
@spmason
Last active May 3, 2019 10:58
withGCloudCredentials Jenkins pipeline library plugin

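This code is a Jenkins Shared Library plugin that allows you to run a command with specific gcloud credentials stored in Jenkins by the google-oauth-plugin. While the block runs, the decrypted service-account key is held in plain text at .auth/gcloud.json in the workspace; the cleanup step revokes the account and removes the file afterwards.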

Note: You must have the "Google Cloud SDK" plugin installed, and a custom tool called gcloud set up, for the activation to work (though this should work without that if you have another way of getting gcloud onto your slave machine).

Usage:

withGCloudCredentials(<projectName>, <credentialsId>) {
  sh "gcloud <command>"
  sh "gsutil <command>"
}

credentialsId is optional; if left out, it defaults to the projectName given as the first argument.

import java.io.File
import hudson.FilePath
import hudson.util.Secret
import jenkins.model.Jenkins
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials
import com.google.jenkins.plugins.credentials.oauth.GoogleOAuth2ScopeRequirement
import org.apache.commons.io.IOUtils
/**
 * Looks up a Google service-account credential by id, scoped to the running build.
 *
 * Marked @NonCPS, presumably because the raw build object obtained from
 * currentBuild.rawBuild should not be held across a pipeline checkpoint.
 *
 * @param credentialsId id of the credential as stored in Jenkins
 * @return whatever CredentialsProvider.findCredentialById yields for that id;
 *         callers should expect null when nothing matches
 */
@NonCPS
private def getCredentials(credentialsId) {
    def run = currentBuild.rawBuild

    // The scope requirement reports no scopes at all (getScopes() yields null),
    // so the lookup is not narrowed to any particular OAuth scope.
    def scopeRequirement = new GoogleOAuth2ScopeRequirement() {
        @Override
        Collection<String> getScopes() {
            null
        }
    }

    return CredentialsProvider.findCredentialById(
        credentialsId,
        GoogleRobotPrivateKeyCredentials,
        run,
        scopeRequirement
    )
}
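/**
 * Reads the encrypted key file at keyFilePath, decrypts it and writes the
 * plain-text JSON key to .auth/gcloud.json in the current workspace directory.
 *
 * The returned file holds an unencrypted service-account key: the caller is
 * responsible for deleting it, and .auth/ should never be archived or stashed.
 *
 * @param keyFilePath path of the encrypted JSON key file
 * @return absolute path of the plain-text key file that was written
 */
private def copyLocalKeyFile(keyFilePath) {
    // NOTE(review): getComputer(...) returns a Computer although the variable is
    // named "channel"; confirm this resolves to the intended FilePath constructor.
    def channel = Jenkins.getInstance().getComputer('master')

    // Declared with `def` so the FilePath and the decrypted key stay local to this
    // call instead of being stored in the script binding, which outlives it.
    def remoteKeyFile = new FilePath(channel, keyFilePath)
    def json = Secret.decrypt(remoteKeyFile.readToString())?.getPlainText()
    if (json == null) {
        // Secret.decrypt yields null for text it cannot decrypt; fail with a clear
        // message (and without echoing any key material) rather than an NPE.
        error "withGCloudCredentials: could not decrypt the service account key file"
    }

    writeFile encoding: 'UTF-8', file: '.auth/gcloud.json', text: json
    return pwd() + "/.auth/gcloud.json"
}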
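/**
 * Runs body with gcloud authenticated as the service account stored under
 * credentialsId, then revokes the account and deletes the key file.
 *
 * While body runs, the plain-text key is on disk in the workspace and its path is
 * exported as GOOGLE_APPLICATION_CREDENTIALS, so every step inside body can read it.
 *
 * @param projectId     value exported as CLOUDSDK_CORE_PROJECT
 * @param credentialsId id of the stored credential; defaults to projectId when empty
 * @param body          closure to run while the credentials are active
 * @return the result of the withEnv block wrapping body
 */
def call(projectId, credentialsId = null, body) {
    if (!credentialsId) {
        credentialsId = projectId
    }

    def credentials = getCredentials(credentialsId)
    if (credentials == null) {
        // Fail with the credential id rather than a NullPointerException below.
        error "withGCloudCredentials: no Google service account credentials found for id '${credentialsId}'"
    }

    def serviceAccount = credentials.getServiceAccountConfig()
    def accountId = serviceAccount.getAccountId()
    def keyFile = copyLocalKeyFile(serviceAccount.getJsonKeyFile())

    // Single-quote the values for the shell so a workspace path containing spaces
    // or shell metacharacters cannot split or alter the commands below.
    def quotedAccount = "'" + accountId.toString().replace("'", "'\\''") + "'"
    def quotedKeyFile = "'" + keyFile.toString().replace("'", "'\\''") + "'"

    // From here on the plain-text key exists on disk: the outer finally removes it
    // on every exit path, including a failed tool lookup, activation or revoke.
    try {
        def gcloud = tool 'gcloud'
        withEnv(["PATH+GCLOUD=${gcloud}/bin", "CLOUDSDK_CORE_PROJECT=$projectId", "GOOGLE_APPLICATION_CREDENTIALS=$keyFile"]) {
            sh "gcloud auth activate-service-account ${quotedAccount} --key-file=${quotedKeyFile}"
            try {
                body()
            } finally {
                // Only reached after a successful activation.
                sh "gcloud auth revoke ${quotedAccount}"
            }
        }
    } finally {
        sh "rm -f ${quotedKeyFile}"
    }
}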
import hudson.util.Secret
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials
import com.google.jenkins.plugins.credentials.oauth.GoogleOAuth2ScopeRequirement
/**
 * Finds the Google service-account credential with the given id, using the
 * running build as the lookup context.
 *
 * Marked @NonCPS, presumably because the raw build object obtained from
 * currentBuild.rawBuild should not be held across a pipeline checkpoint.
 *
 * @param credentialsId id of the credential as stored in Jenkins
 * @return whatever CredentialsProvider.findCredentialById yields for that id;
 *         callers should expect null when nothing matches
 */
@NonCPS
private def getCredentials(credentialsId) {
    def run = currentBuild.rawBuild

    // The scope requirement reports no scopes at all (getScopes() yields null),
    // so the lookup is not narrowed to any particular OAuth scope.
    def scopeRequirement = new GoogleOAuth2ScopeRequirement() {
        @Override
        Collection<String> getScopes() {
            null
        }
    }

    return CredentialsProvider.findCredentialById(
        credentialsId,
        GoogleRobotPrivateKeyCredentials,
        run,
        scopeRequirement
    )
}
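/**
 * Decrypts the stored JSON key and writes it in plain text to .auth/gcloud.json
 * in the current workspace directory.
 *
 * The returned file holds an unencrypted service-account key: the caller is
 * responsible for deleting it, and .auth/ should never be archived or stashed.
 *
 * @param jsonKey secret holding the encrypted JSON key; its getPlainData() bytes
 *                are decoded to text and passed through Secret.decrypt
 * @return absolute path of the plain-text key file that was written
 */
private def writeKeyFile(jsonKey) {
    // Decode with an explicit charset instead of the controller's platform default.
    def encrypted = new String(jsonKey.getPlainData(), 'UTF-8')
    def json = Secret.decrypt(encrypted)?.getPlainText()
    if (json == null) {
        // Secret.decrypt yields null for text it cannot decrypt; fail with a clear
        // message (and without echoing any key material) rather than an NPE.
        error "withGCloudCredentials: could not decrypt the service account JSON key"
    }

    writeFile encoding: 'UTF-8', file: '.auth/gcloud.json', text: json
    return pwd() + "/.auth/gcloud.json"
}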
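/**
 * Runs body with gcloud authenticated as the service account stored under
 * credentialsId, then revokes the account and deletes the key file.
 *
 * While body runs, the plain-text key is on disk in the workspace and its path is
 * exported as GOOGLE_APPLICATION_CREDENTIALS, so every step inside body can read it.
 *
 * @param projectId     value exported as CLOUDSDK_CORE_PROJECT
 * @param credentialsId id of the stored credential; defaults to projectId when empty
 * @param body          closure to run while the credentials are active
 * @return the result of the withEnv block wrapping body
 */
def call(projectId, credentialsId = null, body) {
    if (!credentialsId) {
        credentialsId = projectId
    }

    def credentials = getCredentials(credentialsId)
    if (credentials == null) {
        // Fail with the credential id rather than a NullPointerException below.
        error "withGCloudCredentials: no Google service account credentials found for id '${credentialsId}'"
    }

    def serviceAccount = credentials.getServiceAccountConfig()
    def accountId = serviceAccount.getAccountId()
    def keyFile = writeKeyFile(serviceAccount.getSecretJsonKey())

    // Single-quote the values for the shell so a workspace path containing spaces
    // or shell metacharacters cannot split or alter the commands below.
    def quotedAccount = "'" + accountId.toString().replace("'", "'\\''") + "'"
    def quotedKeyFile = "'" + keyFile.toString().replace("'", "'\\''") + "'"

    // From here on the plain-text key exists on disk: the outer finally removes it
    // on every exit path, including a failed tool lookup, activation or revoke.
    try {
        def gcloud = tool 'gcloud'
        withEnv(["PATH+GCLOUD=${gcloud}/bin", "CLOUDSDK_CORE_PROJECT=$projectId", "GOOGLE_APPLICATION_CREDENTIALS=$keyFile"]) {
            sh "gcloud auth activate-service-account ${quotedAccount} --key-file=${quotedKeyFile}"
            try {
                body()
            } finally {
                // Only reached after a successful activation.
                sh "gcloud auth revoke ${quotedAccount}"
            }
        }
    } finally {
        sh "rm -f ${quotedKeyFile}"
    }
}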