Inject Credentials file with Cloud Build

The saga continues....

In trying to get my jibbized container (yes, the same one I continue to write about) to run in Google Cloud Run, I started getting an error with my Spring Boot Stackdriver logging. I wasn't getting this error when deploying locally, so what could it be?

In this project I'm using Spring Cloud Stackdriver Logging so that I can plug right into the robust tools GCP provides out of the box for logging. When running locally I found that I have to set the GOOGLE_APPLICATION_CREDENTIALS environment variable.

In my local build this is fine since in my jib task I can set it at compile time to a local file since jib copies everything from the src/main/jib directory into the new container.  

jib {
    to {
        image = "gcr.io/${System.env.GCP_PROJECT}/{MyServiceName}"
        tags = ['{TagForImage}']
    }
    container {
        // src/main/jib/cred/ is copied into the image as /cred/
        environment = [GOOGLE_APPLICATION_CREDENTIALS: './cred/logging_service_account.json']
        ports = ['8080']
    }
}

But when running in Google Cloud Build I don't have the credentials file, since I don't want to put it into my source repository. This causes an error on startup of the application:

java.lang.RuntimeException: com.google.cloud.logging.LoggingException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: The request is missing a valid API key. at com.google.cloud.logging.LoggingImpl$7.onFailure(LoggingImpl.java:616) at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:68) at 

So how can this be solved?  

Well, the quick way is to

  1. Create a private Google Cloud Storage Bucket
  2. Upload the credentials file (This assumes you know how to create the logging credentials file)
  3. Use gsutil to download the file and copy it into your project directory

Here is what that last step looks like in your cloudbuild.yaml file

steps:
- name: 'gcr.io/cloud-builders/gsutil'
  args: ['cp', 'gs://{project-name}/{credential_file_name}.json', './src/main/jib/cred']

Eventually I'll switch all of this to use Google Cloud KMS and do it securely.  But for now this got me down the road.

*update:  I've now explained how to use GCP's KMS functionality to encrypt and decrypt a credentials file*

*One thing to note: make sure the directory you are copying into (in my case ./src/main/jib/cred) exists. The copy step will show success, but the file will not be downloaded if the directory doesn't exist.*
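A fuller version of the download step that guards against the missing-directory problem noted above. This is an added example, not the original cloudbuild.yaml from this post. The step ids and the explicit destination file name (chosen to match the path in the jib config) are assumptions, and the bucket and object names are the same placeholders used above.

```yaml
# Added example: fetch the logging credentials before the jib build runs.
# Cloud Build shares the working directory across steps, so a file
# written here is visible to the later build step.
steps:
# 1. Create the target directory first. The copy reports success without
#    producing the file when the directory is missing.
- name: 'gcr.io/cloud-builders/gsutil'
  id: 'make-cred-dir'          # assumed step id
  entrypoint: 'bash'
  args: ['-c', 'mkdir -p ./src/main/jib/cred']

# 2. Download the credentials file from the private bucket. Naming the
#    destination file explicitly keeps it in sync with the value of
#    GOOGLE_APPLICATION_CREDENTIALS set in the jib container block.
- name: 'gcr.io/cloud-builders/gsutil'
  id: 'fetch-credentials'      # assumed step id
  args:
  - 'cp'
  - 'gs://{project-name}/{credential_file_name}.json'
  - './src/main/jib/cred/logging_service_account.json'

# 3. Fail the build here if the file is missing or empty, instead of
#    finding out from a PERMISSION_DENIED error when the app starts.
- name: 'gcr.io/cloud-builders/gsutil'
  id: 'verify-credentials'     # assumed step id
  entrypoint: 'bash'
  args: ['-c', 'test -s ./src/main/jib/cred/logging_service_account.json']

# The jib build step follows these. Because jib copies src/main/jib into
# the image, the key file becomes part of the image contents, so the
# image is only as private as the registry that holds it.
```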
