Save application default credentials (ADC) #383
Comments
Hi there @mering 👋! Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.
Hi @mering - thank you for opening an issue. As for why the credentials are stored in the workspace, the workspace is one of the only places that is reliably shared with Docker-based actions. We've explored environment variables and alternative file paths, but they all come with trade-offs, particularly around self-hosted runner threat models. Last time we tried to "fix" this, we accidentally broke all Docker-based actions. For Service Account Key JSON, you could theoretically not use this entire action and just write the JSON file to disk and set $GOOGLE_APPLICATION_CREDENTIALS.
Have you tried? It looks like
Hi @sethvargo, thanks for your explanation. As we sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace. While we currently only use the SA JSON key, we plan to migrate towards WIF in the future, so it might be a good intermediate step. Maybe I will try to set
Hi @mering - You could move the file somewhere else, but you'd need to update all the associated environment variables to the new path.
There are instructions in the TROUBLESHOOTING guide for excluding the credentials from a git push or docker build, for example.
TL;DR

Save ADC at ${HOME}/.config/gcloud/application_default_credentials.json instead of the workspace.

Detailed design

Instead of saving the credentials file in the workspace, which is prone to being overwritten (for example by the checkout action), save it to the well-known location at ${HOME}/.config/gcloud/application_default_credentials.json.

We currently use the following step (which also deals with multi-line secrets correctly):

We use it mainly with Bazel RBE via bazel --google_default_credentials=true.

It would be nice if we could replace this step by using the google-github-actions/auth action instead.

Additional information

No response
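As an added example (not the issue author's own step and not the auth action's code), a POSIX shell step implementing the design above: it writes the credential JSON held in an assumed secret variable GCP_CREDENTIALS_JSON to the well-known ADC path outside the workspace with owner-only permissions, refuses a target under $GITHUB_WORKSPACE so a wildcard publish or docker build context cannot pick it up, and exports GOOGLE_APPLICATION_CREDENTIALS through $GITHUB_ENV, since the associated environment variables have to follow the file.

```shell
# Added example, not the issue's elided step. Assumes HOME, and optionally
# GITHUB_WORKSPACE and GITHUB_ENV, are set by the runner; GCP_CREDENTIALS_JSON
# is an assumed name for the secret passed in via `env:`.
set -eu

adc_path() {
  printf '%s/.config/gcloud/application_default_credentials.json' "${HOME}"
}

# Returns 0 when the target is not inside the checkout, 1 when it is.
outside_workspace() {
  target="$1"
  ws="${GITHUB_WORKSPACE:-}"
  [ -z "$ws" ] && return 0
  case "$target" in
    "$ws"|"$ws"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Writes $1 (the JSON text, multi-line allowed) to the ADC path and prints
# that path. printf '%s' keeps the secret out of format-string handling.
save_adc() {
  json="$1"
  target="$(adc_path)"
  outside_workspace "$target" || {
    echo "refusing to write credentials inside the workspace: $target" >&2
    return 1
  }
  # umask 077 creates the directory as 0700 and the file as 0600
  (umask 077 && mkdir -p "$(dirname "$target")" && printf '%s\n' "$json" > "$target")
  # Same mechanism the runner uses to pass variables to later steps
  if [ -n "${GITHUB_ENV:-}" ]; then
    printf 'GOOGLE_APPLICATION_CREDENTIALS=%s\n' "$target" >> "$GITHUB_ENV"
  fi
  printf '%s' "$target"
}

# Typical use inside a step: save_adc "$GCP_CREDENTIALS_JSON"
```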