Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authenticating standalone gsutil in containers in Cloud ML Engine on Kubernetes with Workload Identity

Tags:

kubernetes

gsutil

google-cloud-ml

google-cloud-ai

I'm launching container images on Google Cloud AI Training (Cloud ML Engine)

Inside those containers I need to use gsutil. Some containers have gsutil. In that case I can use it right away without any authentication steps.

Some containers do not have gsutil, so I have to install it. The problem is that the installed gsutil does not work.

When I'm using the official cloud-sdk image, gsutil works without any auth steps.

When I use the python:3.7 image and install gsutil from PyPI it does not work:

python -m pip install gsutil --quiet
gsutil cp a gs://b/c

ServiceException: 401 Anonymous caller does not have storage.objects.get access to ...

How can I make it so that the standalone gsutil obtains the needed credentials?

Most guides focus on manually calling gcloud auth, copying URL and copying back the token. This is not the solution that I seek (which should be automated). I know that the automated solution is possible since in some images gsutil works out of the box.

like image 777
Ark-kun Avatar asked Apr 23 '20 10:04

Ark-kun

People also ask

How does workload identity work?

Workload Identity allows a Kubernetes service account in your GKE cluster to act as an IAM service account. Pods that use the configured Kubernetes service account automatically authenticate as the IAM service account when accessing Google Cloud APIs.

1 Answers

This is because that pip install gsutil alone does not configure the credentials, which is why it's anonymous user as the error says. You'll want to configure credentials to access protected data.

Put following line in your docker file and it should work:

RUN echo '[GoogleCompute]\nservice_account = default' > /etc/boto.cfg

It's to configure gsutil to use the default service account.

like image 158
Bo yang Avatar answered Oct 06 '22 08:10

Bo yang
Sign in to Comment

Related questions

Kubernetes get nodeport mappings in a pod
where to override .Release.Name in helm
Advantage of using configmaps for environment variables with Kubernetes/Helm
Kubernetes metrics-server: Error from server (ServiceUnavailable): the server is currently unable to handle the request
Make systemctl work from inside a container in a debian stretch image
Permissions on GKE cluster
Authenticating to GKE master in Python
Failing K8s rabbitmq-peer-discovery-k8s clustering
Is there any way to exec into an initContainer in Kubernetes
How can I manually set values on a Kubernetes object using kubectl create?
Is it possible to have the same PVC as two volumes in kubernetes?
How to get programmatically the current GKE project id from one of its clusters?
How do I move pods to a new node pool/ instance group
Kubernetes Job failed with no logs, no termination reason, no events
python kubernetes watch pod logs not working
Kubernetes jobs and back-off limit values: is the value a number of retries or minutes?
eks iam roles for services account not working
Monitor only one namespace metrics - Prometheus with Kubernetes
How can I create a Kubernetes Secret with Ansible?
Limit the number of pods per node

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!