Skip to content

Instantly share code, notes, and snippets.

@spmason spmason/README.md
Last active May 3, 2019

Embed
What would you like to do?
withGCloudCredentials Jenkins pipeline library plugin

This code is a Jenkins Shared Library plugin that allows you to run a command with specific gcloud credentials stored in Jenkins by the google-oauth-plugin

Note: You must have the "Google Cloud SDK" plugin installed, and a custom tool called gcloud setup for the activation to work (though this should work without that if you have another way of getting gcloud onto your slave machine)

Usage:

withGCloudCredentials(<projectName>, <credentialsId>) {
  sh "gcloud <command>"
  sh "gsutil <command>"
}

credentialsId is optional, if left out it defaults to the projectName given as the first arg

import java.io.File
import hudson.FilePath
import hudson.util.Secret
import jenkins.model.Jenkins
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials
import com.google.jenkins.plugins.credentials.oauth.GoogleOAuth2ScopeRequirement
import org.apache.commons.io.IOUtils
@NonCPS
private def getCredentials(credentialsId) {
def build = currentBuild.rawBuild
CredentialsProvider.findCredentialById(
credentialsId,
GoogleRobotPrivateKeyCredentials.class,
build,
new GoogleOAuth2ScopeRequirement() {
@Override
public Collection<String> getScopes() {
return null;
}
}
);
}
private def copyLocalKeyFile(keyFilePath) {
def channel = Jenkins.getInstance().getComputer('master')
remoteKeyFile = new FilePath(channel, keyFilePath)
json = Secret.decrypt(remoteKeyFile.readToString()).getPlainText()
writeFile encoding: 'UTF-8', file: '.auth/gcloud.json', text: json
return pwd() + "/.auth/gcloud.json"
}
def call(projectId, credentialsId = null, body) {
if (!credentialsId) {
credentialsId = projectId
}
def serviceAccount = getCredentials(credentialsId).getServiceAccountConfig();
def keyFile = copyLocalKeyFile(serviceAccount.getJsonKeyFile())
def accountId = serviceAccount.getAccountId()
def gcloud = tool 'gcloud'
withEnv(["PATH+GCLOUD=${gcloud}/bin","CLOUDSDK_CORE_PROJECT=$projectId","GOOGLE_APPLICATION_CREDENTIALS=$keyFile"]) {
sh "gcloud auth activate-service-account $accountId --key-file=$keyFile"
try {
body()
} finally {
sh "gcloud auth revoke $accountId && rm $keyFile"
}
}
}
import hudson.util.Secret
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials
import com.google.jenkins.plugins.credentials.oauth.GoogleOAuth2ScopeRequirement
@NonCPS
private def getCredentials(credentialsId) {
def build = currentBuild.rawBuild
CredentialsProvider.findCredentialById(
credentialsId,
GoogleRobotPrivateKeyCredentials.class,
build,
new GoogleOAuth2ScopeRequirement() {
@Override
public Collection<String> getScopes() {
return null;
}
}
);
}
private def writeKeyFile(jsonKey) {
def json = Secret.decrypt(new String(jsonKey.getPlainData())).getPlainText()
writeFile encoding: 'UTF-8', file: '.auth/gcloud.json', text: json
return pwd() + "/.auth/gcloud.json"
}
def call(projectId, credentialsId = null, body) {
if (!credentialsId) {
credentialsId = projectId
}
def serviceAccount = getCredentials(credentialsId).getServiceAccountConfig();
def keyFile = writeKeyFile(serviceAccount.getSecretJsonKey())
def accountId = serviceAccount.getAccountId()
def gcloud = tool 'gcloud'
withEnv(["PATH+GCLOUD=${gcloud}/bin","CLOUDSDK_CORE_PROJECT=$projectId","GOOGLE_APPLICATION_CREDENTIALS=$keyFile"]) {
sh "gcloud auth activate-service-account $accountId --key-file=$keyFile"
try {
body()
} finally {
sh "gcloud auth revoke $accountId && rm $keyFile"
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.