https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# general
s
This message was deleted.
i
I cannot see what is going on there, but I can tell you that I created a script for local use in switching clusters that will obtain the extra access token that I use for getting to the kubernetes dashboard. This script bridges some pulumi stack outputs with the local gcloud config and kube config: https://gist.github.com/rosskevin/211eb1facd94cbd65b53d0df80778a45
^^^ is for dev purposes only, not for use in ci etc
w
Hrm - that's unfortunate design from GCP there:
Because the formatting differs between each method, it's easiest to generate a key using the same method you plan to use when making future API calls. For example, if you're using gcloud, also generate your key using gcloud. To use a key for one method that's been generated using a different method (such as using a REST-generated key with gcloud), you'll need to edit the key to match the appropriate format.
You can of course shell out to the CLI as part of a DyanmicProvider if really needed. It may actually be easier to post-process the data programmatically to turn it into the other format. (the description above makes it seem like all the required data is there - it's just in the wrong format).
i
@orange-tailor-85423 I just ran into this - my ruby code in-cluster trying to utilize a service account and receiving 
Unable to read the credential file specified by GOOGLE_APPLICATION_CREDENTIALS: the json is missing the 'type' field
. Seems to be the same thing, I verified the json in-cluster looks like the one you referenced https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-rest did you end up modifying this with code? It’s feasible for me since I have to turn around and store it as a k8s secret. Got any code that works to convert it?
I’ll work on a bit of ts code
o
Yes, I got it worked out
i
did you code a converter or something else?
o
so it turns out that the creds you get from the REST API contain the creds in the format that an application wants
it’s just the private key field in the JSON
Copy code
/**
 * Create a Key for aan IAM Service account
 *
 * @export
 * @param {string} name Name of the pulumi resource to create
 * @param {gcp.serviceAccount.Account} serviceAccountId IAM Service Account to create the key for.
 * @returns
 */
export function createKey(
    name: string,
    serviceAccountId: gcp.serviceAccount.Account
) {
    return new gcp.serviceAccount.Key(`${name}-key`, {
        serviceAccountId: serviceAccountId.name
    });
}

/**
 * Create a secret from an account key
 *
 * @export
 * @param {gcp.serviceAccount.Key} key The service account key to create a secret from.
 * @returns {pulumi.Output<string>}
 */
export function getPrivateKey(
    key: gcp.serviceAccount.Key
): pulumi.Output<string> {
    return key.privateKey.apply(k =>
        JSON.parse(Buffer.from(k, 'base64').toString('ascii'))
    ) as pulumi.Output<string>;
}
i
ah, ok thanks
o
see above - so I output that secret from our “IAM” stack for consumption by another stack or human or put in a bucket etc
i
lol, I already had that in my 
Identity
component, I was just using the wrong one.
o
you did - that’s where I got it from - LOL
the circle is complete
😂 1
🙂
11 Views
Open in Slack
PreviousNext
Powered by