dockergoogle-cloud-platformgoogle-cloud-buildgoogle-container-registrygoogle-artifact-registry

GCP Cloud Build can't connect to GCS bucket with file during build stage in dockerfile


This is the dockerfile that I'm using:

FROM google/cloud-sdk:latest
COPY . /app
WORKDIR /app

# Copy your credentials file
COPY project-key.json /app/project-key.json

# Set the environment variable for the credentials
ENV GOOGLE_APPLICATION_CREDENTIALS /app/project-key.json

# Download the file from GCS using the gsutil command
RUN gsutil cp gs://project-id/file.txt /app/file.txt

RUN apt-get update && apt-get install -y python3
RUN apt-get update && apt-get install -y python3-pip
RUN apt-get update && apt-get install -y git

RUN pip install -r /app/requirements.txt
EXPOSE 8080
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]

It works when building from Cloud Shell, but not when running from Cloud Build. I get the following error:

ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist). The command '/bin/sh -c gsutil cp gs://project-id/file.txt /app/file.txt' returned a non-zero code: 1

Where are the credentials/roles missing?


Solution

  • Before you run your Docker step, do this:

    - name: gcr.io/cloud-builders/gsutil
      args: ['cp', 'gs://mybucket/my_file', 'my_file']