
Comments (4)

github-actions commented on June 9, 2024

Hi there @mering 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps, which list common error messages and their resolution steps.


sethvargo commented on June 9, 2024

Hi @mering - thank you for opening an issue.

The auth action exports the GOOGLE_APPLICATION_CREDENTIALS environment variable, which all well-behaved Google Cloud client libraries respect.

As for why the credentials are stored in the workspace, it's because the workspace is one of the only places that is reliably shared with Docker-based actions. We've explored environment variables and alternative file paths, but they all come with trade-offs, particularly around self-hosted runner threat models. Last time we tried to "fix" this, we accidentally broke all Docker-based actions.

For Service Account Key JSON, you could theoretically not use this entire action and just write the JSON file to disk and set $GOOGLE_APPLICATION_CREDENTIALS.

> It would be nice if we could replace this step by using google-github-actions/auth action instead.

Have you tried? It looks like --google-default-credentials should "just work".

See also: #109, #123, #134, #212, #264, #315, #316, #333


mering commented on June 9, 2024

Hi @sethvargo, thanks for your explanation.

As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.

While we currently do use only the SA JSON key, we plan to migrate towards WIF in the future so it might be a good intermediate step.

Maybe I will try to set credentials_file_path to some location outside of the workspace and see if this just works.


sethvargo commented on June 9, 2024

Hi @mering - credentials_file_path is an output, not an input.

You could move the file somewhere else, but you'd need to update all the associated environment variables to the new path.

> As we do sometimes overwrite our workspace or publish packages via wildcards, extra care would need to be taken in our setup when the key is stored within the workspace.

There are instructions in the TROUBLESHOOTING guide for excluding the credentials from a git push or docker build, for example.
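
The move described in the comment above, as an added example that is not part of the thread and not the action's own code: a shell function for a step that runs after the auth action, relocating the credentials file out of the workspace and repointing every exported variable that held the old path. Assumptions: the three variable names and the `gha-creds-*.json` file name pattern are taken from the action's README and troubleshooting guide (only `GOOGLE_APPLICATION_CREDENTIALS` appears in this thread), and `relocate_creds` and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example; relocate_creds is a hypothetical helper, not part of the action.
# Variables the auth action exports (names per its README; assumption here).
CRED_VARS="GOOGLE_APPLICATION_CREDENTIALS CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE GOOGLE_GHA_CREDS_PATH"

# relocate_creds WORKSPACE DEST_DIR ENV_FILE
#   WORKSPACE: checkout directory (GITHUB_WORKSPACE on a runner)
#   DEST_DIR:  directory outside the workspace (for example under RUNNER_TEMP)
#   ENV_FILE:  file that later steps load their environment from (GITHUB_ENV)
relocate_creds() {
  workspace=$1; dest_dir=$2; env_file=$3
  src=${GOOGLE_APPLICATION_CREDENTIALS:-}
  [ -n "$src" ] && [ -f "$src" ] || { echo "no credentials file" >&2; return 1; }
  case "$src" in
    "$workspace"/*) ;;        # inside the workspace: relocate it
    *) return 0 ;;            # already outside: nothing to do
  esac
  case "$dest_dir"/ in
    "$workspace"/*) echo "destination is inside the workspace" >&2; return 1 ;;
  esac
  mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
  dest="$dest_dir/$(basename "$src")"
  mv "$src" "$dest" && chmod 600 "$dest" || return 1
  for var in $CRED_VARS; do
    eval "current=\${$var:-}"
    if [ "$current" = "$src" ]; then
      echo "$var=$dest" >> "$env_file"    # seen by subsequent steps
      eval "$var=\$dest"; export "$var"   # seen by the rest of this step
    fi
  done
  # Succeed only if no credentials file is left behind in the workspace.
  [ -z "$(find "$workspace" -name 'gha-creds-*.json' -print)" ]
}
```

On a runner this would be called as `relocate_creds "$GITHUB_WORKSPACE" "$RUNNER_TEMP/gcp-creds" "$GITHUB_ENV"`. Docker-based actions that run afterwards will no longer find the file, which is the trade-off the workspace location exists to avoid.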
