I'm automating our build process. Before push is executed, I run the following script that logs the correct service account in.

if [[ "${DEPLOY_ENV}" == "production" ]]; then
    gcloud auth activate-service-account --key-file "$DIR/production-secret.json"
else
    gcloud auth activate-service-account --key-file "$DIR/test-secret.json"
fi

However, no matter which login, I'm always pushing to our "test" account's registry when I execute this command

gcloud docker -- push gcr.io/talk-like-humans/api:${IMAGE_VERSION}

Is there another command I need to run to set my push endpoint to be in the correct account?

Thanks, Todd

tnine

1 Answer

The repository you push to is determined by the image name, not the credential used. Your command

gcloud docker -- push gcr.io/talk-like-humans/api:${IMAGE_VERSION}

means that you will always push an image called api:${IMAGE_VERSION} to the talk-like-humans repository (in the gcr.io registry). If both your test and production credentials have write access there, they will both succeed.

It sounds to me like you want something like this:

if [[ "${DEPLOY_ENV}" == "production" ]]; then
    gcloud auth activate-service-account --key-file "$DIR/production-secret.json"
    REPO="${PROD_REPO}"
else
    gcloud auth activate-service-account --key-file "$DIR/test-secret.json"
    REPO="${TEST_REPO}"
fi
gcloud docker -- push "gcr.io/${REPO}/api:${IMAGE_VERSION}"

In addition, I would revoke access from ${PROD_REPO} for the service account in test-secret.json -- this way your dev process can't accidentally push to production.

David Bendory
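
A guarded version of the push step from the answer above, as an added example that is not part of the original question or answer: it derives the image name from the environment and refuses to push when the active account is not the one expected for that environment. PROD_ACCOUNT, TEST_ACCOUNT, the function names and all default values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. PROD_REPO and TEST_REPO follow
# the answer; PROD_ACCOUNT, TEST_ACCOUNT and all default values are constructed.
PROD_REPO="${PROD_REPO:-example-prod-project}"
TEST_REPO="${TEST_REPO:-example-test-project}"
PROD_ACCOUNT="${PROD_ACCOUNT:-ci-prod@example-prod-project.iam.gserviceaccount.com}"
TEST_ACCOUNT="${TEST_ACCOUNT:-ci-test@example-test-project.iam.gserviceaccount.com}"

# Print the full image name for environment $1 and tag $2.
# Unknown environments and malformed tags fail instead of defaulting to test.
image_ref() {
    case "$2" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case "$1" in
        production) echo "gcr.io/${PROD_REPO}/api:$2" ;;
        test)       echo "gcr.io/${TEST_REPO}/api:$2" ;;
        *)          return 1 ;;
    esac
}

# Succeed only if account $2 is the one expected for environment $1.
account_matches_env() {
    case "$1" in
        production) [ "$2" = "$PROD_ACCOUNT" ] ;;
        test)       [ "$2" = "$TEST_ACCOUNT" ] ;;
        *)          return 1 ;;
    esac
}

# Call as: guarded_push "$DEPLOY_ENV" "$IMAGE_VERSION"
# after gcloud auth activate-service-account has run.
guarded_push() {
    ref="$(image_ref "$1" "$2")" || { echo "unknown env or bad tag" >&2; return 1; }
    active="$(gcloud config get-value account 2>/dev/null)"
    if ! account_matches_env "$1" "$active"; then
        echo "refusing to push $ref as '$active'" >&2
        return 1
    fi
    gcloud docker -- push "$ref"
}
```

The guard only catches a mismatch inside the script; removing the test service account's write access to the production repository, as the answer recommends, is what actually enforces the separation.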