Save application default credentials (ADC)
mering opened this issue · comments
TL;DR
Save ADC at ${HOME}/.config/gcloud/application_default_credentials.json instead of in the workspace.
Detailed design
Instead of saving the credentials file in the workspace, which is prone to be overwritten (for example by the checkout action), save it to the well-known location at ${HOME}/.config/gcloud/application_default_credentials.json.
We currently use the following step (which also deals with multi-line secrets correctly):
```yaml
- name: Create service account credentials files
  env:
    ROBOT_JSON_KEY: ${{ secrets.ROBOT_JSON_KEY }}
  run: |
    mkdir -p "${HOME}/.config/gcloud"
    echo "${ROBOT_JSON_KEY}" > "${HOME}/.config/gcloud/application_default_credentials.json"
    gcloud auth activate-service-account --key-file "${HOME}/.config/gcloud/application_default_credentials.json"
```
We use it mainly with Bazel RBE via bazel --google_default_credentials=true.
It would be nice if we could replace this step by using the google-github-actions/auth action instead.
Additional information
No response
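The step above writes the key with plain `echo` into whatever directory the shell happens to be in, and nothing stops a misconfigured path from landing it inside the checkout. The following is an added example (not code from the issue author or from google-github-actions/auth) of the same idea with the checks a practitioner would want: it creates the file mode 0600 before any bytes are written, uses `printf` so the multi-line private key survives, and refuses any destination that resolves to a path under the workspace. The function name `install_adc`, its arguments, and the constructed key in the usage guard are assumptions for illustration; `GITHUB_WORKSPACE` and `HOME` are set by the Actions runner.

```shell
#!/bin/sh
# Added example, not part of the issue or the auth action.
#
# install_adc KEY_JSON DEST [WORKSPACE]
#   KEY_JSON  : contents of the service account key (may span multiple lines)
#   DEST      : absolute path to write, e.g. "$HOME/.config/gcloud/application_default_credentials.json"
#   WORKSPACE : directory the key must NOT live under (defaults to $GITHUB_WORKSPACE)
# Prints the resolved path and returns 0 on success; returns 1 if the
# destination resolves into the workspace or the key is not an SA key.
install_adc() {
  key_json=$1
  dest=$2
  workspace=${3:-${GITHUB_WORKSPACE:-}}

  # Resolve the destination directory physically so "../" or symlinks cannot
  # route the file back into the checkout.
  dest_dir=$(dirname "$dest")
  mkdir -p "$dest_dir" || return 1
  dest_dir=$(cd "$dest_dir" && pwd -P) || return 1
  dest="$dest_dir/$(basename "$dest")"

  if [ -n "$workspace" ] && [ -d "$workspace" ]; then
    ws=$(cd "$workspace" && pwd -P) || return 1
    case "$dest" in
      "$ws"/*)
        echo "refusing to write credentials inside workspace $ws" >&2
        return 1 ;;
    esac
  fi

  # Minimal sanity check: a service account key is JSON with "type": "service_account".
  case "$key_json" in
    *'"type"'*'"service_account"'*) ;;
    *) echo "key does not look like a service account JSON key" >&2; return 1 ;;
  esac

  # umask 077 makes the file 0600 at creation time, so there is no window where
  # it is world-readable; chmod afterwards covers a pre-existing file.
  # printf (not echo) keeps the embedded newlines of the PEM private key intact.
  ( umask 077 && printf '%s\n' "$key_json" > "$dest" ) || return 1
  chmod 600 "$dest" || return 1
  echo "$dest"
}

# Usage guard mirroring the issue's step: only runs when the secret is present.
if [ -n "${ROBOT_JSON_KEY:-}" ]; then
  adc=$(install_adc "$ROBOT_JSON_KEY" "$HOME/.config/gcloud/application_default_credentials.json") || exit 1
  gcloud auth activate-service-account --key-file "$adc"
fi
```

Because the file sits at the ADC well-known path, `bazel --google_default_credentials=true` and the Google client libraries find it without `GOOGLE_APPLICATION_CREDENTIALS` being set; the workspace check is what makes a later `git add .` or wildcard package publish safe.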
Hi there @mering 👋!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @mering - thank you for opening an issue.
The auth action exports the GOOGLE_APPLICATION_CREDENTIALS environment variable, which all well-behaved Google Cloud client libraries respect.
As for why the credentials are stored in the workspace: it's that the workspace is one of the only places that is reliably shared with Docker-based actions. We've explored environment variables and alternative file paths, but they all come with trade-offs, particularly around self-hosted runner threat models. Last time we tried to "fix" this, we accidentally broke all Docker-based actions.
For Service Account Key JSON, you could theoretically not use this entire action and just write the JSON file to disk and set $GOOGLE_APPLICATION_CREDENTIALS.
> It would be nice if we could replace this step by using the google-github-actions/auth action instead.
Have you tried? It looks like --google-default-credentials should "just work".
Hi @sethvargo, thanks for your explanation.
As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.
While we currently do use only the SA JSON key, we plan to migrate towards WIF in the future, so it might be a good intermediate step.
Maybe I will try to set credentials_file_path to some location outside of the workspace and see if this just works.
Hi @mering - credentials_file_path is an output, not an input.
You could move the file somewhere else, but you'd need to update all the associated environment variables to the new path.
> As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.
There are instructions in the TROUBLESHOOTING guide for excluding the credentials from a git push or docker build, for example.