Skaffold: CloudBuild uses application default credentials ONLY

Created on 16 Apr 2019 · 6 Comments · Source: GoogleContainerTools/skaffold

CloudBuild without application default credentials throws error

time="2019-04-16T21:53:31+09:00" level=fatal msg="build failed: building [gcr.io/xxx/go-hello-world]: getting google client: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information."

Expected behavior

Check if active account is set. If so, use it. If not, try using application default creds

Actual behavior

Trying to use application default creds even though there is an active account set.

Information

  • Skaffold version: 0.26.0
  • Operating system: Windows (Repros on any OS)
  • Contents of skaffold.yaml:
apiVersion: skaffold/v1beta6
kind: Config
build:
  tagPolicy:
    sha256: {}
  # defines where to find the code at build time and where to push the resulting image
  artifacts:
  - image: python-guestbook-backend
    context: src/backend
  - image: python-guestbook-frontend
    context: src/frontend
# defines the Kubernetes manifests to deploy on each run
deploy:
  kubectl:
    manifests:
    - ./kubernetes-manifests/**.yaml
profiles:
# use the cloudbuild profile to build images using Google Cloud Build
- name: cloudbuild
  build:
    googleCloudBuild: {}

Steps to reproduce the behavior

Deploy from "Cloud Code" without default application creds.

area/build build/gcb cloud-code kind/feature-request priority/p0

All 6 comments

Thanks for filing this!

  1. Active user

Trying to use application default creds even though there is an active account set.

What do you mean by active account set? The active user logged in for gcloud?

We are using google's client library under the hood that follows the standard ADC flow: https://github.com/GoogleContainerTools/skaffold/blob/master/vendor/golang.org/x/oauth2/google/default.go#L77

I guess skaffold could detect an auth error and then ask if the user wants to run "gcloud auth application-default login" but that is not necessarily the best idea either as it's promoting a potentially dangerous pattern: it is _good_ to have the user explicitly define that "yes, use my user credentials for application development", because user creds tend to be more powerful than the service accounts.

  2. You can use service accounts for accessing the cloud: You should be able to set GOOGLE_APPLICATION_CREDENTIALS env var pointing to the service account json

More info: https://developers.google.com/accounts/docs/application-default-credentials
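
Added example, not part of the comment above and not Skaffold's code: a preflight that walks the two file-based steps of the standard ADC search the comment refers to and reports whether the file that would be loaded holds user or service-account credentials. The `adcSource` type and both function names are hypothetical; the file locations and the `type` values are those of gcloud-generated credential files.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// adcSource is the file-based credential the ADC search would load (hypothetical type).
type adcSource struct {
	Path, From, Type string // From is "env" or "well-known"
	UserCred         bool   // true for end-user (gcloud login) credentials
}

// wellKnownADCPath is where `gcloud auth application-default login` writes its file.
func wellKnownADCPath(goos, home, appData string) string {
	if goos == "windows" {
		return filepath.Join(appData, "gcloud", "application_default_credentials.json")
	}
	return filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
}

// resolveADC follows the two file-based ADC steps in order; the active gcloud account
// is never consulted. The App Engine and metadata-server steps are not probed.
func resolveADC(envPath, wellKnown string) (adcSource, error) {
	src := adcSource{Path: envPath, From: "env"}
	if envPath == "" {
		src = adcSource{Path: wellKnown, From: "well-known"}
	}
	raw, err := os.ReadFile(src.Path)
	if err != nil {
		return adcSource{}, fmt.Errorf("no usable ADC file (%s): %w", src.From, err)
	}
	var f struct{ Type string `json:"type"` }
	if err := json.Unmarshal(raw, &f); err != nil || f.Type == "" {
		return adcSource{}, fmt.Errorf("%s: not a credential JSON file", src.Path)
	}
	src.Type, src.UserCred = f.Type, f.Type == "authorized_user"
	return src, nil
}

func main() {
	home, _ := os.UserHomeDir()
	wk := wellKnownADCPath(runtime.GOOS, home, os.Getenv("APPDATA"))
	src, err := resolveADC(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"), wk)
	fmt.Printf("%+v err=%v\n", src, err)
}
```

A result with `UserCred` true means the build would run with the developer's own login rather than a scoped service account, which is the case the comment asks users to opt into explicitly.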

We use active user from gcloud auth list. Although I understand that Skaffold prefers ADC, it would be if you can expose a way to let Skaffold know which account to use.

I get this issue also. I followed the vs code cloud extension setup. I use the skaffold profile cloudbuild.

Error is :

msg="build failed: building [gcr.io/cloud-build-1/helloworld]: getting google client: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information."

dug into this one a little bit, it looks like there's problems on both ends here. in skaffold we're creating the oauth client for making cloud build requests using the default credentials only, which obviously isn't right. but it turns out that the flow for creating a client from authenticated user credentials from the oauth stdlib is broken, because it's hardcoded to use a credentials file which has been deprecated from the cloud SDK for a while: https://github.com/golang/oauth2/issues/382.

for now, it looks like the best workaround is to run gcloud auth application-default login, which will generate ADCs on your host machine and allow skaffold to create an oauth client successfully. sorry we don't have a better answer for you right now 😞

So, it looks like this is cropping up more and more for users and also gives an inconsistent experience in VSCode Cloud Code, that uses gcloud config config-helper to extract the token for the active account. At least for Cloud Code we should provide a way to call skaffold with "active user authentication" - with a "--gcloud-active-user-auth" flag. @redborian are you falling back to Active user when ADC fails or you are always using Active user? we should align on this.

@balopat we always use "active" user. If the user does not have an "active" account, we complain "Not logged in".
