I have just installed gcloud on a docker container.
When I try to run a command locally, I get the following error (which makes sense):
root@3c4b9a147de7:/# gcloud projects list
ERROR: (gcloud.projects.list) You do not currently have an active account selected.
Please run:
$ gcloud auth login
to obtain new credentials, or if you have already logged in with a
different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
If I set the service account appropriately (to the service which the container will run from), will the above command work?
At the moment, yes, it's failing because the root account that you are using is running locally, as you say, so it doesn't have any permissions regarding your project.
When something is run through Cloud Run, it uses the Compute Engine service account by default. If that account has the permissions needed, then the command will succeed. Take a look at authentication in Cloud Build here. Something similar would apply for GKE regarding the service account, as you can find here.
gcloud auth login is not recommended in a container because it references your identity. Prefer a service account. Store it in your container and define the environment variable GOOGLE_APPLICATION_CREDENTIAL to point to this file.
You can also run gcloud auth activate-service-account with your service account file as a parameter during your container build.
HOWEVER, it's not recommended to use this tool in a container. With Cloud Run, it's even possible that this call will be blocked (I have never tried, but take care of the sandbox environment execution). Prefer the libs or the direct call to the API.
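The direct API call this answer prefers, as an added example that is not part of the original answer: the code asks the metadata server for a short-lived token of the service account attached to the workload and lists projects through the Cloud Resource Manager v1 API, so no key file is stored in the image. The function names and the injectable fetch transport are this example's own, and the metadata server is assumed to be reachable (as it is on Cloud Run, Compute Engine and GKE).

```python
import json
import urllib.parse
import urllib.request

# Assumed endpoints: the Google metadata server and Cloud Resource Manager v1.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)
PROJECTS_URL = "https://cloudresourcemanager.googleapis.com/v1/projects"


def http_get_json(url, headers, timeout=5):
    """Default transport: GET a URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def get_access_token(fetch=http_get_json):
    """Ask the metadata server for a token of the attached service account."""
    body = fetch(METADATA_TOKEN_URL, {"Metadata-Flavor": "Google"})
    token = body.get("access_token")
    if not token or body.get("token_type") != "Bearer":
        raise RuntimeError("metadata server did not return a bearer token")
    return token


def list_projects(fetch=http_get_json):
    """Rough equivalent of `gcloud projects list`, following pagination."""
    headers = {"Authorization": "Bearer " + get_access_token(fetch)}
    project_ids, page_token = [], None
    while True:
        url = PROJECTS_URL
        if page_token:
            url += "?pageToken=" + urllib.parse.quote(page_token)
        page = fetch(url, headers)
        project_ids += [p["projectId"] for p in page.get("projects", [])]
        page_token = page.get("nextPageToken")
        if not page_token:
            return project_ids


if __name__ == "__main__":
    # Needs a reachable metadata server and a service account allowed to list projects.
    for pid in list_projects():
        print(pid)
```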
If I set the service account appropriately (to the service which the container will run from), will the above command work?
I am not sure what you mean by "to the service which the container will run from". The service might have credentials assigned to it, but anything inside the container will not know this.
To use a service account with the Google Cloud SDK CLI, you need to configure the CLI to use the service account. The following command does this. Replace SA_EMAIL with your service account's email address. The email address can be found inside the service account JSON key file.
gcloud auth activate-service-account SA_EMAIL --key-file=service_account.json
After you run this command, save the container so that the credentials will still be there the next time you launch this container.
If the Docker container has the gcloud SDK installed (Google Cloud SDK Shell), run the Google Cloud SDK to authenticate using $ gcloud auth login
After this you can run the gcloud command line. Check as well the path in the environment variables for the gcloud directory.