Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
e
eager-keyboard-30823
02/21/2023, 2:02 PMHey, when using OIDC with GCP, what kind of credentials are stored in
GOOGLE_CREDENTIALSb
brainy-church-78120
02/21/2023, 5:54 PMare the bottom of these docs helpful? or do you need more info than whats there?
https://www.pulumi.com/docs/guides/oidc/gcp/
e
eager-keyboard-30823
02/21/2023, 10:17 PMSo my question is actually based on that part of the docs!
The fetched credentials are published as a credential configuration in theI’m unsure of what these fetched credentials actually are. Are they the path to a credentials file, are they the base64 encoded JSON credentials, or some third option?environment variable.GOOGLE_CREDENTIALS
Ideally I’d be able to use the value in that variable to authenticate with docker as per the GCP documentation: https://cloud.google.com/container-registry/docs/advanced-authentication
To clarify, I’m trying to build and push some images as a part of my pulumi program, but now that it’s running via deployments I don’t have the credentials set up in the same way that I do on our own runners.
b
brainy-church-78120
02/22/2023, 3:11 AM@microscopic-florist-22719 can you help with this?
e
eager-keyboard-30823
02/24/2023, 2:02 PMJust to follow up: I was able to use the OIDC token to request an access token and pipe that to the
docker loginFollowing up again. Artifact Registry responds with
Login successfula
acoustic-lock-52416
02/24/2023, 10:31 PMm unsure of what these fetched credentials actually are. Are they the path to a credentials file, are they the base64 encoded JSON credentials, or some third option?@eager-keyboard-30823 to answer this, they are the base64 encoded JSON creds. Have any additional context on the error received from Artifact Registry on push? Rest of the deploy team is back on Monday and we will have additional brain trust if it’s a relatively obscure error
e
eager-keyboard-30823
02/24/2023, 10:58 PMHey, sure. Here’s the error.
#6 importing cache manifest from <redacted>
#6 ERROR: failed to authorize: rpc error: code = Unknown desc = failed to fetch oauth token: unexpected status: 403 ForbiddenThe weird thing is that if I just use
gcloud auth print-access-tokenHere’s the script I’m using to trigger a deployment. This exchanges the OIDC token for what I would think would be the appropriate access token to authenticate with docker, but 🤷.
Would be happy to know if you have some insight into making this easier. The script language is nushell
a
acoustic-lock-52416
02/24/2023, 11:18 PMThanks. Taking a look--if I don’t spot anything this afternoon, rest of deploy team returns from holiday on Monday and can give this an extra set of eyes.
e
eager-keyboard-30823
02/24/2023, 11:18 PMYeah no rush. Thanks for looking into this! 🙂
@witty-candle-66007 context for the issue, I’m sure I’m just missing something simple here. 😄
a
acoustic-lock-52416
03/02/2023, 7:26 PM@eager-keyboard-30823 hey there! Were you able to work this out with Mitch?
e
eager-keyboard-30823
03/02/2023, 7:47 PM@acoustic-lock-52416 hey! I haven’t. We had a meeting where I mentioned this was a blocker, and I tagged it to give him context on the issue, but we haven’t taken it any further.
w
witty-candle-66007
03/03/2023, 7:12 PM@eager-keyboard-30823 I spoke to the engineer who worked on the OIDC stuff for deployments. he suggests trying the following for your prerun script (so as to enable the docker login stuff):
preRunCommands: [
"# install the gcloud CLI - see: <https://cloud.google.com/sdk/docs/install>",
"echo \"$GOOGLE_CREDENTIALS\" >/google-creds.json",
"gcloud auth login --brief --cred-file=/google-creds.json",
"gcloud auth configure-docker"
"npm --prefix ./src/infra install ./src/infra",
],e
eager-keyboard-30823
03/03/2023, 7:30 PMThanks! I’ll try this now.
Works! Thanks 🙏
For reference, this is the full list of steps that lead to success (including cloud sdk installation)
w
witty-candle-66007
03/03/2023, 10:15 PMGreat news!