
Inject Credentials file with Cloud Build
The saga continues....
In trying to get my jibbized container (yes, the same one I continue to write about) to run in Google Cloud Run, I started getting an error with my Spring Boot Stackdriver logging. I wasn't getting this error when deploying locally, so what could it be?
In this project I'm using Spring Cloud Stackdriver Logging so that I can plug right into the robust tools GCP provides out of the box for logging. When running locally I found that I have to set the GOOGLE_APPLICATION_CREDENTIALS environment variable.
In my local build this is fine: in my jib task I can set it at compile time to a local file, since jib copies everything from the src/main/jib directory into the new container.
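```groovy
jib {
    to {
        // Target image in Google Container Registry
        image = "gcr.io/${System.env.GCP_PROJECT}/{MyServiceName}"
        tags = ['{TagForImage}']
    }
    container {
        // Points the logging client at the key file that jib copies in from src/main/jib/cred
        environment = [GOOGLE_APPLICATION_CREDENTIALS: './cred/logging_service_account.json']
        ports = ['8080']
    }
}
```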
But when running in Google Cloud Build I don't have the credentials file, since I don't want to put it into my source repository. This causes an error on startup of the application:
```
java.lang.RuntimeException: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The request is missing a valid API key.
    at com.google.cloud.logging.LoggingImpl$7.onFailure(LoggingImpl.java:616)
    at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:68)
    at
```
So how can this be solved?
Well, the quick way is to
- Create a private Google Cloud Storage Bucket
- Upload the credentials file (This assumes you know how to create the logging credentials file)
- Use GSUtil to download the file and copy it into your project directory
Here is what that last step looks like in your cloudbuild.yaml file:
```yaml
steps:
  - name: 'gcr.io/cloud-builders/gsutil'
    args: ['cp', 'gs://{project-name}/{credential_file_name}.json', './src/main/jib/cred']
```
Eventually I'll switch all of this to use Google Cloud KMS and do it securely. But for now this got me down the road.
*update: I've now explained how to use GCP's KMS functionality to encrypt and decrypt a credentials file*
*One thing to note: make sure the directory you are copying into (in my case ./src/main/jib/cred) exists. The copy step will show success, but the file will not be downloaded if the directory doesn't exist.*
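
One way to keep that silent failure from reaching the image, as an added example that is not part of the original post: create the target directory first, copy to an explicit file path, and fail the build unless a service account key actually landed there. The names `COPY_CMD`, `fetch_credentials` and `verify_cred_file` are hypothetical; the default copy command is the `gsutil cp` used above.

```shell
#!/bin/sh
# Added example, not the author's build script. COPY_CMD is a hypothetical
# override hook so the logic can be exercised without gsutil.
COPY_CMD="${COPY_CMD:-gsutil cp}"

# verify_cred_file FILE
# Returns 0 if FILE looks like a service account key,
# 1 if it is missing, 2 if it is empty, 3 if it has the wrong content.
verify_cred_file() {
    f="$1"
    if [ ! -f "$f" ]; then echo "credentials file missing: $f" >&2; return 1; fi
    if [ ! -s "$f" ]; then echo "credentials file empty: $f" >&2; return 2; fi
    if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" ||
       ! grep -q '"private_key"' "$f"; then
        echo "not a service account key: $f" >&2
        return 3
    fi
    return 0
}

# fetch_credentials SRC DEST_DIR
# Creates DEST_DIR, copies SRC to DEST_DIR/<basename of SRC>, then verifies it.
# Returns 4 if the directory cannot be created, 5 if the copy command fails,
# otherwise the status of verify_cred_file.
fetch_credentials() {
    src="$1"
    dir="$2"
    dest="$dir/$(basename "$src")"
    mkdir -p "$dir" || return 4
    # An explicit file destination avoids the ambiguity of copying "into"
    # a path that may or may not be a directory.
    $COPY_CMD "$src" "$dest" || return 5
    verify_cred_file "$dest" || return $?
    return 0
}
```

In the build this would be called as `fetch_credentials 'gs://{project-name}/{credential_file_name}.json' ./src/main/jib/cred` before the jib step. Because jib copies src/main/jib into the container, the key file becomes part of the pushed image, so anyone who can pull the image can read the key.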