4

I am using Firebase in my GoLang project hosted on Google Kubernetes Engine.

Steps I followed:

  1. Enable firebase admin SDK on the firebase account. It generated a service account JSON for me. This also created a service account under my Google console service credentials.

  2. Followed this answer and added a new secret key using kubectl create secret generic google-application-credentials --from-file=./sample-project.json

  3. Made changes to my deployment.YAML file (added volume mounts and an environment variable to it)

    spec:
      containers:
      - image: gcr.io/sample-ee458/city:0.27
        name: city-app
        volumeMounts:
        - name: google-application-credentials-volume
          mountPath: /etc/gcp
          readOnly: true
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /etc/gcp/application-credentials.json

  4. setup volume in the same file

    volumes:
    - name: google-application-credentials-volume
      secret:
        secretName: google-application-credentials
        items:
        - key: application-credentials.json # default name created by the create secret from-file command
          path: application-credentials.json

  5. Run kubectl apply -f deployment.yaml and deploy using docker push command.

It's throwing me the error "error getting credentials using google_application_credentials environment variable gke". What am I missing here? Any hint would be appreciated.

3 Answers

7

Finally, I figured out how to copy it and use the environment variable. Here is the updated YAML file:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      volumes:
      - name: google-cloud-keys
        secret:
          secretName: gac-keys
      containers:
      - name: my-app
        image: us.gcr.io/my-app
        volumeMounts:
        - name: google-cloud-keys
          mountPath: /var/secrets/google
          readOnly: true
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/new-file-name.json

2

You can use a Secret in two different ways:

  • Mount the Secret as a volume and access it as a file
  • Map the Secret to environment variables and access it by reading the variable

You seem to have mixed them both. Decide if you want to access it as a file (recommended) or as an environment variable.

See examples of both in the documentation:

Example - accessing it as an environment variable

First, create the Secret; this can be done as you did:

kubectl create secret generic google-application-credentials --from-file=./application-credentials.json

I want to access it as an environment variable.

To expose the secret as an environment variable in the Pod or Deployment, write your Pod template as:

  containers:
  - name: city-app
    image: gcr.io/sample-ee458/city:0.27
    env:
      - name: GOOGLE_APPLICATION_CREDENTIALS
        valueFrom:
          secretKeyRef:
            name: google-application-credentials  # name of the Secret
            key: application-credentials.json

When accessing the Secret as an environment variable, you don't need to add it as a volume.

6 Comments

Thanks for the answer. I want to access it as an environment variable. Does that mean the kubectl create secret generic.... command will create a secret key in GKE? Where and how should I map the GOOGLE_APPLICATION_CREDENTIALS with the json file?
Ah! Understand. BTW what is application-credentials.json here? Are you referring to sample-project.json?
Yeah, you have mixed names there too. I updated so my kubectl create secret and the Pod-yaml has the same file name now.
Something is wrong: After applying the above configuration I am getting this: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: open open {\n \"type\": \"service_account\",\n \"project_id\": ....: file name too long"}* Closing connection 0 It is picking up the file content instead of the entire file using the name.
Yes, that is how it works when you access the content through an environment variable
2

The current answer is correct about secrets, env vars and volumes. However, if you try to load authentication in GKE, I absolutely don't recommend using a service account key file.

On GKE, there is a powerful feature named Workload Identity. It acts exactly like the metadata server on a Compute Engine instance (and other products) but at pod and namespace level (it creates a proxy that intercepts the metadata server calls and redirects them to the correct credential, configured with Workload Identity).

It's more secure and you don't have to keep and manage a secret file, with all the constraints and risks that involves.

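As an added example (not code from the question or from any of the answers above), here is a small Go program that ties the two points together: the answer on Secrets explains that GOOGLE_APPLICATION_CREDENTIALS either points at a file (Secret mounted as a volume) or, with secretKeyRef, contains the JSON itself, which is exactly what produces the "file name too long" error reported in the comments; and the last answer recommends leaving the variable unset on GKE so the client falls back to Application Default Credentials via Workload Identity. The loader below accepts all three cases and validates the key's non-secret fields before it is handed to the client library. The service-account key content is constructed, the project id is the one from the question, and `option.WithCredentialsJSON` (google.golang.org/api/option) is only named in comments so the program stays standard-library only.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// serviceAccountKey decodes only the fields worth validating before the
// blob is passed to firebase.NewApp via option.WithCredentialsJSON.
type serviceAccountKey struct {
	Type        string `json:"type"`
	ProjectID   string `json:"project_id"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// ErrUseADC signals that GOOGLE_APPLICATION_CREDENTIALS is unset, so the
// caller should let the library use Application Default Credentials
// (on GKE with Workload Identity that is the metadata-server proxy).
var ErrUseADC = errors.New("GOOGLE_APPLICATION_CREDENTIALS unset; use Application Default Credentials")

// constructedKey is a made-up service-account key used only for the demo;
// the private_key value is a placeholder, not real key material.
const constructedKey = `{"type":"service_account","project_id":"sample-ee458",` +
	`"client_email":"city-app@sample-ee458.iam.gserviceaccount.com",` +
	`"private_key":"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}`

// LoadCredentials takes the value of GOOGLE_APPLICATION_CREDENTIALS and returns
// the service-account JSON bytes, whether the variable holds a file path
// (Secret mounted as a volume) or the JSON document itself (Secret mapped
// with secretKeyRef). Passing the inline document to os.Open is what yields
// the "file name too long" error seen in the question's comments.
func LoadCredentials(value string) ([]byte, error) {
	value = strings.TrimSpace(value)
	if value == "" {
		return nil, ErrUseADC
	}
	if strings.HasPrefix(value, "{") {
		// Inline JSON: use the content directly instead of treating it as a path.
		return validate([]byte(value))
	}
	data, err := os.ReadFile(value)
	if err != nil {
		return nil, fmt.Errorf("reading credentials file %q: %w", value, err)
	}
	return validate(data)
}

// validate checks the shape of the key without ever echoing the private key.
func validate(data []byte) ([]byte, error) {
	var key serviceAccountKey
	if err := json.Unmarshal(data, &key); err != nil {
		return nil, fmt.Errorf("credentials are not valid JSON: %w", err)
	}
	if key.Type != "service_account" {
		return nil, fmt.Errorf("unexpected credentials type %q", key.Type)
	}
	if key.ProjectID == "" || key.ClientEmail == "" || key.PrivateKey == "" {
		return nil, errors.New("service-account key is missing project_id, client_email or private_key")
	}
	return data, nil
}

func main() {
	// Case 1: Secret mounted as a volume, variable holds a path.
	path := filepath.Join(os.TempDir(), "application-credentials.json")
	if err := os.WriteFile(path, []byte(constructedKey), 0o600); err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	defer os.Remove(path)

	// Case 2: Secret mapped with secretKeyRef, variable holds the JSON itself.
	// Case 3: variable unset, rely on ADC / Workload Identity.
	for _, value := range []string{path, constructedKey, ""} {
		creds, err := LoadCredentials(value)
		switch {
		case errors.Is(err, ErrUseADC):
			fmt.Println("no key configured: firebase.NewApp(ctx, nil) will use Application Default Credentials")
		case err != nil:
			fmt.Println("credential error:", err)
		default:
			fmt.Printf("loaded %d bytes of service-account JSON; pass with option.WithCredentialsJSON(creds)\n", len(creds))
		}
	}
}
```

The path branch keeps the volume-mount layout from the accepted answer working unchanged, the inline branch makes the secretKeyRef layout from the second answer work without the os.Open failure, and the unset branch is the shape a Workload Identity deployment ends up in, where no key file exists in the pod at all.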