@ZaxR
Last active November 22, 2021 23:43
Google Cloud Authentication for Docker

These instructions are to create a local, named Docker volume that stores authenticated Google service account credentials, for mounting to local Docker containers. This setup should only be required once, as the volume persists even after connected containers are stopped/removed.

TREAT THIS VOLUME AS CREDENTIALS. The volume stores sensitive information and should never leave your local machine.

Steps

  1. Create the service account credentials file to authenticate google services.
    This file should be saved in ~/.config/gcloud/ on Mac/Linux, or C:\Users\ on Windows.

  2. Download and save one of the scripts below into the same directory as your credentials. Use the bash script on Mac, Linux, or via properly configured Git BASH or WSL2 on Windows. Use the powershell script on Windows otherwise.

  3. Run the script. Note the quotes around the Windows path are required.

    Mac/Linux:

    cd ~
    chmod 775 local-credentials-setup.sh
    ./local-credentials-setup.sh /Users/<YOUR USER>/.config/gcloud/<YOUR SERVICE ACCOUNT FILE>.json <YOUR GOOGLE PROJECT>

    Windows:

    ./local-credentials-setup.ps1 "C:\Users\<YOUR USER>\<YOUR SERVICE ACCOUNT FILE>.json"
    
  4. Test that setup worked.

    $ docker run -v credentials-gcloud:/root/.config/gcloud google/cloud-sdk:latest gcloud config list
    [core]
    account = xxx@zxxx.iam.gserviceaccount.com
    disable_usage_reporting = True
    project = <YOUR PROJECT>
    
    Your active configuration is: [default]
    
  5. (Optional) Delete the setup script.
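Before running the setup script in step 3, it is worth confirming that the file from step 1 really is a service account key (and not, say, your own user ADC file), that it belongs to the project you intend to pass as the second argument, and that it is not world-readable, since it will be copied into the volume as-is. The following pre-flight check is an added example and not part of the gist. It assumes the standard layout of a key file downloaded from Google Cloud (a JSON object with `"type": "service_account"` plus `project_id`, `private_key_id`, `private_key`, `client_email`, `client_id` and `token_uri`); all sample key data in it is constructed, and the script name `check_sa_key.py` is hypothetical.

```python
"""Pre-flight check for the service account key file from step 1, before it is
copied into the credentials-gcloud volume.

Added example (not part of the gist). It assumes the standard layout of a key
file downloaded from Google Cloud: a JSON object with "type": "service_account"
plus project_id, private_key_id, private_key (PEM), client_email, client_id and
token_uri. All sample data below is constructed.
"""
import json
import os
import stat
import tempfile

IS_POSIX = os.name == "posix"

# Fields present in every service account key JSON exported from Google Cloud.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# CONSTRUCTED fake key used only for demonstration; not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEKEYMATERIAL\n-----END PRIVATE KEY-----\n",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def check_service_account_key(path, expected_project=None):
    """Return a list of problems with the key file at `path` (empty list means OK)."""
    problems = []
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot read {path} as JSON: {exc}"]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]

    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))

    # A user's own gcloud ADC file has type "authorized_user"; the gist mounts a
    # service account key, whose type is "service_account".
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")

    pem = data.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and "-----END PRIVATE KEY-----" in pem):
        problems.append("private_key is not a PEM-encoded private key")

    email = data.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} is not a service account address")

    if expected_project and data.get("project_id") != expected_project:
        problems.append(
            f"project_id {data.get('project_id')!r} does not match {expected_project!r}")

    # The key is a long-lived secret: on Mac/Linux it should be owner-readable only.
    if IS_POSIX:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(
                f"file mode {mode:04o} is readable by group/other; run: chmod 600 {path}")
    return problems


def write_sample_key(overrides=None, mode=0o600):
    """Write the CONSTRUCTED sample key to a fresh temp dir and return its path."""
    data = dict(SAMPLE_KEY)
    data.update(overrides or {})
    path = os.path.join(tempfile.mkdtemp(), "sample-service-account.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    import sys
    # Usage: python check_sa_key.py <path-to-key.json> [<google-project>]
    # With no arguments, the constructed sample key is checked instead.
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample_key()
    project = sys.argv[2] if len(sys.argv) > 2 else None
    found = check_service_account_key(target, project)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s); do not copy this file into the volume")
    sys.exit(1 if found else 0)
```

Run it against the real key path and project you intend to pass to the script; a non-zero exit means the file should not go into the volume yet. The permission check only applies on Mac/Linux, where the file should be `chmod 600`; on Windows the NTFS ACL is what matters and is not inspected here.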

# local-credentials-setup.ps1 - Windows (PowerShell) counterpart of local-credentials-setup.sh.
# Arg 0: The full local path to the google service account json file.
$SERVICE_ACCT_PATH = $args[0]
if (-not $SERVICE_ACCT_PATH) {
    Write-Error "Need to pass the full path to the google service account json file."
    exit 1
}
# Create volume that will store Google authorization.
docker volume create --name=credentials-gcloud
# Create temporary container so we can add files to our named volume
docker container create --name temp -v credentials-gcloud:/root/.config/gcloud google/cloud-sdk:latest
# Add local files to named volume
docker cp "$SERVICE_ACCT_PATH" temp:/root/.config/gcloud/application_default_credentials.json
# Remove container
docker rm temp
#!/bin/bash
# local-credentials-setup.sh
# Script to set up gcloud auth inside local containers.
# Usable on Mac, Linux, or via properly configured Git BASH or WSL2 on Windows.
# Note: Windows requires this script and credential files to be in the User directory,
# unless you have manually configured other paths to mount w/ the Docker VM.
# For a version for Windows using Powershell, see local-credentials-setup.ps1.
# Args:
#   $1: The full local path to the google service account json file.
#       Note: Docker only mounts the User folder by default on Windows,
#       so the service account json file should live in a subdirectory of that folder,
#       unless you have added additional local volume mounts.
#   $2: Your desired Google project.
set -e
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "Need to pass the full path to the google service account json file and the Google project." >&2
  echo "Usage: $0 <service account json path> <google project>" >&2
  exit 1
fi
LOCAL_SERVICE_ACCT_PATH="$1"
PROJECT="$2"
CONTAINER_SERVICE_ACCT_PATH="/root/.config/gcloud/application_default_credentials.json"
# Create a volume that will store Google authorization.
docker volume create --name=credentials-gcloud
# Create temporary container so we can add files to our named volume
docker container create --name temp \
  --volume credentials-gcloud:/root/.config/gcloud \
  google/cloud-sdk:latest
# Add local files to named volume
# The leading forward slash before $LOCAL_SERVICE_ACCT_PATH is required for Windows systems
# (Git BASH/WSL2 path handling); on Mac/Linux the doubled slash is harmless.
docker cp "/$LOCAL_SERVICE_ACCT_PATH" "temp:$CONTAINER_SERVICE_ACCT_PATH"
# Auth gcloud and docker with the service account
# This saves additional auth files inside /root/.config
# Run in the foreground with --rm so the script waits for activation to finish
# and no stopped container holding a mount of the volume is left behind.
docker run --rm --volume credentials-gcloud:/root/.config/gcloud \
  google/cloud-sdk:latest gcloud auth activate-service-account \
  --key-file="$CONTAINER_SERVICE_ACCT_PATH" --project="$PROJECT"
# Remove temporary container
docker rm temp