I am working on AWS ECS. I have uploaded Keycloak image to aws ecs, but when i run task and open that using public id, i am getting problem in administration account. There is no admin account at first and i am not able to create it.
What i have done : I have created task definition using jboss/keycloak:latest image url. Then created one cluster and run task using above task definition.
Issue : creating admin account on running task.
Thanks for your help.
If you are using official keycloak image here then you can pass folowing environment variables to generate admin user:
KEYCLOAK_USER=admin
KEYCLOAK_PASSWORD=password
Or if you don't use keycloak image (maybe you build yourself), you can also run the following command directly which does the same
/opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "password"
Related
I use a workflow to create a batch job using a docker image hosted in a docker registry.
All of this happens within the same google cloud project.
My batch job fails with this error :
"docker: Error response from daemon: Head "https://us-west1-docker.pkg.dev/v2/entity/docker-registry/image-name/manifests/latest": denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/project-id/locations/us-west1/repositories/docker-registry" (or it may not exist).
See 'docker run --help'.
From google documentation I understand that Compute Engine's service account doesn't have the roles/artifactregistry.admin : Jobs default to using the Compute Engine default service account
I get the same error after giving the role to the service account :
gcloud projects add-iam-policy-binding project-id \
--member=serviceAccount:compute#developer.gserviceaccount.com \
--role=roles/artifactregistry.admin
While digging service accounts I found another service another service account and also gave it the role : service-xxxx#gcp-sa-cloudbatch.iam.gserviceaccount.com.
It does not solve the problem.
How can I see which service account is used ?
Can I see logs about denied permissions ?
The error occurs when you are trying to push an image on a repository in which a specific hostname associated with its repository location is not yet authenticated and specified in the credential helper.You may refer to this Setting up authentication for Docker .You may check and confirm the service account to make sure you are still impersonating the correct one ,run below as mentioned in document
gcloud auth list
This command will show the active account, along with the other
accounts that are authorized to access your Google Cloud project. The
active account will be marked with an asterisk (*).
Try to run the authentication using a command specifying the location of your repository.You may try to run the configure-docker command against the auth group and see.
gcloud auth configure-docker <location>-docker.pkg.dev
And then try pulling the Docker image again.
Refer Authenticating to a repository for more information and you can see these logs permission denied logs in Cloud logging for more details.
I am trying to deploy some GCP resources using terraform.
Executed gcloud auth login (authenticated with my gcp
account, assigned gcp project).
Executed gcloud auth application-default login.
Assigned roles to my useraccount (user99#gmail.com) at project level and the Terraform Service Account at organisation level.
Now, when I run terraform scripts from my CLI on my local machine, I get the "Error 403: The caller does not have permissions" error.
My question is:
When running terraform commands from my local machines CLI, which account is terraform using to deploy resources (user99#gmail.com or Terraform Service Account)?
Is Terraform complaining about missing permissions for my user99#gmail.com or the Terraform Service Account?
Is there a way to check which account is being used to deploy resources on GCP?
Without changing the project on gcloud auth login, can we deploy resources in other GCP projects?
If you're running on a (e.g. local) host (i.e. that's not on GCP):
with gcloud and you've gcloud auth application-default-login then (!) Terraform should be using that user's credentials (gcloud config get-value account).
and the environment exports GOOGLE_APPLICATION_CREDENTIALS (and this correctly points to a service account's key), then the Service Account will be used.
If you're running Terraform on GCP (e.g. on Compute Engine) then the Compute Engine's service account will be automatically determined by ADCs (see below).
Google Provider Configuration Authentication
Application Default Credentials (ADCs) Finding Credentials Automatically
Is there a way to check which account is being used to deploy resources on GCP?
This simple code will show you which account is used to terraform resources:
data "google_client_openid_userinfo" "me" {
}
output "my-email" {
value = data.google_client_openid_userinfo.me.email
}
Without changing the project on gcloud auth login, can we deploy resources in other GCP projects?
Actually, you can rely on self_links that contain full path with the project itself, so you can specify different projects. However, the proper way would be to use different provider aliases for each of the project.
Reference: https://www.terraform.io/language/providers/configuration#alias-multiple-provider-configurations
I am trying to deploy the new changes to kubernetes cluster using the Google Cloud Provider CloudBuild. Whenever I make some changes the trigger is working fine and its starting a new build but here is the issue I am getting with this cloudbuild.yaml.
cloudbuild.yaml
steps:
#step1
- name: 'gcr.io/cloud-builders/docker'
args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/cloudbuildtest-image', '.' ]
#step 2
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/$PROJECT_ID/cloudbuildtest-image']
#step 3 for testing
name: 'gcr.io/cloud-builders/kubectl'
args: ['get', 'pods']
env:
- 'CLOUDSDK_COMPUTE_ZONE=us-central1-a'
- 'CLOUDSDK_CONTAINER_CLUSTER=cloudbuild-test'
#STEP-4
images:
- 'gcr.io/$PROJECT_ID/cloudbuildtest-image'
Step 1 and 2 are working fine but the issue is with the step3 where for testing purpose I simply ran the get pods command to test if it will work or not. Here is the issue I am getting in the logs.
Running: gcloud container clusters get-credentials --project="journeyfoods-io" --zone="us-central1-a" "cloudbuild-test"
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/XXXX/zones/us-central1-a/clusters/cloudbuild-test".
What permissions is it looking for? Do I need to do some
authentication before running the steps or What exactly am I missing?
The steps of a Cloud Build build are executed using with the [PROJECT_NUMBER]#cloudbuild.gserviceaccount.com service account. From the Cloud Build documentation page about this topic:
When you enable the Cloud Build API, the service account is
automatically created and granted the Cloud Build Service Account role
for your project. This role is sufficient for several tasks,
including:
Fetching code from your project's Cloud Source Repository
Downloading files from any Cloud Storage bucket owned by your project
Saving build logs in Cloud Logging
Pushing Docker images to Container Registry
Pulling base images from Container Registry
But this service account does not have permissions for certain actions by default ( in particular the container.clusters.get permission is not grated by default). So you need to grant it with a proper IAM role. In your case the Kubernetes Engine Developer role contains the container.clusters.get permission as you can see in this page.
I am trying to build CI/CD using AWS CodePipeline.
I am integrating the Git lab with AWS S3.I am using this link -
https://aws.amazon.com/quickstart/architecture/git-to-s3-using-webhooks/
When the code is pushed into a specific branch, the AWS API is called. ( I can see in the CloudWatch logs). But I am getting below error -
Failed to authenticate SSH session: Waiting for USERAUTH response:
GitError
Do I need to configure the GITlab username/keys anywhere on AWS/S3/Cloudformation side?
I have configured GIT PULL URL ( GitPullWebHookApi) on the Gitlab Webhooks side.
I have configured, the PublicSSHKey from AWS S3 Cloudformation into the Secret Token in Gitlab.
Am I missing any step?
Is there any document which specifies the steps to configure the Gitlab keys/user credentials for this integration?
Add the SSH public key resource "PublicSSHKey" generated by the Cloudformation Stack in the Gitlab user public key settings. Please remember that the public needs to added to each user's account who need to invoke the pipeline when committing a change in the Git repository. The Outputs tab for the CloudFormation stack contain the two webhook endpoint URLs, the output bucket name, and the public SSH key [1].
[1] https://aws-quickstart.s3.amazonaws.com/quickstart-git2s3/doc/git-to-amazon-s3-using-webhooks.pdf
I am attempting to setup a simple Elastic Beanstalk application with the following settings:
Web server environment
Predefined configuration: docker
Environment type: single instance
My Dockerrun.aws.json has the authentication block, which was created by running the docker login command on my local machine. I have added those credentials in the form of a .dockercfg file to an S3 bucket and given the necessary IAM roles to the EC2 instance so that it can access the config file with the authentication information.
However, when I attempt to start up the instance, the creation process fails and the log tells me:
Error: image mydockeruser/my-docker-app:latest not found
It says the image can't be found, but the image IS there (in a private repo), with the "latest" tag. To prove it to myself, I can go to https://hub.docker.com/r/mydockeruser/my-docker-app/tags/ and I can see the image with tag name of "latest" including the size of the image, etc.
Any idea why Elastic Beanstalk wouldn't be able to find the image during the application setup process?
I had the wrong format in my .dockercfg file. They changed the format from (I believe) Docker 1.6 and later.
{
"https://index.docker.io/v1/" :
{
"auth" : "mywackyauthcode",
"email" : "myemail#email.org"
}
}