10

I have made a Dockerfile for deploying my Node.js application into Google Container Engine. It looks like below:

FROM node:0.12
COPY google-cloud-sdk /google-cloud-sdk
RUN /google-cloud-sdk/bin/gcloud init
COPY bpe /bpe
CMD cd /bpe;npm start

I should use gcloud init inside the Dockerfile because my Node.js application is using the gcloud-node module for creating buckets in GCS. When I use the above Dockerfile and run docker build, it fails with the following errors:

sudo docker build -t gcr.io/[PROJECT_ID]/test-node:v1 .

Sending build context to Docker daemon 489.3 MB
Step 0 : FROM node:0.12
 ---> 57ef47f6c658
Step 1 : COPY google-cloud-sdk /google-cloud-sdk
 ---> f102b82812f5
Removing intermediate container 4433b0f3627f
Step 2 : RUN /google-cloud-sdk/bin/gcloud init
 ---> Running in 21aead97cf65
Welcome! This command will take you through the configuration of gcloud.

Your current configuration has been set to: [default]

To continue, you must log in. Would you like to log in (Y/n)?  
Go to the following link in your browser:

    https://accounts.google.com/o/oauth2/auth?redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&prompt=select_account&response_type=code&client_id=32555940559.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute&access_type=offline


ERROR: There was a problem with web authentication.
ERROR: (gcloud.auth.login) invalid_grant
ERROR: (gcloud.init) Failed command: [auth login --force --brief] with exit code [1]

I got it working by hard-coding the authentication key inside the google-cloud-sdk source code. Please let me know the proper way to solve this issue.

Priyesh Karatha
  • You can't do that since gcloud init is a dynamic script; you can see that it is waiting for user input. My guess is that you have to perform a `gcloud init` outside docker, gather every file generated, and put them in your docker image. Or you could use /usr/bin/expect in order to automatically answer the script's questions – michael_bitard May 25 '16 at 09:56
  • How do I make a docker image using the files generated? And if I do gcloud init, what are the files generated and modified? Any idea on this? – Priyesh Karatha May 25 '16 at 11:19

2 Answers

19

gcloud init is a wrapper command which runs

gcloud config configurations create MY_CONFIG
gcloud config configurations activate MY_CONFIG
gcloud auth login
gcloud config set project MY_PROJECT

which allows the user to choose a configuration, log in (via the browser) and choose a project.

For your use case you probably do not want to use gcloud init; instead you should download a service account key file from https://console.cloud.google.com/iam-admin/serviceaccounts/project?project=MY_PROJECT, make it accessible inside the docker container and activate it via

gcloud auth activate-service-account --key-file my_service_account.json
gcloud config set project MY_PROJECT
cherba
  • @cherba What are the security implications for keeping the key file inside the docker container? – kiran May 27 '16 at 09:12
  • This issue is not specific to gcloud. To mitigate it somewhat, you can mount a volume when running the docker image and set the CLOUDSDK_CONFIG environment variable to point to it. That way all configuration and credentials for gcloud can be externalized and even shared. You can also activate the service account even before starting the container. – cherba May 27 '16 at 11:25
  • which is the bare minimum permission for the service account that allow this? (I need it only for Firebase TestLab) – Daniele Segato Mar 29 '17 at 08:44
  • It might be worth looking at the secrets directive in docker-compose, which provides a handy way to inject secrets (like this key) into containers at start time: https://docs.docker.com/compose/compose-file/#secrets – MatrixManAtYrService Nov 01 '18 at 15:58
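The answer and its comments describe one procedure: keep the key out of the image, mount it at run time (a volume, or a Docker/Compose secret under /run/secrets), keep gcloud state outside the image via CLOUDSDK_CONFIG, and run `gcloud auth activate-service-account` plus `gcloud config set project` when the container starts. The entrypoint below is an added example that ties those steps together; it is not code from the question, the answers or the Cloud SDK. It assumes the image layout from the question (Cloud SDK at /google-cloud-sdk, app under /bpe), a key mounted at /run/secrets/gcp_sa_key unless GOOGLE_APPLICATION_CREDENTIALS says otherwise, and an optional GCLOUD_PROJECT variable; the file name entrypoint.sh and the GCLOUD_BIN override are also assumptions. It refuses to start if the key is missing, world-readable, or a user credential (the kind `gcloud auth login` produces) rather than a service_account key.

```sh
#!/bin/sh
# entrypoint.sh: activate a service account at container START, not at build time.
# Added example, not from the question or answers. Assumes the key file is mounted
# at run time and that the image already holds the Cloud SDK and the app (/bpe).
#
# Assumed Dockerfile wiring (mirrors the question's image):
#   COPY entrypoint.sh /entrypoint.sh
#   ENTRYPOINT ["/entrypoint.sh"]
#   CMD ["npm", "start", "--prefix", "/bpe"]
# Assumed run command: key mounted read-only, gcloud state kept in a volume:
#   docker run --rm \
#     -v "$PWD/sa.json:/run/secrets/gcp_sa_key:ro" \
#     -v gcloud-config:/gcloud-config -e CLOUDSDK_CONFIG=/gcloud-config \
#     -e GCLOUD_PROJECT=my-project gcr.io/my-project/test-node:v1

KEY_FILE="${GOOGLE_APPLICATION_CREDENTIALS:-/run/secrets/gcp_sa_key}"   # assumed default path
GCLOUD_BIN="${GCLOUD_BIN:-/google-cloud-sdk/bin/gcloud}"               # path from the question's image

# Return 0 only if $1 looks like a service-account key we are willing to use:
# present, non-empty, not readable by "other", and of type service_account
# (a credential from `gcloud auth login` has type authorized_user instead).
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "key file $f not found" >&2; return 1; }
  [ -s "$f" ] || { echo "key file $f is empty" >&2; return 1; }
  # columns 8-10 of `ls -ld` are the permission bits for "other"
  case "$(ls -ld "$f" | cut -c8-10)" in
    ---) ;;
    *) echo "key file $f is readable by other users; chmod 600 it" >&2; return 1 ;;
  esac
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" || {
    echo "key file $f is not a service_account key" >&2; return 1; }
  for field in client_email private_key project_id; do
    grep -q "\"$field\"" "$f" || { echo "key file $f lacks $field" >&2; return 1; }
  done
  return 0
}

# Project id embedded in the key file, used when GCLOUD_PROJECT is not set.
project_from_key() {
  sed -n 's/.*"project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

activate_service_account() {
  check_key_file "$KEY_FILE" || return 1
  project="${GCLOUD_PROJECT:-$(project_from_key "$KEY_FILE")}"
  [ -n "$project" ] || { echo "no project id (set GCLOUD_PROJECT)" >&2; return 1; }
  # gcloud CLI, for anything the app shells out to
  "$GCLOUD_BIN" auth activate-service-account --key-file "$KEY_FILE" || return 1
  "$GCLOUD_BIN" config set project "$project" || return 1
  # gcloud-node (google-auth-library) reads the same key through this variable
  export GOOGLE_APPLICATION_CREDENTIALS="$KEY_FILE"
  export GCLOUD_PROJECT="$project"
}

main() {
  activate_service_account || exit 1
  exec "$@"   # hand off to the CMD (the node app); no wrapper shell stays around
}

# Docker passes CMD as the arguments; with no arguments only the functions are defined.
[ $# -eq 0 ] || main "$@"
```

The key never enters an image layer, so `docker history` and registry pulls do not expose it, and rotating it is a matter of replacing the mounted file. The permission check matters because a key copied in with a default umask is often 0644 and readable by every process in the container.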
3

A better way to use GCS from Container Engine is to give permission to the cluster. For example, if you had created your VM with the devstorage.read_only scope, trying to write to a bucket would fail, even if your service account has permission to write to the bucket. You would need devstorage.full_control or devstorage.read_write.

While creating the cluster we can use the following command:

gcloud container clusters create catch-world \
        --num-nodes 1 \
        --machine-type n1-standard-1 \
        --scopes https://www.googleapis.com/auth/devstorage.full_control
Priyesh Karatha