This is the Dockerfile that I'm using:

    FROM google/cloud-sdk:latest
    COPY . /app
    WORKDIR /app
    # Copy your credentials file
    COPY project-key.json /app/project-key.json
    # Set the environment variable for the credentials
    ENV GOOGLE_APPLICATION_CREDENTIALS /app/project-key.json
    # Download the file from GCS using the gsutil command
    RUN gsutil cp gs://project-id/file.txt /app/file.txt
    RUN apt-get update && apt-get install -y python3
    RUN apt-get update && apt-get install -y python3-pip
    RUN apt-get update && apt-get install -y git
    RUN pip install -r /app/requirements.txt
    EXPOSE 8080
    CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]

It works when building from Cloud Shell, but not when running from Cloud Build. I get the following error:

    ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist). The command '/bin/sh -c gsutil cp gs://project-id/file.txt /app/file.txt' returned a non-zero code: 1

Where are the credentials/roles missing?

Before you run your Docker step, do this:

    - name: gcr.io/cloud-builders/gsutil
      args: ['cp', 'gs://mybucket/my_file', 'my_file']
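
An added example, not part of the original answer: a complete `cloudbuild.yaml` that places the gsutil step from the answer ahead of the Docker build, using the bucket path from the question. The image name `my-app` is a placeholder, and it assumes the build's service account has been granted read access to the object.

```yaml
# cloudbuild.yaml (added example; the image name is a placeholder)
steps:
  # Step 1: runs as the build's service account, so gsutil is authenticated
  # without a key file. That account needs storage.objects.get on the object
  # (for example roles/storage.objectViewer on the bucket).
  - name: gcr.io/cloud-builders/gsutil
    args: ['cp', 'gs://project-id/file.txt', 'file.txt']

  # Step 2: /workspace is shared between steps, so file.txt is now in the
  # Docker build context and the Dockerfile's "COPY . /app" picks it up.
  - name: gcr.io/cloud-builders/docker
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-app', '.']

# Push the built image when all steps succeed.
images:
  - 'gcr.io/$PROJECT_ID/my-app'
```

With the download done in its own step, the Dockerfile's `COPY project-key.json`, `ENV GOOGLE_APPLICATION_CREDENTIALS` and `RUN gsutil cp` lines can be dropped, so the service account key is never written into an image layer.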