Cloud Build - Credentials error using exec wrapper to connect to Cloud SQL Proxy + other GCP resources
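I'm trying to use the exec-wrapper in a Cloud Build step to run the Cloud SQL Proxy and run a Node script that creates a custom database migration. This is what my Cloud Build config looks like: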
steps:
- name: gcr.io/cloud-builders/docker
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/api-stg', '.']
- name: gcr.io/cloud-builders/docker
  args: ['push', 'gcr.io/$PROJECT_ID/api-stg']
- name: gcr.io/cloud-builders/gcloud
  args: ['app', 'deploy', 'app-stg.yaml', '--image-url=gcr.io/$PROJECT_ID/api-stg']
- name: "gcr.io/google-appengine/exec-wrapper"
  args: ["-i", "gcr.io/$PROJECT_ID/api-stg",
         "-s", "$PROJECT_ID:us-central1:<Cloud SQL Instance Name>",
         "--", "scripts/management/custom_migration"]
images: ['gcr.io/$PROJECT_ID/api-stg']
timeout: 1200s # 20 minutes
In my custom_migration.js file, I have something like this:
const {Storage} = require('@google-cloud/storage');
const storage = new Storage();
const bucket = storage.bucket(BUCKET_NAME);
const file = await bucket.file(key);
const result = await new Promise(resolve => file.download((err, data) => {...}));
...
This results in the following error from google-auth-library:
Error: The file at /root/.google/credentials does not exist, or it is not a file.
Error: ENOENT: no such file or directory, lstat '/root/.google'
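My App Engine Flexible environment is able to run this code when it is deployed in a new version, but the same code in the Cloud Build step is not authenticating correctly. How can I allow the exec-wrapper to use the default credentials of my App Engine flexible environment?
This step works for me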
steps:
- name: 'node:14-alpine'
  entrypoint: 'sh'
  args:
  - -c
  - |
    wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
    chmod +x cloud_sql_proxy
    ./cloud_sql_proxy -instances=my-project-id:us-central1:vertx=tcp:5432 &
    npm install @google-cloud/storage pg
    node index-test.js
Because I don't know the content of your custom container, you can try to adapt it like this
steps:
- name: 'gcr.io/$PROJECT_ID/api-stg'
  entrypoint: 'sh'
  args:
  - -c
  - |
    wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
    chmod +x cloud_sql_proxy
    ./cloud_sql_proxy -instances=my-project-id:us-central1:vertx=tcp:5432 &
    npm install @google-cloud/storage pg
    node scripts/management/custom_migration
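About the issue with the standard library, my guess is that the App Engine environment and the Cloud Build environment conflict.
If you look at the Google Auth library, you will see one case for App Engine credentials and another case for Compute credentials. Compute is used as the standard on any Google Cloud service (Cloud Run, Cloud Functions, Compute Engine, Cloud Build, etc.), but App Engine has its particularities.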
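A preflight check for the credential lookup discussed in the answer above, as an added example that is not part of the original question or answer. It assumes a Linux build container and that the /root/.google/credentials path in the error came from a GOOGLE_APPLICATION_CREDENTIALS value set inside the wrapper, which the page does not confirm; resolveAdcSource and assertAdcUsable are hypothetical helper names.

```javascript
// Added example (not from the original post): preflight check for
// Application Default Credentials (ADC) before a migration script runs.
// Assumed lookup order: env var file, gcloud well-known file, metadata server.

// Default file check; fs is loaded only when the check actually runs.
const isFile = (p) => {
  try {
    return require('fs').statSync(p).isFile();
  } catch {
    return false;
  }
};

// Describes which ADC source a Google client library would pick here.
function resolveAdcSource(env = process.env, fileExists = isFile) {
  const keyPath = env.GOOGLE_APPLICATION_CREDENTIALS;
  if (keyPath) {
    // A set-but-dangling path is a hard failure: the lookup stops here and
    // never reaches the metadata server. This matches the error on the page.
    if (!fileExists(keyPath)) {
      return {
        source: 'env-file',
        path: keyPath,
        ok: false,
        reason: 'GOOGLE_APPLICATION_CREDENTIALS points to a missing file',
      };
    }
    return { source: 'env-file', path: keyPath, ok: true };
  }
  // Well-known file written by `gcloud auth application-default login`.
  const wellKnown =
    `${env.HOME || ''}/.config/gcloud/application_default_credentials.json`;
  if (fileExists(wellKnown)) {
    return { source: 'well-known-file', path: wellKnown, ok: true };
  }
  // No file-based credentials: the library falls back to the metadata
  // server, i.e. the Compute credentials the answer refers to.
  return { source: 'metadata-server', ok: true };
}

// Fail the build step early with an actionable message.
function assertAdcUsable(env = process.env, fileExists = isFile) {
  const result = resolveAdcSource(env, fileExists);
  if (!result.ok) throw new Error(`${result.reason}: ${result.path}`);
  return result;
}
```

Calling assertAdcUsable() at the top of the migration script also records which identity source the step is about to use, which helps confirm the build is running as the intended service account rather than a stray key file.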