
colossal-quill-8119

07/20/2023, 5:21 PM
@many-telephone-49025 As you asked me to tag you on Twitter, I’m tagging you here. I’ve been trying to use Pulumi Deployments to build a Docker image, push it to GAR and then deploy a Cloud Run service. But this requires I run gcloud auth configure-docker asia-south2-docker.pkg.dev, which does run successfully. But after that pulumi crashes with the following error:
You do not currently have an active account selected. See https://cloud.google.com/sdk/docs/authorizing for more information.
I’m using Workload Identity Federation and the service account has all the permissions it should.

many-telephone-49025

07/20/2023, 5:22 PM
hey @colossal-quill-8119, do you have a way to share your code as a gist? And can you print your pulumi about? That would help to understand it better.

colossal-quill-8119

07/20/2023, 5:23 PM
Give me a min, I’ll share it.
Output from pulumi about:
CLI
Version      3.75.0
Go Version   go1.20.6
Go Compiler  gc

Plugins
NAME    VERSION
docker  4.3.0
gcp     6.56.0
nodejs  unknown

Host
OS       darwin
Version  13.4.1
Arch     arm64

This project is written in nodejs: executable='/Users/debkanchan/.nvm/versions/node/v18.12.1/bin/node' version='v18.12.1'

Backend
Name           pulumi.com
URL            https://app.pulumi.com/DebkanchanSamadder
User           DebkanchanSamadder
Organizations  DebkanchanSamadder, ride

Dependencies:
NAME            VERSION
@types/node     16.18.32
@pulumi/docker  4.3.0
@pulumi/gcp     6.56.0
@pulumi/pulumi  3.68.0

Pulumi locates its logs in /var/folders/7d/cln6swv17mq5fmjkpd6z6hnr0000gn/T/ by default
warning: Failed to get information about the current stack: No current stack

salmon-account-74572

07/20/2023, 5:37 PM
We recently had to make some changes to some of our GCP container templates to accommodate the switch from GCR to GAR. As part of that, I had to spend a fair amount of time in Docker authentication. If you are using the docker-credential-gcloud credential helper (the default), then you need to make sure you run gcloud auth login before running a Pulumi operation. If you are using the docker-credential-gcr credential helper, then you need to run gcloud auth application-default login before running a Pulumi operation. This isn’t something that we can work around in Pulumi code, AFAIK.
I’ll go back and double-check some of my notes and add more information here as needed. But I would suggest you make sure you’ve run both gcloud auth login and gcloud auth application-default login.

billowy-army-68599

07/20/2023, 5:40 PM
there is a previous convo here about this: https://pulumi-community.slack.com/archives/CRFUR2DGB/p1689342329458449 Looks like using Deployments with OIDC complicates this a little.

colossal-quill-8119

07/20/2023, 5:43 PM
@salmon-account-74572 running both gcloud auth login and gcloud auth application-default login as a pre-run command emits a browser link to log in.

salmon-account-74572

07/20/2023, 5:45 PM
Yes, it will do that. I don’t know of any other way around getting appropriate credentials for Docker to auth properly against GAR. However, I have a couple of contacts at Google, let me try contacting them to see if they can offer any insight.

colossal-quill-8119

07/20/2023, 5:46 PM
Thank you. Please keep me updated; this is really important for us.

salmon-account-74572

07/20/2023, 5:48 PM
You got it---I just reached out to one of my contacts and will let you know as soon as I hear back.

colossal-quill-8119

07/20/2023, 5:49 PM
Thanks

salmon-account-74572

07/20/2023, 8:19 PM
This isn’t an answer to your question, but I wanted to point out that we have a #pulumi-deployments channel here that you might find helpful. Still waiting to hear back from my Google contact.

colossal-quill-8119

07/25/2023, 7:22 AM
@salmon-account-74572 any updates from google?

salmon-account-74572

07/25/2023, 3:20 PM
Unfortunately, my contact at Google wasn’t able to offer anything different than what we’ve already suggested. Are you a customer (i.e., do you pay for Pulumi Cloud)? If so, then I’d suggest opening a support ticket. If not, that’s OK; I’m going to keep digging on this.

colossal-quill-8119

07/25/2023, 4:21 PM
Unfortunately I’m not on an enterprise plan. I am on the team plan but was unable to file a ticket.

salmon-account-74572

07/26/2023, 3:31 PM
@colossal-quill-8119 There is a thread going internally on your problem, and we’ve opened an issue in our Pulumi Cloud repo to look into how our OIDC integration works (so that we can better support gcloud being able to find credentials where it expects credentials). One question you had in the other thread was in regard to running gcloud auth activate-service-account. One of our engineers had this suggestion:
1. Set the contents of key-file as a secret environment variable in the Deployment configuration
2. Have a pre-run command that echoes the environment variable into a file on disk
3. Run the gcloud auth activate-service-account command referencing the file that was written to disk
Would you mind trying that and seeing if it helps the situation at all? Thanks!

colossal-quill-8119

07/26/2023, 3:36 PM
I can try that, but I won’t be able to revert back with the results before Friday. Is that ok?

salmon-account-74572

07/26/2023, 3:45 PM
No worries, I just want to try to get you unstuck. Give it a try and let me know (when you’re able) how it turns out.

bland-dog-47600

07/27/2023, 9:00 PM
Hi folks! I had the same issue and Scott’s advice is spot on. I added a pre-run command and successfully built an image. Thanks! 🙏🏻

salmon-account-74572

07/27/2023, 9:25 PM
Awesome, thanks for confirming it works and for sharing your experience @bland-dog-47600!
@colossal-quill-8119 Let me know (when you have time) if you see the same success.

colossal-quill-8119

07/29/2023, 10:36 AM
I tried it and it builds and pushes successfully. But there’s now a new issue regarding using that image to deploy a Cloud Run revision. I’m getting the following error:
gcp:cloudrun:Service (service): 
     error: 1 error occurred: 
     	* updating urn:pulumi:dev::api-gateway::gcp:cloudrun/service:Service::service: 1 error occurred: 
     	* Error updating Service "locations/asia-east1/namespaces/ride-app-dev-2/services/api-gateway": Put "https://asia-east1-run.googleapis.com/apis/serving.knative.dev/v1/namespaces/ride-app-dev-2/services/api-gateway?alt=json": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/cloud-run-service-manager@ride-app-dev-2.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}

bland-dog-47600

07/29/2023, 5:41 PM
@colossal-quill-8119 I had a similar problem. https://pulumi-community.slack.com/archives/C048NVDH6DV/p1690173567200419?thread_ts=1690170041.730299&cid=C048NVDH6DV The audience must be your organisation name as in Pulumi.

colossal-quill-8119

07/29/2023, 7:08 PM
@bland-dog-47600 how do I do that? What’s the assertion I need to make? I already have my org name as an allowed audience.

bland-dog-47600

07/29/2023, 7:31 PM
You don’t have to specify assertions.

colossal-quill-8119

07/29/2023, 7:35 PM
so I have my org already enabled as an allowed audience.
@salmon-account-74572 It works perfectly now! Although it’s still a workaround. Looking forward to direct Docker auth support through OIDC.

salmon-account-74572

07/31/2023, 2:27 PM
@colossal-quill-8119 Glad it’s working! As you mentioned, though, the ultimate “fix” belongs to Docker. Our OIDC support enables us to create resources, but it’s the Docker-Artifact Registry auth that was tripping things up.