GOOGLE_APPLICATION_CREDENTIALS Undefined in Cloud Run Container

Question

I am trying to log into gcloud from inside of a Cloud Run container. I know this is not the best thing to do, but it is what the situation requires.

When accessing the GOOGLE_APPLICATION_CREDENTIALS in my entrypoint script inside of the container

gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
gcloud config set project "$PROJECT_ID"

authenticatin fails because GOOGLE_APPLICATION_CREDENTIALS is not set to anything. It is empty; undefined. No path.

These are the commands I am using to deploy (with the env vars set obviously):

gcloud builds submit --tag "gcr.io/${GOOGLE_CLOUD_PROJECT}/tester"
gcloud run deploy --image "gcr.io/${GOOGLE_CLOUD_PROJECT}/tester" --service-account "testerkey@${GOOGLE_CLOUD_PROJECT}.iam.gserviceaccount.com" --platform managed

I have also tried to deploy without specifying the service account to use the default one, and that does not seem to work either.

Any advice appreciated! Thanks!

Answer 1

Services running inside Google services do not use GOOGLE_APPLICATION_CREDENTIALS, they have a metadata server that provides the token for the service account without injecting the private key. Defined here

You can just use gcloud without using the gcloud auth activate-service-account command