eager-keyboard-30823

02/21/2023, 2:02 PM
Hey, when using OIDC with GCP, what kind of credentials are stored in GOOGLE_CREDENTIALS? Trying to figure out how to login to the docker registry on the deployment runner.

brainy-church-78120

02/21/2023, 5:54 PM
Are the bottom of these docs helpful? Or do you need more info than what's there? https://www.pulumi.com/docs/guides/oidc/gcp/

eager-keyboard-30823

02/21/2023, 10:17 PM
So my question is actually based on that part of the docs!
"The fetched credentials are published as a credential configuration in the GOOGLE_CREDENTIALS environment variable."
I’m unsure of what these fetched credentials actually are. Are they the path to a credentials file, are they the base64 encoded JSON credentials, or some third option?
Ideally I’d be able to use the value in that variable to authenticate with docker as per the GCP documentation: https://cloud.google.com/container-registry/docs/advanced-authentication
To clarify, I’m trying to build and push some images as a part of my pulumi program, but now that it’s running via deployments I don’t have the credentials set up in the same way that I do on our own runners.

brainy-church-78120

02/22/2023, 3:11 AM
@microscopic-florist-22719 can you help with this?

eager-keyboard-30823

02/24/2023, 2:02 PM
Just to follow up: I was able to use the OIDC token to request an access token and pipe that to the docker login command. It didn't work for GCR, but works fine for the Artifact Registry.
Following up again. Artifact Registry responds with "Login successful" - but then pushing images fails later. 😩

acoustic-lock-52416

02/24/2023, 10:31 PM
"I'm unsure of what these fetched credentials actually are. Are they the path to a credentials file, are they the base64 encoded JSON credentials, or some third option?"
@eager-keyboard-30823 to answer this, they are the base64 encoded JSON creds. Have any additional context on the error received from Artifact Registry on push? Rest of the deploy team is back on Monday and we will have additional brain trust if it’s a relatively obscure error

eager-keyboard-30823

02/24/2023, 10:58 PM
Hey, sure. Here’s the error.
#6 importing cache manifest from <redacted>
#6 ERROR: failed to authorize: rpc error: code = Unknown desc = failed to fetch oauth token: unexpected status: 403 Forbidden
The weird thing is that if I just use gcloud auth print-access-token impersonating the service account that the OIDC pool uses, logging in and pushing to docker locally works just fine.
Here’s the script I’m using to trigger a deployment. This exchanges the OIDC token for what I would think would be the appropriate access token to authenticate with docker, but 🤷. Would be happy to know if you have some insight into making this easier. The script language is nushell

acoustic-lock-52416

02/24/2023, 11:18 PM
Thanks. Taking a look--if I don’t spot anything this afternoon, rest of deploy team returns from holiday on Monday and can give this an extra set of eyes.

eager-keyboard-30823

02/24/2023, 11:18 PM
Yeah no rush. Thanks for looking into this! 🙂
@witty-candle-66007 context for the issue, I’m sure I’m just missing something simple here. 😄

acoustic-lock-52416

03/02/2023, 7:26 PM
@eager-keyboard-30823 hey there! Were you able to work this out with Mitch?

eager-keyboard-30823

03/02/2023, 7:47 PM
@acoustic-lock-52416 hey! I haven’t. We had a meeting where I mentioned this was a blocker, and I tagged it to give him context on the issue, but we haven’t taken it any further.

witty-candle-66007

03/03/2023, 7:12 PM
@eager-keyboard-30823 I spoke to the engineer who worked on the OIDC stuff for deployments. He suggests trying the following for your prerun script (so as to enable the docker login stuff):
preRunCommands: [
    "# install the gcloud CLI - see: <https://cloud.google.com/sdk/docs/install>",
    "# write the credential configuration from the OIDC exchange to disk for gcloud",
    "echo \"$GOOGLE_CREDENTIALS\" >/google-creds.json",
    "gcloud auth login --brief --cred-file=/google-creds.json",
    "# register gcloud as the docker credential helper for the GCR/Artifact Registry hosts",
    "gcloud auth configure-docker",
    "npm --prefix ./src/infra install ./src/infra",
],

eager-keyboard-30823

03/03/2023, 7:30 PM
Thanks! I’ll try this now.
Works! Thanks 🙏
For reference, this is the full list of steps that led to success (including Cloud SDK installation):

witty-candle-66007

03/03/2023, 10:15 PM
Great news!