
- '--region=$_DEPLOY_REGION'
- '--quiet'
id: Deploy
entrypoint: gcloud
images:
- '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/$_SERVICE_ACCOUNT'
logsBucket: 'gs://$_LOGS_BUCKET'
options:
substitutionOption: ALLOW_LOOSE
logging: GCS_ONLY
substitutions:
_DEPLOY_REGION:
_GCR_HOSTNAME:
_PLATFORM:
_LABELS:
_TRIGGER_ID:
_SERVICE_NAME:
_SERVICE_ACCOUNT:
_LOGS_BUCKET:
Below is the associated Dockerfile:
FROM python:3.9.7-slim
ENV PYTHONUNBUFFERED=True
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
RUN python -m unittest discover -s tests <-- this is the line that fails.
CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 --timeout 0 src.app:app
The function which gathers default credentials is detailed below:
from google.auth import default
def get_default_credentials():
credentials, _ = default()
return credentials
and finally, this is the test that fails during the build process with the error quoted above:
import unittest
from google.oauth2.service_account import Credentials
from src.auth.default_credentials import get_default_credentials
class TestDefaultCredentials(unittest.TestCase):
def test_get_default_credentials(self):
credentials = get_default_credentials()
self.assertIsInstance(credentials, Credentials)
source https://stackoverflow.com/questions/70143131/application-default-credentials-in-google-cloud-build
Comments
Post a Comment