
I am very new to GCP and I would greatly appreciate some help here ...

I have a docker containerized application that runs in AWS/Azure but needs to access gcloud SDK as well as through "Google cloud client libraries".

What is the best way to set up gcloud authentication from an application that runs outside of GCP?

In my Dockerfile, I have this (cut short for brevity)

    ENV CLOUDSDK_INSTALL_DIR /usr/local/gcloud/
    RUN curl -sSL https://sdk.cloud.google.com | bash
    ENV PATH $PATH:$CLOUDSDK_INSTALL_DIR/google-cloud-sdk/bin
    RUN gcloud components install app-engine-java kubectl

This container is currently provisioned from an Azure app service & AWS Fargate. When a new container instance is spawned, we would like it to be gcloud enabled with a service account attached already so our application can deploy stuff on GCP using its deployment manager.

  1. I understand gcloud requires us to run gcloud auth login to authenticate to your account. How we can automate the provisioning of our container if this step has to be manual?

  2. Also, from what I understand, for cloud client libraries, we can store the path to service account key json file in an environment variable (GOOGLE_APPLICATION_CREDENTIALS). So this file either has to be stored inside the docker image itself OR has to be mounted from an external storage at the very least?

How safe is it to store this service account key file in external storage? What are the best practices around this?

Vikram
  • Hi there! Are you using Kubernetes or running your Docker container directly on your VM? If I understand correctly you are running this on AWS Fargate? Do you have the chance to use a secret manager as [AWS Secret Manager](https://aws.amazon.com/es/secrets-manager/) or [Azure Key Vault](https://azure.microsoft.com/es-mx/services/key-vault/) ? – Armando Cuevas Jul 08 '21 at 17:56
  • Hi @ArmandoCuevas - thanks for your response. Yes, I am using App Service in Azure and AWS Fargate, and yes, I can use either a secret manager or a vault. Please advise how they can be used in this situation. – Vikram Jul 09 '21 at 13:16

1 Answer


There are two main means of authentication in Google Cloud Platform:

  • User Accounts: Belong to people, represent people involved in your project and they're associated to a Google Account
  • Service Accounts: Used by an application or an instance.

Learn more about their differences here.

Therefore, you are not required to use the command gcloud auth login to perform gcloud commands.

You should be using gcloud auth activate-service-account instead, along with the --key-file=<path-to-key-file> flag, which will allow you to authenticate without the need of signing into a Google Account with access to your project every time you need to call an API.

This key should be stored securely, preferably encrypted in the platform of your choice. Learn how to do it in GCP here following these steps as an example.

Take a look at these useful links for storing secrets in Microsoft Azure and AWS.


On the other hand, you can deploy services to GCP programmatically either using the Cloud Libraries with your programming language of choice, or using Terraform, which is very intuitive, if you prefer that over using the Google Cloud SDK through the CLI.

Hope this helped.

santi
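Putting the answer and the comment thread together, here is an added example of a container entrypoint helper that does what was described: pull the service-account key out of a secret manager at start-up (so it is never baked into the image), stage it on a private tmpfs with owner-only permissions, run `gcloud auth activate-service-account --key-file=...`, and export `GOOGLE_APPLICATION_CREDENTIALS` for the client libraries. This is not code from the question or the answer; the secret name `gcp/deployer-sa`, the vault name `myvault`, the staging directory `/run/gcp` and the function names are assumptions, and the `FETCH_KEY_CMD` variable is how you plug in the AWS or Azure CLI call for your platform.

```shell
#!/bin/sh
# Added example: stage a GCP service-account key from a secret manager at
# container start. Source this file from the entrypoint, then run
# activate_service_account before exec'ing the application.
set -eu

# Staging directory. Mount a tmpfs here in production, e.g.
#   docker run --tmpfs /run/gcp:size=64k,mode=0700 ...
# so the key lives only in memory for the container's lifetime. (Assumed path.)
KEY_DIR="${KEY_DIR:-/run/gcp}"
KEY_FILE="$KEY_DIR/sa-key.json"

# Shell command that prints the key JSON to stdout. The secret names below are
# assumptions; the CLI invocations are the standard AWS / Azure ones:
#   AWS:   aws secretsmanager get-secret-value --secret-id gcp/deployer-sa \
#            --query SecretString --output text
#   Azure: az keyvault secret show --vault-name myvault --name gcp-deployer-sa \
#            --query value -o tsv
FETCH_KEY_CMD="${FETCH_KEY_CMD:-aws secretsmanager get-secret-value --secret-id gcp/deployer-sa --query SecretString --output text}"

# Sanity-check the fetched secret without needing a JSON parser: a
# service-account key is a JSON object with "type": "service_account",
# a client_email and a private_key. Rejects user credentials and junk.
validate_key() {
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" || return 1
  grep -q '"client_email"' "$1" || return 1
  grep -q '"private_key"' "$1" || return 1
}

# Fetch the key into a mode-0600 file inside a mode-0700 directory. The key is
# written via a temp file and renamed, so a half-written key is never used,
# and it never passes through the process argument list. Prints the path.
stage_key() {
  tmp="$KEY_DIR/.sa-key.tmp"
  # umask in a subshell so the caller's umask is untouched
  ( umask 077 && mkdir -p "$KEY_DIR" && eval "$FETCH_KEY_CMD" > "$tmp" ) \
    || { rm -f "$tmp"; echo "failed to fetch key" >&2; return 1; }
  chmod 700 "$KEY_DIR"
  if ! validate_key "$tmp"; then
    rm -f "$tmp"
    echo "fetched secret is not a service-account key" >&2
    return 1
  fi
  chmod 600 "$tmp"
  mv "$tmp" "$KEY_FILE"
  echo "$KEY_FILE"
}

# Activate gcloud (when installed) and point Application Default Credentials
# at the same file, so both the CLI and the client libraries use it. Keep the
# file for the container's lifetime: the client libraries read it lazily.
activate_service_account() {
  key_path="$(stage_key)" || return 1
  export GOOGLE_APPLICATION_CREDENTIALS="$key_path"
  if command -v gcloud >/dev/null 2>&1; then
    gcloud auth activate-service-account --key-file="$key_path" --quiet
  else
    echo "gcloud not on PATH; only GOOGLE_APPLICATION_CREDENTIALS was set" >&2
  fi
}

# Typical entrypoint usage (not run when this file is sourced):
#   . /usr/local/bin/gcp-auth.sh && activate_service_account && exec "$@"
```

The container's IAM role (Fargate task role) or managed identity (App Service) is what authorises the secret fetch, so no cloud credential of any kind needs to be in the image; rotating the key is then a matter of updating the secret and restarting the container.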