# general
Anybody run into this issue with GCP service account credentials?
I cannot see what is going on there, but I can tell you that I created a script for local use in switching clusters that will obtain the extra access token that I use for getting to the kubernetes dashboard. This script bridges some pulumi stack outputs with the local gcloud config and kube config:
^^^ is for dev purposes only, not for use in ci etc
Hrm - that's unfortunate design from GCP there:
Because the formatting differs between each method, it's easiest to generate a key using the same method you plan to use when making future API calls. For example, if you're using gcloud, also generate your key using gcloud. To use a key for one method that's been generated using a different method (such as using a REST-generated key with gcloud), you'll need to edit the key to match the appropriate format.
You can of course shell out to the CLI as part of a DynamicProvider if really needed. It may actually be easier to post-process the data programmatically to turn it into the other format. (the description above makes it seem like all the required data is there - it's just in the wrong format).
@orange-tailor-85423 I just ran into this - my ruby code in-cluster trying to utilize a service account and receiving `Unable to read the credential file specified by GOOGLE_APPLICATION_CREDENTIALS: the json is missing the 'type' field`. Seems to be the same thing, I verified the json in-cluster looks like the one you referenced. Did you end up modifying this with code? It’s feasible for me since I have to turn around and store it as a k8s secret. Got any code that works to convert it?
I’ll work on a bit of ts code
Yes, I got it worked out
did you code a converter or something else?
so it turns out that the creds you get from the REST API contain the creds in the format that an application wants
it’s just the private key field in the JSON
```typescript
import * as gcp from '@pulumi/gcp';
import * as pulumi from '@pulumi/pulumi';

/**
 * Create a Key for an IAM Service account
 * @export
 * @param {string} name Name of the pulumi resource to create
 * @param {gcp.serviceAccount.Account} serviceAccountId IAM Service Account to create the key for.
 * @returns
 */
export function createKey(
    name: string,
    serviceAccountId: gcp.serviceAccount.Account
) {
    return new gcp.serviceAccount.Key(`${name}-key`, {
        // The rest of this call was cut off in the original message; serviceAccountId
        // is the one argument the Key resource requires.
        serviceAccountId: serviceAccountId.name,
    });
}

/**
 * Create a secret from an account key
 * @export
 * @param {gcp.serviceAccount.Key} key The service account key to create a secret from.
 * @returns {pulumi.Output<string>}
 */
export function getPrivateKey(
    key: gcp.serviceAccount.Key
): pulumi.Output<string> {
    // privateKey is the base64-encoded JSON credentials file; decode and parse it.
    return key.privateKey.apply(k =>
        JSON.parse(Buffer.from(k, 'base64').toString('ascii'))
    ) as pulumi.Output<string>;
}
```
ah, ok thanks
see above - so I output that secret from our “IAM” stack for consumption by another stack or human or put in a bucket etc
lol, I already had that in my
component, I was just using the wrong one.
you did - that’s where I got it from - LOL
the circle is complete