alphanumeric

Reputation: 19329

How to authenticate Docker container with Google Service

The Docker container runs a Python server and publishes messages to Google Pubsub message service.

In order for this container to be able to use the Google Pubsub service, I set the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing it to the service_key.json file that I downloaded after creating a Service Account Key by opening the Google Cloud Console and then navigating to:

APIs & Services > Credentials > Create Credentials > Service Account Key.


The service_key.json file needs to be copied to the container's local disk, otherwise it won't be able to read it.

While this approach works, and the Docker container is now authorized to use the Google Pubsub service with the service_key.json file credentials, I believe it is not a very secure solution, since the service_key.json file is now hosted in the cloud together with the container itself.

Is there a way to authorize the Docker container with the Google Service credentials without copying service_key.json file to its local disk?

Upvotes: 3

Views: 4560

Answers (2)

user3258557

Reputation: 31

Based on their documentation

https://googleapis.dev/ruby/google-cloud-pubsub/latest/file.AUTHENTICATION.html

set the contents of the JSON file to this variable:

PUBSUB_CREDENTIALS - Path to JSON file, or JSON contents

This other post may help you address multi-line issues when trying to set this with docker run (this post references "docker build", but it's the same idea).

Upvotes: 0

DazWilkin

Reputation: 40061

Are you doing something like this?

docker run ... \
  --volume=${LOCAL_PATH}/secrets/service_key.json:/secrets/key.json \
  --env=GOOGLE_APPLICATION_CREDENTIALS=/secrets/key.json \
  mycontainerimage

NB Remapping service_key.json --> key.json for clarity of intent

This doesn't address the need to mount the key on the host running the container but it does address the need to put the key in the container.

As long as you can secure the host (!), the key will be reasonably secure. You should include a process whereby you rotate keys frequently too. This requires more work in (re)distributing keys but it reduces the risk of lost keys.

Using keys, you're always going to have to protect the key while exposing it at potentially insecure locations.

If your containers are running on a Google Cloud Platform compute service (App Engine, Compute, Kubernetes, Run), Application Default Credentials can use the resource's service account (no key).

For other types of credentials (to my knowledge not Google Service Accounts), you may also consider key management services including Cloud KMS, HashiCorp Vault.

Upvotes: 5
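As an added example (my own helpers, not code from either answer): a small POSIX shell script for the volume-mount pattern above. It generates the mount plus environment arguments so that the in-container key path and GOOGLE_APPLICATION_CREDENTIALS cannot drift apart, checks an existing argument list for that mismatch, and flags a Dockerfile that would bake a key file into the image. The host key path and the in-container path /secrets/key.json are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the key is mounted read-only
# at CONTAINER_KEY_PATH; the host path is whatever the caller passes in.

CONTAINER_KEY_PATH=/secrets/key.json

# Print docker run arguments that mount the key read-only and point
# GOOGLE_APPLICATION_CREDENTIALS at exactly the same in-container path.
gcp_key_run_args() {
    host_key="$1"
    printf '%s\n' \
        "--volume=${host_key}:${CONTAINER_KEY_PATH}:ro" \
        "--env=GOOGLE_APPLICATION_CREDENTIALS=${CONTAINER_KEY_PATH}"
}

# Read docker run arguments (one per line on stdin) and verify that the
# GOOGLE_APPLICATION_CREDENTIALS path is really a volume mount destination.
# Returns 0 when consistent, 1 when the env var points at an unmounted path.
check_key_mount_consistent() {
    env_path=""
    mounts=""
    while IFS= read -r arg; do
        case "$arg" in
            --env=GOOGLE_APPLICATION_CREDENTIALS=*)
                env_path="${arg#--env=GOOGLE_APPLICATION_CREDENTIALS=}" ;;
            --volume=*)
                spec="${arg#--volume=}"
                dest="${spec#*:}"      # drop host path
                dest="${dest%%:*}"     # drop options such as :ro
                mounts="$mounts $dest" ;;
        esac
    done
    [ -n "$env_path" ] || return 1
    for m in $mounts; do
        [ "$m" = "$env_path" ] && return 0
    done
    return 1
}

# Return 0 if the Dockerfile COPYs or ADDs something that looks like a
# credential JSON file into the image; such keys belong in a mount, not a layer.
dockerfile_copies_key() {
    grep -Eiq '^(COPY|ADD)[[:space:]].*(key|credential)[^[:space:]]*\.json' "$1"
}
```

Run the generated arguments through check_key_mount_consistent in a pre-deploy script, and the Dockerfile check in CI, so the mismatch in the original docker run snippet (mount at /secrets, env var at /service) is caught before the container starts.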
