Hi All,
We are running Jenkins as a workload deployed using a Helm chart within a Google Cloud environment and have set up Workload Identity to access Google Cloud APIs. The service account is, say, service-account-project.iam.gserviceaccount.com.
Now we have a step in Jenkins as below:
    withCredentials([file(credentialsId: 'credentials-jenkins-001_service-account-project',
                          variable: 'GOOGLE_APPLICATION_CREDENTIALS')]) {
        sh("""
            gcloud auth configure-docker europe-docker.pkg.dev
            // the key file is passed to the build as a BuildKit secret, not copied into a layer
            docker build -t ${imageTag} --secret id=adc,src=$GOOGLE_APPLICATION_CREDENTIALS .
        """)
    }
and the credential credentials-jenkins-001_service-account-project in Jenkins points to the downloaded JSON key of the service account. I can see the credentials in the Manage Jenkins -> Manage Credentials section.
So can someone help me in setting up this authentication without the need for the downloaded JSON key (credentials-jenkins-001_service-account-project)? We have already set up Workload Identity to access the GCP APIs, and Jenkins is already running in Google Cloud within a GKE cluster. Please help with how we can achieve this.
Are you trying to authenticate to Artifact Registry from Jenkins in order to pull and push Docker images?
Yes, trying to authenticate to Artifact Registry to pull images.
Basically trying to poetry install from Artifact Registry (private repository) for Python packages.
Should I use the in-built service account token variable - /var/run/secrets/kubernetes.io/serviceaccount/token?
As somehow, if no secret is passed, like 'docker build -t ${imageTag} .', I get the below error:
"Failed to find credentials, Please run: `gcloud auth application-default login or export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`"
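For comparison with the step quoted above, here is an added example pipeline (not code from this thread or from Jenkins/Google) that reaches Artifact Registry through GKE Workload Identity alone, with no JSON key and no withCredentials block. It assumes the agent pod runs as a Kubernetes service account annotated iam.gke.io/gcp-service-account with the Google service account from the question, that this Kubernetes SA holds roles/iam.workloadIdentityUser on that Google SA, and that the Google SA holds roles/artifactregistry.reader (writer if the build pushes). The agent label, project, repository, image name and the Poetry source name "private" are placeholders.

```groovy
// Added example, not the original post's code: Artifact Registry auth via Workload Identity.
// Placeholders: agent label, project/repo in IMAGE_TAG, Poetry source name "private".
pipeline {
  agent { label 'gke-wi-agent' }   // assumed label of agents running under the bound Kubernetes SA
  environment {
    AR_HOST   = 'europe-docker.pkg.dev'
    IMAGE_TAG = "europe-docker.pkg.dev/my-project/my-repo/app:${env.BUILD_NUMBER}"  // placeholder
  }
  stages {
    stage('Verify identity') {
      steps {
        // GOOGLE_APPLICATION_CREDENTIALS is deliberately unset: gcloud takes Application
        // Default Credentials from the GKE metadata server. The active account listed here
        // must be the Google service account; if it is not, the pod is not running under
        // Workload Identity and the build should stop before touching any registry.
        sh 'gcloud auth list'
      }
    }
    stage('Build') {
      steps {
        // Triple single quotes: $VARS are expanded by the shell, never by Groovy, so the
        // short-lived token is never interpolated into the pipeline script or its log.
        sh '''
          set -eu

          # Image pulls and pushes to this host go through the gcloud credential helper,
          # which itself relies on Workload Identity. Nothing is stored on disk but the
          # helper mapping in ~/.docker/config.json.
          gcloud auth configure-docker "$AR_HOST" --quiet

          # RUN steps inside the Dockerfile cannot use the pod's identity, so mint a
          # short-lived OAuth2 access token and pass it as a BuildKit secret. It is
          # mounted at /run/secrets/ar_token only for the duration of the RUN step and
          # never lands in an image layer. Matching Dockerfile step (assumed source
          # name "private" in [[tool.poetry.source]] of pyproject.toml):
          #   RUN --mount=type=secret,id=ar_token \\
          #       POETRY_HTTP_BASIC_PRIVATE_USERNAME=oauth2accesstoken \\
          #       POETRY_HTTP_BASIC_PRIVATE_PASSWORD="$(cat /run/secrets/ar_token)" \\
          #       poetry install --no-root
          umask 077
          gcloud auth print-access-token > ar_token.txt
          DOCKER_BUILDKIT=1 docker build -t "$IMAGE_TAG" \
              --secret id=ar_token,src=ar_token.txt .
          rm -f ar_token.txt
        '''
      }
    }
  }
}
```

The token from gcloud auth print-access-token expires on its own, so an accidental leak of the build workspace exposes far less than a JSON key would, and revoking access is a matter of changing the IAM binding rather than rotating a downloaded secret. Passing the token through Poetry's POETRY_HTTP_BASIC_* environment variables rather than poetry config keeps it out of the auth.toml file, which would otherwise be captured in the layer.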
Download the service account private key file. Then take the text from that file and save it as an environment variable value. So the key will be something like ARTIFACT_REGISTRY_KEY and the value will be the contents of the service account file that you downloaded.
Try everything locally before you do it in Jenkins.
See that you can push if you use the contents of that service account file in an environment variable.
Let me know if you get it working; else I can try to find my old notes.