I have a Java Spring Boot Application deployed in GCP Cloud Run that tries to access Cloud KMS, However when the below code is executed it fails,
KeyManagementServiceClient client = KeyManagementServiceClient.create()
The error that occurs is,
java.io.IOException: The Application Default Credentials are not available.
They are available if running in Google Compute Engine.
Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS
must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials
for more information.
at com.google.auth.oauth2.DefaultCredentialsProvider.getDefaultCredentials(DefaultCredentialsProvider.java:134)
at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault(GoogleCredentials.java:125)
at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault(GoogleCredentials.java:97)
at com.google.api.gax.core.GoogleCredentialsProvider.getCredentials(GoogleCredentialsProvider.java:70)
at com.google.api.gax.rpc.ClientContext.create(ClientContext.java:168)
at com.google.cloud.kms.v1.stub.GrpcKeyManagementServiceStub.create(GrpcKeyManagementServiceStub.java:458)
at com.google.cloud.kms.v1.stub.KeyManagementServiceStubSettings.createStub(KeyManagementServiceStubSettings.java:668)
at com.google.cloud.kms.v1.KeyManagementServiceClient.<init>(KeyManagementServiceClient.java:191)
at com.google.cloud.kms.v1.KeyManagementServiceClient.create(KeyManagementServiceClient.java:173)
at com.google.cloud.kms.v1.KeyManagementServiceClient.create(KeyManagementServiceClient.java:164)
at ..................................................................................
In my understanding, as long as the Service Account using which the Cloud Run Service runs has the required role(s) to access the other GCP service(s), this scenario should work fine.
Why is that the KeyManagementServiceClient creation process expecting an explicit GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to the Service Account Key file here?
Please advise.
After deploying the cloud run application using gcloud run deploy with proxy settings like below --set-env-vars "_JAVA_OPTIONS=-Dhttps.proxyHost=<<https proxy>> -Dhttp.proxyHost=<<http proxy>> -Dhttps.proxyPort=<<https port>> -Dhttp.proxyPort=<<http port>>, the exception is gone.
It appears like the GoogleCredentials.getApplicationDefault() call makes an authentication call to Google APIs using the Cloud Run's service account and for this call to work, it needs the Internet Proxy as our GCP environment resides inside our VPN.
Related
I'm trying to connect an automated build. In the app I connect to a google api and in Cloud Run I access secrets both using different service accounts. It's just a test app so nothing major but I keep getting hung up with cloud build using the service account that I use to access the api to run the app. Anybody know of a way to dictate which service account is used to run the app while still using the key to access the api. My thinking is it has to be done in the build process with something in my cloudbuild.yaml or maybe can't be done?
The cloud build process is carried out by a special service account that handles everything. You can delegate the auth to other accounts but there really isn't any need. Running the container in cloud run and choosing a service account to access secrets is easy (from Cloud Run choose edit and deploy => security tab) and that service account has no bearing on how you access other api's with creds.json you add at runtime.
Although I've gave Owner role to that specific service, I can't use the permissions from my instances that I connect with SSH from my local.
Also can't upload my files to Storage bucket which I've created in cloud platform.
Here is the screenshots of the problem:
The problem might be caused by the access token not having the appropriate permission scopes to conduct the required activity. To make sure you're using the auth scope of this service account appropriately, I recommend doing the following:
Run the command in the Google documentation inside the VM to
create a new key for the service account. This will create a .json
file inside the current directory containing the private
authentication key for the service account.
Run the command in the Google documentation to activate the
service account.
Run the command: $gcloud auth list to check if this worked.
In the output you should see an asterisk before the service
account’s name, indicating that this is the service account you are
currently using.
Now refer to the Google documentation and run the $env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Google Cloud Compute VMs have a setting for Access Scopes. This feature can limit the permissions that a service account has when attached to a virtual machine.
Go to the Google Cloud Console GUI, select your VM, stop the VM and then edit Acess Scopes to grant the permissions you require.
Access scopes
I would like to connect to a Cloud SQL instance from Cloud Run, using a service account. The connection used to be created within the VPC and we would just provide a connection string with a user and a password to our PostgreSQL client. But now we want the authentication to be managed by Google Cloud IAM, with the service account associated with the Cloud Run service.
On my machine, I can use the enable_iam_login argument to use my own service account. The command to run the Cloud SQL proxy would look like this:
./cloud_sql_proxy -dir=/cloudsql -instances=[PROJECT-ID]:[REGION]:[INSTANCE] \
-enable_iam_login -credential_file=${HOME}/.config/gcloud/application_default_credentials.json
The problem is that I can't seem to find a way to use the IAM authentication method to run the Cloud SQL Proxy from Cloud Run, I can just provide an instance name. Has anyone face this problem before?
Unfortunately, there isn't a way to configure Cloud Run's use of the Cloud SQL proxy to do this for you.
If you are using Java, Python, or Go, there are language specific connectors you can use from Cloud Run. These all have the option to use IAM DB AuthN as part of them.
For anyone using NodeJS on Cloud Run :
you can't enable the -enable_iam_login option in Cloud Run (cf accepted answer), which means you have to use a connector.
AFAIK, there is no NodeJS connector right now.
Which means you have 2 options :
write a connector yourself (good luck) or wait for Google to do it
use built-in database authentication for now.
I know this question is probably a bit vague. I was trying to run one of the examples of Google NLP Library in Google Shell.
I have 0 experience with using API, JSON, Nodejs... I don't understand what they are and how to use them.
Please help
Here is the snapshot of the error:
The error message means that you are using user credentials instead of service account credentials.
When you connect to Google Cloud Shell, you are using your Google Accounts User Credentials. Those credentials are the ones that you used to log in to the Google Cloud Console. When you run an application in Google Cloud Shell, your application is using those credentials unless you explicitly specify different credentials.
The solution is to create a service account in the Google Cloud Console. Then in your program use the service account for credentials for your application.
Google Cloud Service Accounts
When you do not specify the application credentials, the Google Client libraries use a method to locate credentials called ADC (Application Default Credentials). I wrote an article that might help you understand ADC:
Google Cloud Application Default Credentials
The simplest method for you is to create the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to the service account full path location before running your application. Change the path below to point to where the service account is stored on Cloud Shell. You will need to first create the service acount, download it and then upload to Cloud Shell.
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/service-account.json"
Managing files with Cloud Shell
This link will provide more information on how to write applications that use service accounts.
Setting Up Authentication for Server to Server Production Applications
I'm attempting to connect to a Google Cloud SQL instance via a MySQL client which requires me to connect via the Google Cloud proxy. I have followed all instructions on the Google Cloud Docs, yet after running the command to start the proxy (using correct INSTANCE_CONNECTION_NAME and PATH_TO_KEY_FILE), I receive the following error.
Command :
./cloud_sql_proxy -dir=/cloudsql -instances=INSTANCE_CONNECTION_NAME \ - credential_file=PATH_TO_KEY_FILE &
Error :
couldn't connect to "INSTANCE_CONNECTION_NAME": ensure that the account has access to "INSTANCE_CONNECTION_NAME" (and make sure there's no typo in that name). Error during createEphemeral for INSTANCE_CONNECTION_NAME: googleapi: Error 403: Access Not Configured. Cloud SQL Administration API has not been used in project 563584335869 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=563584335869 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
I have confirmed that the Google Cloud SQL API is enabled on the console for the project, but the weird thing is my project name is not 563584335869, and I have already set the correct project name via the GC CLI to no avail. So when visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=563584335869, I see:
The API "sqladmin.googleapis.com" doesn't exist or you don't have permission to access it
I also created a service account under the role Cloud SQL Client, and downloaded the private key which PATH_TO_KEY_FILE points to.
Can you confirm that you have enabled the "Cloud SQL API" (sqladmin.googleapis.com) and not "Cloud SQL" API? (sql-component.googleapis.com)?
Can you also give some more information as to your environment? Are you running this from your local machine or are you working in Cloud Shell?