
orange-tailor-85423

03/22/2019, 7:01 PM
Anybody run into this issue with GCP service account credentials?

important-leather-28796

03/22/2019, 7:18 PM
I cannot see what is going on there, but I can tell you that I created a script for local use in switching clusters that will obtain the extra access token that I use for getting to the kubernetes dashboard. This script bridges some pulumi stack outputs with the local gcloud config and kube config: https://gist.github.com/rosskevin/211eb1facd94cbd65b53d0df80778a45
^^^ is for dev purposes only, not for use in ci etc

white-balloon-205

03/22/2019, 7:20 PM
Hrm - that's unfortunate design from GCP there:
Because the formatting differs between each method, it's easiest to generate a key using the same method you plan to use when making future API calls. For example, if you're using gcloud, also generate your key using gcloud. To use a key for one method that's been generated using a different method (such as using a REST-generated key with gcloud), you'll need to edit the key to match the appropriate format.
You can of course shell out to the CLI as part of a DynamicProvider if really needed. It may actually be easier to post-process the data programmatically to turn it into the other format. (the description above makes it seem like all the required data is there - it's just in the wrong format).

important-leather-28796

03/26/2019, 8:34 PM
@orange-tailor-85423 I just ran into this - my ruby code in-cluster trying to utilize a service account and receiving "Unable to read the credential file specified by GOOGLE_APPLICATION_CREDENTIALS: the json is missing the 'type' field". Seems to be the same thing, I verified the json in-cluster looks like the one you referenced: https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-rest. Did you end up modifying this with code? It’s feasible for me since I have to turn around and store it as a k8s secret. Got any code that works to convert it?
I’ll work on a bit of ts code

orange-tailor-85423

03/26/2019, 8:44 PM
Yes, I got it worked out

important-leather-28796

03/26/2019, 8:44 PM
did you code a converter or something else?

orange-tailor-85423

03/26/2019, 8:45 PM
so it turns out that the creds you get from the REST API contain the creds in the format that an application wants
it’s just the private key field in the JSON
import * as gcp from '@pulumi/gcp';
import * as pulumi from '@pulumi/pulumi';

/**
 * Create a Key for an IAM Service account
 *
 * @export
 * @param {string} name Name of the pulumi resource to create
 * @param {gcp.serviceAccount.Account} serviceAccountId IAM Service Account to create the key for.
 * @returns
 */
export function createKey(
    name: string,
    serviceAccountId: gcp.serviceAccount.Account
) {
    return new gcp.serviceAccount.Key(`${name}-key`, {
        serviceAccountId: serviceAccountId.name
    });
}

/**
 * Create a secret from an account key
 *
 * @export
 * @param {gcp.serviceAccount.Key} key The service account key to create a secret from.
 * @returns {pulumi.Output<string>}
 */
export function getPrivateKey(
    key: gcp.serviceAccount.Key
): pulumi.Output<string> {
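    // privateKey is base64-encoded; once decoded it is the credentials JSON
    // that an application expects, so decode and parse it.
    return key.privateKey.apply(k =>
        JSON.parse(Buffer.from(k, 'base64').toString('ascii'))
    ) as pulumi.Output<string>;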
}

important-leather-28796

03/26/2019, 8:46 PM
ah, ok thanks

orange-tailor-85423

03/26/2019, 8:47 PM
see above - so I output that secret from our “IAM” stack for consumption by another stack or human or put in a bucket etc

important-leather-28796

03/26/2019, 8:48 PM
lol, I already had that in my Identity component, I was just using the wrong one.

orange-tailor-85423

03/26/2019, 8:48 PM
you did - that’s where I got it from - LOL
the circle is complete
🙂