[英]How to pass google cloud application credentials file to docker container
I would like to pass my Google Cloud Platform's service account JSON credentials file to a docker container so that the container can access a cloud storage bucket.我想将我的 Google Cloud Platform 服务帐户 JSON 凭证文件传递给 docker 容器,以便该容器可以访问云存储桶。 So far I tried to pass the file as an environment parameter on the run command like this:
到目前为止,我尝试将文件作为运行命令的环境参数传递,如下所示:
docker run -p 8501:8501 --env GOOGLE_APPLICATION_CREDENTIALS=/Users/gcp_credentials.json" -t -i image_name
docker run -p 8501:8501 --env GOOGLE_APPLICATION_CREDENTIALS=/Users/gcp_credentials.json" -t -i image_name
docker run -p 8501:8501 -e GOOGLE_APPLICATION_CREDENTIALS=/Users/gcp_credentials.json" -t -i image_name
docker run -p 8501:8501 -e GOOGLE_APPLICATION_CREDENTIALS=/Users/gcp_credentials.json" -t -i image_name
But nothing worked, and I always get the following error when running the docker container:但是没有任何效果,我在运行 docker 容器时总是得到以下错误:
W external/org_tensorflow/tensorflow/core/platform/cloud/google_auth_provider.cc:184] All attempts to get a Google authentication bearer token failed, returning an empty token.
W external/org_tensorflow/tensorflow/core/platform/cloud/google_auth_provider.cc:184] 获取 Google 身份验证承载令牌的所有尝试均失败,返回空令牌。 Retrieving token from files failed with "Not found: Could not locate the credentials file.".
从文件中检索令牌失败,显示“未找到:无法找到凭据文件。”。
How to pass the google credentials file to a container running locally on my personal laptop?如何将 google 凭据文件传递到在我的个人笔记本电脑上本地运行的容器?
You cannot "pass" an external path, but have to add the JSON into the container.您不能“传递”外部路径,但必须将 JSON 添加到容器中。
Two ways to do it:两种方法:
secrets - work with docker swarm mode.秘密- 使用 docker 群模式。
Advantage being, secrets are encrypted.优点是,秘密是加密的。 Secrets are decrypted when mounted to containers.
秘密在安装到容器时被解密。
I log into gcloud in my local environment then share that json file as a volume in the same location in the container.我在本地环境中登录 gcloud,然后将该 json 文件作为卷共享到容器中的同一位置。
Here is great post on how to do it with relevant extract below: Use Google Cloud user credentials when testing containers locally这是一篇关于如何使用以下相关摘录进行操作的好帖子: 在本地测试容器时使用 Google Cloud 用户凭据
Login locally本地登录
To get your default user credentials on your local environment, you have to use the gcloud SDK. You have 2 commands to get authentication:
要在本地环境中获取默认用户凭据,您必须使用 gcloud SDK。您有 2 个命令来获取身份验证:
gcloud auth login to get authenticated on all subsequent gcloud commands gcloud auth application-default login to create your ADC locally, in a “well-known” location.
gcloud auth login 以在所有后续 gcloud 命令上进行身份验证 gcloud auth application-default login 以在“众所周知”的位置本地创建您的 ADC。
Note location of credentials注意凭据的位置
The Google auth library tries to get a valid credentials by performing checks in this order
Google 授权库尝试通过按此顺序执行检查来获取有效凭据
Look at the environment variable
GOOGLE_APPLICATION_CREDENTIALS
value.查看环境变量
GOOGLE_APPLICATION_CREDENTIALS
值。 If exists, use it, else… Look at the metadata server (only on Google Cloud Platform).如果存在,则使用它,否则……查看元数据服务器(仅在 Google Cloud Platform 上)。 If it returns correct HTTP codes, use it, else… Look at “well-know” location if a user credential JSON file exists The “well-known” locations are
如果它返回正确的 HTTP 代码,请使用它,否则...如果存在用户凭证 JSON 文件,请查看“知名”位置“知名”位置是
On linux:
~/.config/gcloud/application_default_credentials.json
On Windows:%appdata%/gcloud/application_default_credentials.json
在 linux 上:
~/.config/gcloud/application_default_credentials.json
在 Windows 上:%appdata%/gcloud/application_default_credentials.json
Share volume with container与容器共享卷
Therefore, you have to run your local docker run command like this
因此,您必须像这样运行本地 docker 运行命令
ADC=~/.config/gcloud/application_default_credentials.json \ docker run \
ADC=~/.config/gcloud/application_default_credentials.json\docker运行\
-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/keys/FILE_NAME.json-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/keys/FILE_NAME.json
-v ${ADC}:/tmp/keys/FILE_NAME.json:ro \ <IMAGE_URL>-v ${ADC}:/tmp/keys/FILE_NAME.json:ro \ <IMAGE_URL>
NB: this is only for local development, on Google Cloud Platform the credentials for the service are automatically inserted for you.注意:这仅适用于本地开发,在 Google Cloud Platform 上,服务的凭据会自动为您插入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.