Pass Google Application Default Credentials to Docker

All of the Google Cloud Client Libraries use Google Application Default Credentials. The Google Cloud SDK did too until recently. Developers usually install the SDK, which provides access to the gcloud and gsutil command-line tools. When you `gcloud auth login`, it saves the credentials to file named `credentials` in `%appdata%\gcloud` on Windows and in `$HOME\.config\gcloud` on Linux. After the breaking change, you need to use `gcloud auth application-default login` which saves a file named `application_default_credentials.json` to the same directory. If you want to pass those credentials into a Docker container, simply pass those credentials in using a Docker volume.

Windows

To pass in Google Application Default Credentials to a container using Docker for Windows:

docker run --rm -it -v "$env:appdata/gcloud\:/.config/gcloud" google/cloud-sdk

This demonstrates using the gsutil from the sdk and then a simple gsutil I put together for this blog that uses the Go library for Google Storage. It uses the Application Default Credentials.

You will need to change `/.config/gcloud` to be `/root/.config/gcloud`, `/home/myuser/.config/gcloud/` or whatever $HOME is for the user in the container you are running. For google/cloud-sdk, $HOME was set to /.

Linux

To pass in Google Application Default Credentials to a container on Linux:

docker run --rm -it -v ~/.config/gcloud:/.config/gcloud google/cloud-sdk

Google Cloud Shell

The Google Cloud Shell can be very useful for development tasks too. Since it is a Google hosted VM, the credentials come from the network and not from files. You can pass those credential along to a docker container like so:

docker run --rm -it --net host -e DEVSHELL_CLIENT_PORT=$DEVSHELL_CLIENT_PORT google/cloud-sdk

The `DEVSHELL_CLIENT_PORT` environment variable is only need by the SDK and not by my Go app.

My gsutil Test App

As mentioned before, I put together a simple `gsutil` test app in Go. Here is the gist:

Loading gist ...