TechQA.

How do I retrieve assets from a Google Storage bucket within a Google Container Registry automated build?

540 views Asked by At

I've created a mirrored GitHub repo in Google's Container Registry and then created a Build Trigger. The dockerfile in the repo includes gsutil -m rsync -r gs://asset-bucket/ local-dir/ so that I can move shared private assets into the container. But I get an error:

ServiceException: 401 Anonymous caller does not have storage.objects.list access to asset-bucket

I have an automatically created service account (@cloudbuild.gserviceaccount.com) for building and it has the Cloud Container Builder role. I tried adding Storage Object Viewer, but I still get the error.

Shouldn't the container builder automatically have the appropriate permissions?

google-container-registry google-container-builder
Original Q&A
2

There are 2 answers

2
David Bendory On BEST ANSWER

Are you using the gcr.io/cloud-builders/gsutil build step to do this? That should use default credentials properly and it should Just Work.

steps:
  - name: 'gcr.io/cloud-builders/gsutil'
    args: [ "-m", "rsync", "gs://asset-bucket/", "local-dir/" ]

Alternatively, you could try the GCS Fetcher.

1
dk. On

Just to be specific about the answer from @david-bendory, privileged calls cannot occur inside a dockerfile. I created a cloudbuild.yaml that looks like this:

steps:
- name: 'gcr.io/cloud-builders/gsutil'
  args: [ "-m", "rsync", "-r", "gs://my-assets/", "." ]
  dir: "static"
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/project-name', '.']
images: ['gcr.io/$PROJECT_ID/project-name']

and a dockerfile that includes

COPY static/* www/

Related Questions in GOOGLE-CONTAINER-REGISTRY

Related Questions in GOOGLE-CONTAINER-BUILDER

Popular Questions

Trending Questions