google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.

Home Page: https://cloud.google.com/iam

Save application default credentials (ADC)

mering opened this issue · comments

TL;DR

Save ADC at ${HOME}/.config/gcloud/application_default_credentials.json instead of workspace.

Detailed design

Instead of saving the credentials file in the workspace which is prone to be overwritten for example by the checkout action, save it to the well-known location at ${HOME}/.config/gcloud/application_default_credentials.json.

We currently use the following step (which also deals with multi-line secrets correctly):

- name: Create service account credentials files
  env:
    ROBOT_JSON_KEY: ${{ secrets.ROBOT_JSON_KEY }}
  run: |
    mkdir -p "${HOME}/.config/gcloud"
    echo "${ROBOT_JSON_KEY}" > "${HOME}/.config/gcloud/application_default_credentials.json"
    gcloud auth activate-service-account --key-file "${HOME}/.config/gcloud/application_default_credentials.json"

We use it mainly with Bazel RBE via bazel --google_default_credentials=true.

It would be nice if we could replace this step by using google-github-actions/auth action instead.

Additional information

No response

Hi there @mering 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

Hi @mering - thank you for opening an issue.

The auth action exports the GOOGLE_APPLICATION_CREDENTIALS environment variable, which all well-behaved Google Cloud client libraries respect.

As for why the credentials are stored in the workspace, it's because the workspace is one of the only places that is reliably shared with Docker-based actions. We've explored environment variables and alternative file paths, but they all come with trade-offs, particularly around self-hosted runner threat models. Last time we tried to "fix" this, we accidentally broke all Docker-based actions.

For Service Account Key JSON, you could theoretically not use this entire action and just write the JSON file to disk and set $GOOGLE_APPLICATION_CREDENTIALS.

It would be nice if we could replace this step by using google-github-actions/auth action instead.

Have you tried? It looks like --google_default_credentials should "just work".

See also: #109, #123, #134, #212, #264, #315, #316, #333

Hi @sethvargo, thanks for your explanation.

As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.

While we currently use only the SA JSON key, we plan to migrate towards WIF in the future, so it might be a good intermediate step.

Maybe I will try to set credentials_file_path to some location outside of the workspace and see if this just works.

Hi @mering - credentials_file_path is an output, not an input.

You could move the file somewhere else, but you'd need to update all the associated environment variables to the new path.

As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.

There are instructions in the TROUBLESHOOTING guide for excluding the credentials from a git push or docker build, for example.
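Putting the two suggestions in this thread together (write the key yourself to the well-known ADC path outside the workspace, then point GOOGLE_APPLICATION_CREDENTIALS at it), as an added bash example that is not part of the thread or of the auth action. It assumes GNU coreutils (realpath -m) and takes the home, workspace and env-file paths as parameters so it can be checked locally; on a runner those would be $HOME, $GITHUB_WORKSPACE and $GITHUB_ENV.

```shell
#!/usr/bin/env bash
# Added example (not the google-github-actions/auth project's code): write a
# service account key to the ADC location outside the checkout, hand it to
# later steps via GOOGLE_APPLICATION_CREDENTIALS, and refuse if the target
# path lies inside the workspace, where a wildcard publish, `git add .` or a
# `docker build` context could pick it up.
set -euo pipefail

# Return 0 if FILE resolves to a path inside DIR, 1 otherwise.
# Both are canonicalised (realpath -m, GNU coreutils) so symlinks and
# "../" segments cannot fool the check.
path_inside_dir() {
  local file dir
  file="$(realpath -m "$1")"
  dir="$(realpath -m "$2")"
  case "$file" in
    "$dir"|"$dir"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the key JSON (read from stdin, so multi-line secrets survive intact)
# to $HOME_DIR/.config/gcloud/application_default_credentials.json with
# owner-only permissions, refusing when that path is inside WORKSPACE.
# Appends GOOGLE_APPLICATION_CREDENTIALS=<path> to ENV_FILE (on GitHub,
# $GITHUB_ENV) so subsequent steps inherit it. Prints the path on success.
write_adc_outside_workspace() {
  local home_dir="$1" workspace="$2" env_file="$3"
  local adc="$home_dir/.config/gcloud/application_default_credentials.json"
  if path_inside_dir "$adc" "$workspace"; then
    echo "refusing: $adc is inside workspace $workspace" >&2
    return 1
  fi
  # umask 077 in a subshell: directory 0700, file 0600, caller's umask untouched.
  ( umask 077; mkdir -p "$(dirname "$adc")"; cat > "$adc" )
  echo "GOOGLE_APPLICATION_CREDENTIALS=$adc" >> "$env_file"
  printf '%s\n' "$adc"
}
```

In a workflow step this would be invoked as `printf '%s\n' "$ROBOT_JSON_KEY" | write_adc_outside_workspace "$HOME" "$GITHUB_WORKSPACE" "$GITHUB_ENV"`, with the secret passed through `env:` exactly as in the original step.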