I am running an application inside of Docker that requires me to leverage google-bigquery. When I run it outside of Docker, I just have to go to the link below (redacted) and authorize. However, the link doesn't work when I copy-paste it from the Docker terminal. I have tried port mapping as well and no luck either.
Code:
credentials = service_account.Credentials.from_service_account_file(
key_path, scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
# Make clients.
client = bigquery.Client(credentials=credentials, project=credentials.project_id,)
Response:
requests_oauthlib.oauth2_session - DEBUG - Generated new state
Please visit this URL to authorize this application:
Please see the available solutions on this page, it's constantly updated.
gcloud credential helper
Standalone Docker credential helper
Access token
Service account key
In short you need to use a service account key file. Make sure you either use a Secret Manager, or you just issue a service account key file for the purpose of the Docker image.
You need to place the service account key file into the Docker container either at build or runtime.
Related
I'm trying to make a request in Go client.AnnotateVideo(ctx, &annotateVideoRequest) to the Google Cloud Video Intelligence API using the package cloud.google.com/go/videointelligence/apiv1.
I noticed that if I'm on a Google VM, i don't need any credentials or environment variable because the API says:
For API packages whose import path is starting with "cloud.google.com/go",
such as cloud.google.com/go/storage in this case, if there are no credentials
provided, the client library will look for credentials in the environment.
But I guess I can't authenticate because I'm running a Docker Container inside the Google VM, and I don't know if I really need a credentials file in that docker container, because I don't know if the library automatically creates a credentials file, or it just check if there is a $GOOGLE_APPLICATION_CREDENTIALS and then use that (But that makes no sense. I'm on a GOOGLE VM, and I'm supposed to have that permission).
The error is:
PermissionDenied: The caller does not have permissions
Some links that might be helpful:
https://pkg.go.dev/cloud.google.com/go/storage
https://cloud.google.com/docs/authentication#environment-service-accounts
https://cloud.google.com/docs/authentication/production#auth-cloud-implicit-go
https://cloud.google.com/video-intelligence/docs/common/auth#adc
Thanks in advance!
When I use to run either command:
gcloud auth application-default login
OR for a specific docker container
docker exec -it 822c4c491383 /home/astro/google-cloud-sdk/bin/gcloud auth application-default login.
My command line would give me a link to a google response page where I'd copy the code they gave me and write it in the command line.
For some reason now, whenever I try to do either command I'm getting the follow error, saying I don't have access to web browser.
You are authorizing client libraries without access to a web browser. Please run the following command on a machine with a web browser and
copy its output back here. Make sure the installed gcloud version is
372.0.0 or newer.
gcloud auth application-default login --remote-bootstrap="https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=FmMFY6gvpOa9xndMXmWiNG3W1jDrCe&access_type=offline&code_challenge=zUI4n_pnYE5V7p0diDQLmL0X0Sk8XpTDzhz_vwtukOo&code_challenge_method=S256&token_usage=remote"
I've tried copying the link that's inside of this and place it in my web browser but I get a page saying.
Error 400: invalid request Missing required parameter: redirect uri
Edit: Though not sure why this is happening now, I added the option "--no-launch-browser" to the end of both commands and it gives me the link to place in my browser now manually and copy code.
On versions of gcloud >= 383.0.0 (26 Apr 2022), Google have removed support for the --console-only and --no-launch-browser flags on their CLI. As far as I can see, they do not give a reason for this, but it is likely security related.
The new intended method for authenticating on a machine without a web browser, is to use the --no-browser flag and copy the command it gives you onto a machine that has both gcloud >= 372.0 and a web browser installed. In other words, it is no longer possible to do this purely on a machine with no browser. See the following steps copied directly from their documentation:
Follow these steps:
Copy the long command that begins with gcloud auth login --remote-bootstrap=".
Paste and run this command on the command line of a different, trusted machine that has local installations of both a web browser and the gcloud CLI version 372.0 or later.
Copy the long URL output from the machine with the web browser.
Paste the long URL back to the first machine under the prompt, Enter the output of the above command, and press Enter to complete the authorization.
Use gcloud init --console-only
"--console-only" below still works even though it's deprecated:
gcloud init --console-only
And "--no-launch-browser" below still works even though it's deprecated:
gcloud init --no-launch-browser
"--no-browser" below doesn't work yet but "--no-browser" will replace "--console-only" and "--no-launch-browser" so in the future, "--no-browser" will work while "--console-only" and "--no-launch-browser" won't work in the future:
gcloud init --no-browser
Because the redirect uri does not contain the whole URL, this can happen. This can be fixed by adjusting the Custom URL Base.
The result will look like this:
https://my_company_artifactory:444/artifactory
You should also double-check that the Custom URL Base and /api/oauth2/loginResponse are included in your Google OAuth settings page's Authorized redirect URIs.
Reviewing for more information, you can add your localhost URL to the redirect URL, it would say it's not possible at this time. When setting the redirect URL before hitting the create button, it accepts it just fine.
I have a parent project that has an artifact registry configured for docker.
A child project has a cloud run service that needs to pull its image from the parent.
The child project also has a service account that is authorized to access the repository via an IAM role roles/artifactregistry.writer.
When I try to start my service I get an error message:
Google Cloud Run Service Agent must have permission to read the image,
europe-west1-docker.pkg.dev/test-parent-project/docker-webank-private/node:custom-1.
Ensure that the provided container image URL is correct and that the
above account has permission to access the image. If you just enabled
the Cloud Run API, the permissions might take a few minutes to
propagate. Note that the image is from project [test-parent-project], which
is not the same as this project [test-child-project]. Permission must be
granted to the Google Cloud Run Service Agent from this project.
I have tested manually connecting with docker login and using the service account's private key and the docker pull command works perfectly from my PC.
cat $GOOGLE_APPLICATION_CREDENTIALS | docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev
> Login succeeded
docker pull europe-west1-docker.pkg.dev/bfb-cicd-inno0/docker-webank-private/node:custom-1
> OK
The service account is also attached to the cloud run service:
You have 2 types of service account used in Cloud Run:
The Google Cloud Run API service account
The Runtime service account.
In your explanation, and your screenshot, you talk about the runtime service account, the identity that will be used by the service when it runs and call Google Cloud API.
BUT before running, the service must be deployed. This time, it's a Google Cloud Run internal process that run to pull the container, create a revision and do all the required internal stuff. To do that job, a service account also exist, it's named "service agent".
In the IAM console, you can find it: the format is the following
service-<PROJECT_NUMBER>#serverless-robot-prod.iam.gserviceaccount.com
Don't forget to tick the checkbox in the upper right corner to include the Google Managed service account
If you want that this deployment service account be able to pull image in another project, grant on it the correct permission, not on the runtime service account.
I am trying to enable jwt authentication for my self-hosted (Docker) Jitsi server. There is a guide on self hosting with Docker and on that guide, it tells how to enable authentication. This is the guide: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
Now I will copy and paste the autentication part from that guide so that you can see it more clearly.
Authentication can be controlled with the environment
variables below. If guest access is enabled, unauthenticated users
will need to wait until a user authenticates before they can join a
room. If guest access is not enabled, every user will need to
authenticate before they can join.
Authentication using JWT tokens You can use JWT tokens to authenticate
users. To enable it you have to enable authentication with ENABLE_AUTH
and set AUTH_TYPE to jwt...
After these instructions, I changed my .env file. I did the configurations told above. Then I did docker-compose down. Then I removed the ~/.jitsi-meet-cfg and then created again with mkdir. Then I ran the command docker-compose up -d.
Then to try it, I am entering the URL:
https://{ip_add}:8443/room?jwt=randomwords
I am connecting to the server remotely thus I am accessing it with an ip. And because I did not provide a token, I should not be able to create/join to a meeting but I am able to. Whatever I write to the url I still can join.
Can someone help?
I'm running a docker private registry inside a kubernetes cluster using the standard registry:2 image. The image has basic functionality to provide user authentication using the Apache htpasswd utility.
In my case multiple users need to access the repository and therefore need to setup username passwords for multiple different users. What would be the best approach to implement this.
I got the single user htpsswd based authentication working, but does not seem to find a way to enable auth for multiple users i.e. having proper access control.
The registry is SSL enabled.(TLS at the ingress level)
There are multiple ways this could be done. First of all its possible to have multiple users in the htpasswd file. It was not working with docker becasue docker required the passwords to be hashed using bcrypt algorithm.
Use the -B flag while creating the htpasswd file.
sudo htpasswd -c -B /etc/apache2/.htpasswd <username1>
Another way this could be done, is using nginx authentication annotations.
nginx.ingress.kubernetes.io/auth-url: "url to auth service"
If the service return 200, nginx forwards the request or else returns authentication error response. With this you could have a lot of custom logic as you create and manage the authentication server.