# pulumi-deployments
b
are the bottom of these docs helpful? or do you need more info than whats there? https://www.pulumi.com/docs/guides/oidc/gcp/
e
So my question is actually based on that part of the docs!
> The fetched credentials are published as a credential configuration in the `GOOGLE_CREDENTIALS` environment variable.
I’m unsure of what these fetched credentials actually are. Are they the path to a credentials file, are they the base64-encoded JSON credentials, or some third option?
Ideally I’d be able to use the value in that variable to authenticate with docker as per the GCP documentation: https://cloud.google.com/container-registry/docs/advanced-authentication
To clarify, I’m trying to build and push some images as a part of my pulumi program, but now that it’s running via deployments I don’t have the credentials set up in the same way that I do on our own runners.
b
@microscopic-florist-22719 can you help with this?
e
Just to follow up: I was able to use the OIDC token to request an access token and pipe that to the `docker login` command. It didn’t work for GCR, but works fine for Artifact Registry.
Following up again. Artifact Registry responds with `Login successful`, but then pushing images fails later. 😩
a
> I’m unsure of what these fetched credentials actually are. Are they the path to a credentials file, are they the base64 encoded JSON credentials, or some third option?
@eager-keyboard-30823 to answer this, they are the base64-encoded JSON creds. Have any additional context on the error received from Artifact Registry on push? The rest of the deploy team is back on Monday and we will have additional brain trust if it’s a relatively obscure error.
e
Hey, sure. Here’s the error.
```
#6 importing cache manifest from <redacted>
#6 ERROR: failed to authorize: rpc error: code = Unknown desc = failed to fetch oauth token: unexpected status: 403 Forbidden
```
The weird thing is that if I just use `gcloud auth print-access-token` impersonating the service account that the OIDC pool uses, logging in and pushing to docker locally works just fine.
Here’s the script I’m using to trigger a deployment. This exchanges the OIDC token for what I would think would be the appropriate access token to authenticate with docker, but 🤷. Would be happy to know if you have some insight into making this easier. The script language is nushell
a
Thanks. Taking a look--if I don’t spot anything this afternoon, rest of deploy team returns from holiday on Monday and can give this an extra set of eyes.
e
Yeah no rush. Thanks for looking into this! 🙂
@witty-candle-66007 context for the issue, I’m sure I’m just missing something simple here. 😄
a
@eager-keyboard-30823 hey there! Were you able to work this out with Mitch?
e
@acoustic-lock-52416 hey! I haven’t. We had a meeting where I mentioned this was a blocker, and I tagged it to give him context on the issue, but we haven’t taken it any further.
w
@eager-keyboard-30823 I spoke to the engineer who worked on the OIDC stuff for deployments. He suggests trying the following for your prerun script (so as to enable the docker login stuff):
```
preRunCommands: [
    "# install the gcloud CLI - see: https://cloud.google.com/sdk/docs/install",
    // write the credential configuration from the OIDC exchange to disk so gcloud can consume it
    "echo \"$GOOGLE_CREDENTIALS\" >/google-creds.json",
    "gcloud auth login --brief --cred-file=/google-creds.json",
    // register the gcloud credential helper with Docker for the Google registries
    "gcloud auth configure-docker",
    "npm --prefix ./src/infra install ./src/infra",
],
```
e
Thanks! I’ll try this now.
Works! Thanks 🙏
For reference, this is the full list of steps that led to success (including Cloud SDK installation):
w
Great news!