0

During build executed by Cloud Build I need to authenticate my custom Java code to use Google Cloud Storage API. The code uses Cloud Storage JSON API client.

I would like to use Cloud Build service account for authentication, but it's not clear how to achieve this in Java code without passing around service account key file as encrypted resource.

Is it possible to authenticate with Cloud Build service account from Java code that executed in Cloud Build docker container?

Igor Dvorzhak
  • 4,360
  • 3
  • 17
  • 31

1 Answers1

1

By default, CloudBuild containers execute with the permissions allocated to the CloudBuild Service Account.

Theres some more info about it here, but you shouldn't need to explicitly "use" the permissions, the environment your code is running in should have the permissions allocated already, if your service account has the right roles.

For example, you could allocate GCS roles roles/storage.objectCreator & roles/storage.objectViewer to your CloudBuild Service account, and then it should be able to read/write to GCS in the selected project/bucket

Jaboy
  • 212
  • 1
  • 6
  • Thank you for answer, it's good to know that Cloud Build container executed with Cloud Build service account. Do you know how to take advantage of this in Java program? I.e. what I need to do to authenticate Cloud Storage API calls in Java program with Cloud Build service account? – Igor Dvorzhak Jun 23 '19 at 19:54
  • 1
    Sarcastic remarks aside, your code should inherit the permissions from the environment its running in. If you can't run it locally, call `gcloud auth application-default login` and it will set your credentials where the SDK will check. This is already done for you in the cloud build container. – Jaboy Jun 29 '19 at 10:47