
Save application default credentials (ADC) #383

Closed
mering opened this issue Jan 17, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@mering

mering commented Jan 17, 2024

TL;DR

Save ADC at ${HOME}/.config/gcloud/application_default_credentials.json instead of workspace.

Detailed design

Instead of saving the credentials file in the workspace which is prone to be overwritten for example by the checkout action, save it to the well-known location at ${HOME}/.config/gcloud/application_default_credentials.json.

We currently use the following step (which also deals with multi-line secrets correctly):

```yaml
- name: Create service account credentials files
  env:
    ROBOT_JSON_KEY: ${{ secrets.ROBOT_JSON_KEY }}
  run: |
    mkdir -p "${HOME}/.config/gcloud"
    echo "${ROBOT_JSON_KEY}" > "${HOME}/.config/gcloud/application_default_credentials.json"
    gcloud auth activate-service-account --key-file "${HOME}/.config/gcloud/application_default_credentials.json"
```

We use it mainly with Bazel RBE via bazel --google_default_credentials=true.

It would be nice if we could replace this step by using google-github-actions/auth action instead.

Additional information

No response

@mering mering added the enhancement New feature or request label Jan 17, 2024

Hi there @mering 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.

@sethvargo
Member

Hi @mering - thank you for opening an issue.

The auth action exports the GOOGLE_APPLICATION_CREDENTIALS environment variable, which all well-behaved Google Cloud client libraries respect.

As for why the credentials are stored in the workspace, it's that the workspace is one of the only places that is reliably shared with Docker-based actions. We've explored environment variables and alternative file paths, but they all come with trade-offs, particularly around self-hosted runner threat models. Last time we tried to "fix" this, we accidentally broke all Docker-based actions.

For Service Account Key JSON, you could theoretically not use this entire action and just write the JSON file to disk and set $GOOGLE_APPLICATION_CREDENTIALS.

> It would be nice if we could replace this step by using google-github-actions/auth action instead.

Have you tried? It looks like --google-default-credentials should "just work".

See also: #109, #123, #134, #212, #264, #315, #316, #333

@mering
Author

mering commented Jan 17, 2024

Hi @sethvargo, thanks for your explanation.

As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.

While we do currently use only the SA JSON key, we plan to migrate towards WIF in the future, so it might be a good intermediate step.

Maybe I will try to set credentials_file_path to some location outside of the workspace and see if this just works.

@sethvargo
Member

Hi @mering - credentials_file_path is an output, not an input.

You could move the file somewhere else, but you'd need to update all the associated environment variables to the new path.

> As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.

There are instructions in the TROUBLESHOOTING guide for excluding the credentials from a git push or docker build, for example.
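A shell helper for the relocation sethvargo describes, added here as an example (it is not code from the auth action or from anyone in this thread): it moves a credentials file out of the workspace into a directory with restrictive permissions, deletes the workspace copy so a later checkout, wildcard publish or docker build cannot pick it up, and appends the new GOOGLE_APPLICATION_CREDENTIALS value to the GITHUB_ENV file so later steps see it. The function names, the destination directory and the sample file name are assumptions; only GOOGLE_APPLICATION_CREDENTIALS is updated, so any other variables the action exported would need the same treatment.

```shell
#!/usr/bin/env bash
# Added example; function names and paths are assumptions, not the action's own.
set -eu

# path_within FILE DIR: succeed if FILE (symlinks resolved) lies inside DIR.
path_within() {
  target="$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")"
  dir="$(cd "$2" && pwd -P)"
  case "$target" in
    "$dir"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# relocate_adc SRC DEST_DIR [ENV_FILE]
# Copy SRC to DEST_DIR/application_default_credentials.json with mode 0600,
# remove the original, and append GOOGLE_APPLICATION_CREDENTIALS=<new path> to
# ENV_FILE (defaults to $GITHUB_ENV, which GitHub Actions reads between steps).
# Prints the new path. Note: rm unlinks the workspace copy but does not scrub
# the bytes on disk; on an ephemeral hosted runner that is normally acceptable.
relocate_adc() {
  src="$1"
  dest_dir="$2"
  env_file="${3:-${GITHUB_ENV:-/dev/null}}"
  dest="$dest_dir/application_default_credentials.json"
  if [ ! -f "$src" ]; then
    echo "relocate_adc: source credentials not found: $src" >&2
    return 1
  fi
  # umask 077 makes every directory and file created here owner-only.
  (umask 077 && mkdir -p "$dest_dir" && cp "$src" "$dest")
  chmod 600 "$dest"
  rm -f "$src"
  printf 'GOOGLE_APPLICATION_CREDENTIALS=%s\n' "$dest" >> "$env_file"
  printf '%s\n' "$dest"
}
```

In a workflow this would run as a step right after the auth step, with SRC taken from the action's credentials_file_path output and DEST_DIR somewhere under $HOME rather than $GITHUB_WORKSPACE.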
