
Programmatic authentication using Cloud Build service account


During a build executed by Cloud Build I need to authenticate my custom Java code to use the Google Cloud Storage API. The code uses the Cloud Storage JSON API client.

I would like to use the Cloud Build service account for authentication, but it's not clear how to achieve this in Java code without passing around a service account key file as an encrypted resource.

Is it possible to authenticate with the Cloud Build service account from Java code that is executed in a Cloud Build Docker container?


Solution

  • By default, CloudBuild containers execute with the permissions allocated to the CloudBuild Service Account.

    There's some more info about it here, but you shouldn't need to explicitly "use" the permissions; the environment your code is running in should have the permissions allocated already, if your service account has the right roles.

    For example, you could allocate the GCS roles roles/storage.objectCreator & roles/storage.objectViewer to your Cloud Build service account, and then it should be able to read/write to GCS in the selected project/bucket.
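To show what the answer describes in code, here is an added example (not part of the answer above, and not code from Google's own samples) of a Java build step that picks up the Cloud Build service account through Application Default Credentials instead of a key file. It uses the google-cloud-storage client library rather than the older JSON API client named in the question; the bucket name and object path are constructed placeholders.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class CloudBuildStorageExample {

    // Constructed placeholders: use a bucket the Cloud Build service account may access.
    private static final String BUCKET = "your-build-artifacts-bucket";
    private static final String OBJECT = "build-output/hello.txt";

    public static void main(String[] args) throws IOException {
        // Application Default Credentials resolve, in order: the GOOGLE_APPLICATION_CREDENTIALS
        // env var (a key file, which we deliberately do NOT set), then the credentials of the
        // runtime environment. Inside a Cloud Build step that is the Cloud Build service
        // account, fetched from the metadata server, so no key file is ever shipped.
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault()
                .createScoped("https://www.googleapis.com/auth/devstorage.read_write");

        Storage storage = StorageOptions.newBuilder()
                .setCredentials(credentials)
                .build()
                .getService();

        BlobId blobId = BlobId.of(BUCKET, OBJECT);
        BlobInfo blobInfo = BlobInfo.newBuilder(blobId)
                .setContentType("text/plain")
                .build();

        // Write: needs roles/storage.objectCreator on the service account (see the answer).
        storage.create(blobInfo, "written from Cloud Build".getBytes(StandardCharsets.UTF_8));

        // Read back: needs roles/storage.objectViewer. A 403 here means the role is missing,
        // not that authentication failed.
        byte[] content = storage.readAllBytes(blobId);
        System.out.println(new String(content, StandardCharsets.UTF_8));
    }
}
```

Because the credentials come from the build environment, the same class also runs on a developer workstation after `gcloud auth application-default login`, at which point it acts as that user rather than the build service account.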