I have a plumber API running in Cloud Run, and I would like to access files in a Google storage bucket within the same project. The API runs fine, but I cannot get through the authentication. I am trying to use the googleAuthR and gargle libraries, but I am doing something wrong.

Here is my api.R:

```r
#* @get /
function(){
  text <- "Hello, this is from a cloud run function...."
  return ( text )
}

#* @get /haveToken
function(){
  require(googleAuthR)
  require(googleCloudStorageR)
  require(gargle)
  text <- paste0("Do I have a token: ",gar_has_token())
  #gcs_auth(token = token_fetch())
  gar_auth( gar_gce_auth_default()  )
  text <- paste0(text,"<br>Do I have a token: ",gar_has_token())
  return ( gcs_list_buckets(projectId = "<MYPROJECT>") )
}
```

My Dockerfile is:

```dockerfile
FROM gcr.io/gcer-public/googlecloudrunner:master
COPY api.R .
ENTRYPOINT ["R", "-e", "pr <- plumber::plumb(commandArgs()[4]); pr$run(host='0.0.0.0', port=as.numeric(Sys.getenv('PORT')))"]
CMD ["api.R"]
```

```sh
docker build -t gcs_test1 .
docker image tag gcs_test1:latest gcr.io/<MYPROJECT>/gcscr:latest
gcloud run deploy gcs-test1 --image=gcr.io/<MYPROJECT>/gcscr:latest  --platform managed --allow-unauthenticated --service-account=gcs-sa@<MYPROJECT>.iam.gserviceaccount.com
```

My service account currently has the Editor role, but I would like to cut it down to Storage Admin + Cloud Run Service Agent.

If you have any advice on how to access GCS, I would greatly appreciate it.

HowYaDoing
  • What's your error? A 401? What's the policy of your bucket? Fine-grained or uniform? – guillaume blaquiere Mar 06 '21 at 12:54
  • simpleError: Non-interactive session and no authentication email selected. Setup JSON service email auth or specify email in gar_auth(email='me@preauthenticated.com')> – HowYaDoing Mar 06 '21 at 16:40
  • Do you have a service account key file? If so, did you try to add the full path to the file in the environment variable `GOOGLE_APPLICATION_CREDENTIALS`? – guillaume blaquiere Mar 06 '21 at 19:08
  • When I run on my laptop, I can do that. Is it safe to put the key file in a Docker image? We were burned once when another developer checked in a key to GitHub (that was ugly) – HowYaDoing Mar 06 '21 at 19:47
  • It was just to check if it was one of the issues (to be sure that the lib that you use works correctly!). But yes, it's not safe to put this in a container. On Cloud Run, you can use the metadata server, which exposes an API to get a security token from the service account deployed with the service. I think that your auth library doesn't use this metadata server. That's why the check with the service account key file is only a test, not a solution! – guillaume blaquiere Mar 06 '21 at 21:34
  • Thank you @guillaumeblaquiere, I'll check out the metadata server. – HowYaDoing Mar 08 '21 at 20:44
  • The auth library does use the metadata server if you use `googleAuthR::gar_gce_auth()` to authenticate – MarkeD Mar 15 '21 at 22:34

1 Answer

Use `googleAuthR::gar_gce_auth()` to get a token from a machine running on Google Cloud.

MarkeD
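
The answer's suggestion applied to the question's `/haveToken` endpoint, as an added example (not the asker's or the answerer's code). It assumes the revision runs as the service account passed to `gcloud run deploy --service-account`; `GCP_PROJECT` and `auth_from_metadata` are hypothetical names introduced here.

```r
# Added example: the question's /haveToken endpoint using gar_gce_auth().
library(googleAuthR)
library(googleCloudStorageR)

# Assumption: GCP_PROJECT is a hypothetical variable name, set at deploy time
# with `gcloud run deploy --set-env-vars GCP_PROJECT=<MYPROJECT>`.
project_id <- Sys.getenv("GCP_PROJECT")

# Ask the metadata server for a token belonging to the service account the
# Cloud Run revision runs as. No key file is read or baked into the image.
auth_from_metadata <- function() {
  gar_gce_auth()
  if (!gar_has_token()) {
    stop("metadata server returned no token")
  }
  invisible(TRUE)
}

#* @get /haveToken
function(res) {
  tryCatch({
    auth_from_metadata()
    gcs_list_buckets(projectId = project_id)
  }, error = function(e) {
    # Full detail goes to stderr (Cloud Run logs); the caller, who may be
    # unauthenticated, only sees a generic message.
    message("GCS request failed: ", conditionMessage(e))
    res$status <- 500
    list(error = "storage request failed")
  })
}
```

Outside Google Cloud there is no metadata server, so the handler takes the error branch and returns the 500 response.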