How to Properly Inject Service Account Credentials in Google Cloud Build for Cloud Run Deployment?
I’m deploying a Laravel application to Google Cloud Run using Google Cloud Build. During the Docker build process, I need to access Google Secret Manager to inject secrets into the application code automatically. However, the build process fails with the following error:
Failed to load secrets: cURL error 28: Failed to connect to 169.***.***.** port 80 after 130458 ms: Couldn't connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://169.***.***.**/computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform
As I understand it, the build process is trying to access the Google Cloud Instance Metadata Server at 169...** to retrieve a token for the default service account. However, the metadata server is not available in Cloud Build, as it doesn’t run on a virtual machine.
I’m not sure how to correctly inject these credentials into the Docker build process for this specific scenario.
What I’m Trying to Achieve:
- Build a Docker image for the Laravel app using Cloud Build. ❌
- Access secrets from Secret Manager during the build (e.g., database credentials, API keys). ✅
- Inject the secrets into the Docker image automatically for use in the application. ✅
Steps 2 and 3 work perfectly in local development (via gcloud auth application-default login) and Dockerized environments (by mounting a JSON file with Service Account credentials).
Build via Cloud Build fails due to application not being able to access secrets manager.
What I’ve Tried:
- Created a Service Account with all necessary permissions for Secret Manager (roles/secretmanager.secretAccessor).
- Stored the Service Account key JSON file securely.
- Modified my cloudbuild.yaml to inject the GOOGLE_APPLICATION_CREDENTIALS environment variable during the build process.
However, the build process still fails, as Cloud Build cannot access the metadata server.
Current Workflow:
Here’s what I expect and currently envision as the workflow:
What I Need:
- Guidance on the best way to inject Service Account credentials into the Cloud Build process.
- Should I use a Service Account JSON key directly, or is there a way to configure the Cloud Build Service Account to access Secret Manager during the build?
Any help or insights on this would be greatly appreciated.
Thanks in advance!
The issue was primarily related to how services were being injected, which caused the build process to sometimes fail before reaching the required entry point.
Additionally, the cloudbuild.yaml configuration was incomplete. Expecting the automatic injection of a Service Account (SA) to specific CI/CD steps is totally accurate.
Here’s an example of a complete cloudbuild.yaml that resolved the issue:
options:
logging: CLOUD_LOGGING_ONLY
dynamicSubstitutions: true
steps:
# Step 1: Build the Docker image for the application
- name: gcr.io/cloud-builders/docker
id: Build
args:
- build
- '--no-cache'
- '-f'
- Dockerfile
- '-t'
- ${_IMAGE_NAME}
- .
# Step 2: Push the Docker image to Google Artifact Registry
- name: gcr.io/cloud-builders/docker
id: Push
args:
- push
- ${_IMAGE_NAME}
# Step 3: Deploy the Docker image to Cloud Run with secrets management
- name: gcr.io/cloud-builders/gcloud
id: Deploy
args:
- run
- deploy
- ${_SERVICE_NAME}
- '--image'
- ${_IMAGE_NAME}
- '--platform=managed'
- '--region'
- ${_REGION}
- '--allow-unauthenticated'
- '--memory=1024Mi'
- '--set-secrets=EXAMPLE_API_KEY=my-api-key:latest'
# Step 4: Execute a Cloud Run Job for database migrations
- name: gcr.io/google.com/cloudsdktool/cloud-sdk
id: Migrate
entrypoint: /bin/bash
args:
- '-c'
- |
gcloud run jobs execute migrate-job \
--region ${_REGION}
substitutions:
_ARTIFACT_REGISTRY: 'example-europe-north1-registry'
_SERVICE_NAME: 'example-service-name'
_REGION: 'europe-north1'
_IMAGE_NAME: '${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_ARTIFACT_REGISTRY}/${_SERVICE_NAME}:${SHORT_SHA}'
images:
- ${_IMAGE_NAME}
Key Notes
Local Testing with Docker:
- When running locally in a Dockerized environment, mount a
service-account.jsonfile indocker-compose.ymlto authenticate.
Local Non-Docker Testing:
- Use
gcloud auth application-default loginto ensure your local environment is authenticated with GCP.
Service Account Injection:
- In this setup, the Service Account (SA) is injected automatically where needed, ensuring all steps can authenticate successfully, and not following an anti-pattern of using
GOOGLE_APPLICATION_CREDENTIALSas mentioned by @DazWilkin.
Secrets Management:
- After deployment, the application can successfully access the Secrets Manager API to retrieve and map secrets.
This configuration resolved the issue, ensuring both the CI/CD pipeline and the deployed application worked seamlessly with the necessary Service Account permissions.
- Laravel composer install giving error "Your lock file does not contain a compatible set of packages please run composer update"
- Laravel Valet 502 Bad Gate Way nginx/1.15.7
- laravel api to update data is not working
- Laravel 11 migration: preserving original attributes when updating existing column
- In voyager admin panel how to solve directory separator issue
- Installing font-awesome with Laravel 9 (Vite)
- I have issue in creating admin user for Voyager Admin panel package in Laravel 5.4
- How to run Laravel auth attempt with multiple check and specific error messages
- PDOException SQLSTATE[HY000] [2002] No such file or directory
- Laravel - how to assert with phpunit and mockery what is passed as constructor argument to another service when it is created?
- Undefined variable $data in Blade component despite passing data from controller
- Order by row and limit result in Laravel 5
- Laravel Custom Package Problem Call to undefined method
- Laravel 11 custom error page handling problem
- Laravel API Not Found
- How do I automatically insert the auth user id when creating a new model with a foreign key in Laravel?
- convert csv file to json object with Laravel
- Display hidden not working with flex in Tailwind
- Livewire 2.2: Undefined variable slot in app.blade.php
- How to express Larvel subqueries to use within a whereIn
- SQL Query, or Eloquent Query a foreach loop
- Laravel update specific data from model where it doesn't have array of ids
- How to use Laravels spatie/laravel analytics package
- Up vote and down vote in Laravel eloquent
- Add 2 array values in Laravel
- How to upload multiple images at once using cloudinary and lumen
- can not use pagination() for an array object in laravel
- SQL query to get users who are following someone and being followed back by same person
- store and update an array as json in mysql database laravel 9
- How to create laravel storage symbolic link for production or sub domain system?