Authenticate Google Cloud service account on docker image

I’m finding different behavior from within and outside of a docker image for authenticating a google service account.

Outside. Succeeds.

    C:\Users\Ben\AppData\Local\Google\Cloud SDK>gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
    Activated service account credentials for: [773889352370-compute@developer.gserviceaccount.com]
    

Run docker container, pass the .json key to tmp directory.

    C:\Users\Ben\AppData\Local\Google\Cloud SDK>docker run -it -v C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json:/tmp/MeerkatReader-d77c0d6aa04f.json  --rm -p "127.0.0.1:8080:8080" --entrypoint=/bin/bash  gcr.io/cloud-datalab/datalab:local-20161227
    

From within docker, confirm the file is there

    root@4a4a9314f15c:/tmp# ls
    MeerkatReader-d77c0d6aa04f.json  npm-24-b7aa1bcf  npm-45-fd13ef7c  npm-7-22ec336e
    

Run the same command as before. Fails.

    root@4a4a9314f15c:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
    ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
    

What might cause this error? More broadly, what is the suggested strategy for passing credentials? I’ve tried this and it fails as well. I’m using the cloudml API and cloud vision, and I’d like to avoid manual gcloud init at the beginning of every run.

EDIT: To show gcloud info

    root@7ff49b26484f:/# gcloud info --run-diagnostics
    Network diagnostic detects and fixes local network connection issues.
    Checking network connection...done.
    Reachability Check passed.
    Network diagnostic (1/1 checks) passed.
    

Confirmed same behavior

    root@7ff49b26484f:/tmp# gcloud auth activate-service-account 773889352370-compute@developer.gserviceaccount.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370
    ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
    

2 Solutions collected from the web for “Authenticate Google Cloud service account on docker image”

Have you attempted to put the credential in the image from the beginning? Is that a similar outcome?

On the other hand, have you tried using --key-file /tmp/MeerkatReader-d77c0d6aa04f.json? Since it appears you’re putting the json file in /tmp.

You might also consider checking the network configuration inside the container and with docker from the outside.

This is probably due to a clock skew of the docker VM. I debugged the activate-service-account function of the google SDK and got the following error message:

    There was a problem refreshing your current auth tokens: invalid_grant:  
    Invalid JWT: Token must be a short-lived token and in a reasonable timeframe
    Please run:
    $ gcloud auth login
    
    to obtain new credentials, or if you have already logged in with a different account:
    
    $ gcloud config set account ACCOUNT
    
    to select an already authenticated account to use.
    

After rebooting the VM, it worked like a charm.
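
A pre-flight check for the two causes raised in the answers above (an unreadable key path and clock skew in the Docker VM), as an added example that is not part of the original posts. The path `/tmp/key.json`, the 300-second threshold and the function names are assumptions; the Date header is expected to come from an HTTPS response of a server whose clock you trust.

```python
import json
import time
from email.utils import parsedate_to_datetime

# Fields present in a Google service account JSON key and used to sign a token request.
REQUIRED_FIELDS = ("type", "client_email", "private_key", "token_uri")
# Assumption for this example: flag anything beyond 5 minutes of drift.
MAX_SKEW_SECONDS = 300


def check_key_file(path):
    """Return a list of problems with the key file; an empty list means it parses."""
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except OSError as exc:
        # Covers a missing file, a relative path resolved from the wrong working
        # directory, and a bind mount that arrived as a directory.
        return [f"cannot read {path}: {exc}"]
    except ValueError:
        return [f"{path} is not valid JSON"]
    if not isinstance(key, dict):
        return [f"{path} does not contain a JSON object"]
    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS if not key.get(name)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"unexpected key type: {key['type']}")
    return problems


def clock_skew_seconds(http_date_header, local_epoch=None):
    """Local clock minus the time in an HTTP Date header, in seconds."""
    server_epoch = parsedate_to_datetime(http_date_header).timestamp()
    return (time.time() if local_epoch is None else local_epoch) - server_epoch


def diagnose(key_path, http_date_header, local_epoch=None):
    """Collect findings for both failure causes discussed in the answers."""
    findings = check_key_file(key_path)
    skew = clock_skew_seconds(http_date_header, local_epoch)
    if abs(skew) > MAX_SKEW_SECONDS:
        findings.append(f"clock skew of {skew:+.0f}s exceeds {MAX_SKEW_SECONDS}s")
    return findings


if __name__ == "__main__":
    # Constructed sample: a Date header and a local clock running two hours slow.
    header = "Tue, 27 Dec 2016 12:00:00 GMT"
    for line in diagnose("/tmp/key.json", header, local_epoch=1482840000 - 7200):
        print(line)
```
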
