Authentication
You need authentication while using octue to:
Access data from Google Cloud Storage
Use, run, or deploy Twined services
Authentication is provided by a GCP service account.
Creating a service account
By setting up your Twined service network with the Twined Terraform modules, a set of maintainer service accounts have already been created with the required permissions.
Using a service account
Locally
Access your service accounts here, making sure the correct project is selected
Click on the relevant service account, go to the “Keys” tab, and create (download) a JSON key for it - it will be called
<project-name>-XXXXX.json.
Danger
It’s best not to store this in your project to prevent accidentally committing it or building it into a docker image layer. Instead, keep it somewhere else on your local system with any other service account keys you already have.
If you must keep within your project, it’s good practice to name the file gcp-credentials.json and make
sure that gcp-cred* is in your .gitignore and .dockerignore files.
If you’re developing in a container (like a VSCode
devcontainer), mount the file into the container. You can make gcloud available too - check out this tutorial.Set the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable to the absolute path of the key file. If using adevcontainer, make sure this is the path inside the container and not the path on your local machine.
On GCP infrastructure / deployed services
Credentials are automatically provided when running code or services on GCP infrastructure, including the Kubernetes cluster
octueuses these when when running on these platforms, so there’s no need to upload a service account key or include one in service docker images