8

Within my code, I am attempting to gather the Application Default Credentials from the associated service account in Cloud Build:

from google.auth import default

credentials, project_id = default()

This works fine in my local space because I have set the environment variable GOOGLE_APPLICATION_CREDENTIALS appropriately. However, when this line is executed (via a test step in my build configuration) within Cloud Build, the following error is raised:

google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. 
Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. 
For more information, please see https://cloud.google.com/docs/authentication/getting-started

This is confusing me because, according to the docs:

By default, Cloud Build uses a special service account to execute builds on your behalf. This service account is called the Cloud Build service account and it is created automatically when you enable the Cloud Build API in a Google Cloud project. Read Here

If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. Read Here

So why is the default call not able to access the Cloud Build service account credentials?

Michael Howlard
  • 217
  • 2
  • 8

3 Answers3

14

There is a trick: you have to define the network to use in your Docker build. Use the parameter --network=cloudbuild, like that

steps:
  - name: gcr.io/cloud-builders/docker
    entrypoint: 'docker'
    args: 
      - build
      - '--no-cache'
      - '--network=cloudbuild'
      - '-t'
      - '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
      - .
      - '-f' 
      - 'Dockerfile'
...

You can find the documentation here

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
0

Application Default Credentials (ADC) defines the method for searching for credentials.

The Cloud Build VM instance is fetching credentials from metadata via network calls to 169.254.169.254. The container you are running does not have access to the host's network, meaning the code running inside the Docker container cannot access the host's metadata. Since there are no other credentials inside your container, ADC fails with the message Could not automatically determine credentials.

Solution: Provide credentials there are accessible inside the Docker container.

One method is to store a service account JSON key file in Cloud Storage. Then configure Cloud Build to download the file. Configure the Dockerfile to copy the file into the image.

Cloud Build YAML:

- name: gcr.io/cloud-builders/gsutil
  args: ['cp', 'gs://bucketname/path/service-account.json', 'service-account.json']

Dockerfile:

COPY ./service-account.json /path/service-account.json

Google provides additional services such as Secret Manager that can also be used. I prefer Cloud Storage as the ease of storing and updating credentials provides for easy documentation and management.

In considering issues regarding security, separation of privilege, and management Google Cloud offers several methods.

Another method is the one posted by Guillaume Blaquiere.

In environments with relaxed security and developers are granted broad permissions (IAM Roles), Guillaume's answer is simple and easy to implement. In tightly controlled security environments, granting Cloud Build broad permissions is a security risk.

Security often is a tradeoff between security, implementation, and ease of use. Granting IAM Roles requires careful thought on how permissions are to be used and by what/who.

John Hanley
  • 74,467
  • 6
  • 95
  • 159
  • 1
    Hey my friend, I always disagree when a solution uses a service account key file, it makes me sick!! I already discussed with the Cloud Build team about that point and they provided me the solution (provided in my answer) already documented and weirdly known. Anyway, it works great! – guillaume blaquiere Nov 28 '21 at 19:17
  • @guillaumeblaquiere - Since the container is built by Cloud Build, using a service account JSON key file is secure - maybe even more secure because Cloud Build requires fewer permissions in its service account. However, you are correct, service account key files require knowledge and management to be implemented correctly. There is often a tradeoff between security, feasibility, and convenience. Too bad we cannot combine answers. – John Hanley Nov 28 '21 at 19:21
  • No it isn't secure, it stores it in the docker image layer. That's not what we want. The idea is for cloudbuild to automatically act as the GOOGLE_APPLICATION_CREDENTIALS within any operation that is scripted in the Dockerfile, such as a bundle install for ruby, where secrets manager is initialized. If Google can't address CI/CD then the entire point of using workload identity is defeated in a single step. Unfortunately we use kaniko which doesn't include the Docker flag. – Nathan McKaskle Dec 01 '22 at 15:09
  • @NathanMcKaskle - As my answer explains there are several methods. The key is that some APIs require the private key which might not be available from default credentials. Regarding credentials in a Docker layer that is easy to solve via a multi-stage build. The key is to know the available solutions and then chose one that meets your objectives. There is no one solution that fits all use cases. – John Hanley Dec 01 '22 at 20:13
0

Cloud Build can securing builds by encrypting your key and decrypting when build using Cloud KMS

After setup encrypted key, you can retrieve it by a build step in cloudbuild.yaml

steps:
- name: gcr.io/cloud-builders/gcloud
  args:
  - kms
  - decrypt
  - "--ciphertext-file=ENCRYPTED_PASSWORD_FILE"
  - "--plaintext-file=PLAINTEXT_PASSWORD_FILE"
  - "--location=global"
  - "--keyring=KEYRING_NAME"
  - "--key=KEY_NAME"
- name: gcr.io/cloud-builders/docker
  entrypoint: bash
  args:
  - "-c"
  - docker login --username=DOCKER_USERNAME --password-stdin < PLAINTEXT_PASSWORD_FILE
tiboo
  • 8,213
  • 6
  • 33
  • 43