Authenticate Google Cloud service account on docker image
I’m finding different behavior from within and outside of a docker image for authenticating a google service account.
C:\Users\Ben\AppData\Local\Google\Cloud SDK>gcloud auth activate-service-account email@example.com --key-file C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370 Activated service account credentials for: [firstname.lastname@example.org]
Run docker container, pass the .json key to tmp directory.
C:\Users\Ben\AppData\Local\Google\Cloud SDK>docker run -it -v C:/Users/Ben/Dropbox/Google/MeerkatReader-d77c0d6aa04f.json:/tmp/MeerkatReader-d77c0d6aa04f.json --rm -p "127.0.0.1:8080:8080" --entrypoint=/bin/bash gcr.io/cloud-datalab/datalab:local-20161227
From within docker, confirm the file is there
root@4a4a9314f15c:/tmp# ls MeerkatReader-d77c0d6aa04f.json npm-24-b7aa1bcf npm-45-fd13ef7c npm-7-22ec336e
Run the same command as before. Fails.
root@4a4a9314f15c:/tmp# gcloud auth activate-service-account email@example.com t.com --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370 ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
What might cause this error? More broadly, what is the suggested strategy for passing credentials. I’ve tried this and it fails as well. I’m using the cloudml API and cloud vision, and i’d like to avoid manual gcloud init at the beginning of every run.
EDIT: To show gcloud info
root@7ff49b26484f:/# gcloud info --run-diagnostics Network diagnostic detects and fixes local network connection issues. Checking network connection...done. Reachability Check passed. Network diagnostic (1/1 checks) passed.
confirmed same behavior
root@7ff49b26484f:/tmp# gcloud auth activate-service-account firstname.lastname@example.org --key-file MeerkatReader-d77c0d6aa04f.json --project api-project-773889352370 ERROR: (gcloud.auth.activate-service-account) Failed to activate the given service account. Please ensure provided key file is valid.
2 Solutions collect form web for “Authenticate Google Cloud service account on docker image”
Have you attempted to put the credential in the image from the beginning? Is that a similar outcome?
On the other hand, have you tried using
--key-file /tmp/MeerkatReader-d77c0d6aa04f.json? Since it appears you’re putting the json file in
You might also consider checking the network configuration inside the container and with docker from the outside.
This is probably due to a clock skew of the docker VM. I debugged the activate-service-account function of the google SDK and got the following error message:
There was a problem refreshing your current auth tokens: invalid_grant: Invalid JWT: Token must be a short-lived token and in a reasonable timeframe Please run: $ gcloud auth login to obtain new credentials, or if you have already logged in with a different account: $ gcloud config set account ACCOUNT to select an already authenticated account to use.
After rebooting the VM, it worked like a charm.