Best way to authenticate when testing a container in the local development environment

Hello everyone,

I’m developing a Cloud Run Job on Windows (in .NET/C#).
It is interacting with Cloud Storage so I must be authenticated.
I’ve set up Application Default Credentials via gcloud auth application-default login and it is running fine locally with dotnet run.

Then I containerize the code, but of course it won’t run inside Docker as the application_default_credentials.json is local to the host.
So I’ve copied this credentials file to the build directory, and added a COPY instruction in the Dockerfile: COPY application_default_credentials.json /root/.config/gcloud/
It is running fine.

But this solution is not satisfactory:

  • I have to copy the file manually first (as COPY can’t access files outside the Build Context which is the current directory)
  • This COPY instruction should be only for local build as it is not necessary once the container is run by Cloud Run in pre-production and production

Any input is welcome.

Hey @Pragmateek,

You’re hitting a classic containerisation issue.

I recommend using a bind mount to expose your ADC file to the container.

Optionally, you can use a dedicated service account with limited permissions and bind-mount its JSON key instead along with setting GOOGLE_APPLICATION_CREDENTIALS.

Also, it's worth (re)checking the GCP doc on how ADC works.

2 Likes
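The bind-mount approach suggested in the reply above, as an added example that is not part of the thread: a PowerShell wrapper that mounts the host ADC file read-only at run time, so no credential is copied into the build context or an image layer. The image tag `my-job:local` and the in-container path `/tmp/keys/adc.json` are hypothetical; the host path is the default Windows location written by `gcloud auth application-default login`.

```powershell
# Added example: run a locally built image with the host ADC file bind-mounted read-only.
param(
    [string]$Image = "my-job:local",   # hypothetical image tag
    [string]$BuildContext = "."        # directory passed to `docker build`
)
$ErrorActionPreference = "Stop"

# Default ADC location on Windows after `gcloud auth application-default login`.
$adc = Join-Path $env:APPDATA "gcloud\application_default_credentials.json"
if (-not (Test-Path -LiteralPath $adc -PathType Leaf)) {
    throw "ADC file not found at $adc; run: gcloud auth application-default login"
}

# Show which kind of credential is about to be mounted
# (e.g. authorized_user for a gcloud login, service_account for a key file).
$type = (Get-Content -LiteralPath $adc -Raw | ConvertFrom-Json).type
Write-Host "Mounting ADC of type '$type' read-only"

# Guard: a copy left in the build context would be baked into an image layer by COPY.
$stray = Join-Path $BuildContext "application_default_credentials.json"
if (Test-Path -LiteralPath $stray) {
    throw "Remove $stray (and the COPY line) before building; credentials must not ship in the image."
}

# Path inside the container (assumption); the env var must point at the same path.
$inContainer = "/tmp/keys/adc.json"

# --mount avoids the drive-letter colon ambiguity of -v on Windows; readonly keeps
# the container from modifying the host credential file.
docker run --rm `
    -e "GOOGLE_APPLICATION_CREDENTIALS=$inContainer" `
    --mount "type=bind,source=$adc,target=$inContainer,readonly" `
    $Image
if ($LASTEXITCODE -ne 0) { throw "Container exited with code $LASTEXITCODE" }
```

The Dockerfile then needs no credential-related instruction, so the same image runs unchanged on Cloud Run, where the attached service account supplies ADC.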

Thanks @LeoK for the pointers.
This issue should hit me again in the coming months. :grinning_face_with_smiling_eyes:

Hi @Pragmateek.

That’s not the best solution. You should not have to add the service account json file inside your container.

What you need to do is make sure the Cloud Run default service account (typically the default compute SA, which has a name like xxxxxxxxxxx-compute@developer.gserviceaccount.com, where xxxxxxxxx is the project number) has the right permissions on the bucket.

If your app uses one of our auth libraries then Application Default Credentials should just work!

1 Like

Thanks for the clarification @abdelfettah :smiling_face:

@abdelfettah, I totally agree for deployed environments, but OP’s question is specifically about local development.

I’m unsure how granting permissions to the default service account helps locally, since the application won’t use it unless explicitly impersonated or provided credentials. Am I missing something?

Also, isn’t GCP’s recommended approach to use local ADC for testing containerized applications locally?

1 Like

@LeoK my comment was about the production part of things. Locally, with a container-based environment, the only way is the ADC file!

2 Likes

Ah yes, I thought so too :face_with_hand_over_mouth:

You made me doubt for a second!

2 Likes