当前位置: 文江博客话题详情

可以在docker中对gcloud进行验证

发布于 2025-02-12 17:39:29 字数 1718 浏览 0 评论 0原文

我正在github操作中运行一个工作流,该操作构建了docker映像,然后在容器内运行一些gsutil命令。

我在身份验证方面有问题,gsutil命令需要在GCP上访问我的存储桶,并且我遇到了错误:

Run docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt"
ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
Error: Process completed with exit code 1.

我无法提供完全可重复的代码,因为它需要在Github的秘密中保存GCP项目和服务帐户凭据,但这是我可以共享的最多:

github操作工作流程定义:

name: test

on: push

jobs:

  test-gsutil-command:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v0
        with:
          credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
      - name: Register gcloud as a Docker credential helper
        run: gcloud auth configure-docker
      - name: build
        run: docker build ltr:latest .
      - name: Run gcloud command in docker
        run: docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt" # this line is giving me the above error

dockerfile

FROM gcr.io/deeplearning-platform-release/tf-gpu.2-8
RUN mkdir -p /ltr
COPY requirements /ltr/requirements
COPY Makefile /ltr
COPY setup.py /ltr

WORKDIR /ltr

RUN python -m pip --no-cache-dir install -r requirements/base.txt

另一个重要的事情是,我确定我正在使用的服务帐户可以访问我想从 - i可以在本地运行GSUTIL命令。

您能告诉我我需要做什么,除了gcloud auth configure-docker在工作流程中,能够在docker容器中运行该gsutil命令吗?

原文

I am running a workflow in Github Actions that builds a docker image and then runs some gsutil commands inside a container.

I have problems with authentication, gsutil commands need access to my buckets on GCP and I'm getting errors:

Run docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt"
ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
Error: Process completed with exit code 1.

I can't provide a completely reproducible code as it would demand having GCP project and service account credentials saved in github's secrets, but this is the most that I can share:

Github Actions workflow definition:

name: test

on: push

jobs:

  test-gsutil-command:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v0
        with:
          credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v0
      - name: Register gcloud as a Docker credential helper
        run: gcloud auth configure-docker
      - name: build
        run: docker build ltr:latest .
      - name: Run gcloud command in docker
        run: docker run ltr:latest /bin/sh -c "gsutil cat gs://test-bucket/test_file.txt" # this line is giving me the above error

Dockerfile

FROM gcr.io/deeplearning-platform-release/tf-gpu.2-8
RUN mkdir -p /ltr
COPY requirements /ltr/requirements
COPY Makefile /ltr
COPY setup.py /ltr

WORKDIR /ltr

RUN python -m pip --no-cache-dir install -r requirements/base.txt

Another important thing is that I am sure that the service account I'm using has access to the bucket that I want to read a file from - I can run that gsutil command locally.

Could you tell me what do I need to do, besides gcloud auth configure-docker in workflow, to be able to run that gsutil command in docker container?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

再浓的妆也掩不了殇 2025-02-19 17:39:29

默认情况下,设置-GCLOUD操作设置了指向凭据文件的ENV变量。因此,您可以将此文件安装在Docker容器中,并将Env变量指向这样的固定文件:

docker run --rm 
      --volume $GITHUB_WORKSPACE:/workspace
      --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/workspace/creds.json 
      --env GOOGLE_APPLICATION_CREDENTIALS=/workspace/creds.json
      --env CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/workspace/creds.json
      --env GOOGLE_GHA_CREDS_PATH=/workspace/creds.json

这样做之后,GCLOUD CLI之后,GCLOUD CLI会自动检测到Creds Files,我可以进行认证的调用。希望这有帮助!

The setup-gcloud action by default sets env variables that point toward the credentials file. Therefore you can mount this file inside your docker container and point the env variables towards the mounted file like this:

docker run --rm 
      --volume $GITHUB_WORKSPACE:/workspace
      --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/workspace/creds.json 
      --env GOOGLE_APPLICATION_CREDENTIALS=/workspace/creds.json
      --env CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/workspace/creds.json
      --env GOOGLE_GHA_CREDS_PATH=/workspace/creds.json

After I did this, the gcloud cli automatically detected the creds file and I could make authenticated calls. Hope this helps!

回复 原文
过潦 2025-02-19 17:39:29

Google开发了促进与Google Cloud集成的GitHub动作。参见 github动作,以对Google Cloud 进行身份验证。

一个好的机制是WorkFload身份联合会。 Google | GitHub支持使用此验证github动作,请参见从github动作中启用无钥匙auth

Google has developed GitHub Actions that facilitate integration with Google Cloud. See GitHub Action for authenticating to Google Cloud.

A good mechanism to consider is Workfload Identity Federation. Google|GitHub support using this to authenticate GitHub Actions, see Enabling keyless auth from GitHub Actions

回复 原文
~没有更多了~

关于作者

猛虎独行

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

李珊平

文章 0 评论 0

Quxin

文章 0 评论 0

范无咎

文章 0 评论 0

github_ZOJ2N8YxBm

文章 0 评论 0

若言

文章 0 评论 0

南…巷孤猫

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文