docker build gsutil authentication problem

[Øyvind Harboe]

I have successfully used gsutil cp during a docker build from Google Cloud Build when using the kaniko build step, but as kaniko caching is counterproductive to performance in my case(it includes copying around 100's of gigabytes of data), I would like to use the gcr.io/cloud-builders/docker approach instead.

However, when I try to use gsutil cp from a docker build under Google Cloud Build, but I'm getting the error message below:

ServiceException: 401 Anonymous caller does not have storage.objects.get access ...

This is my google cloud build step:

steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/quartus:latest', '-f', 'workflow/cloudbuild/quartus.Dockerfile', '.' ]

Q: how can I add the credentials that kaniko is obviously adding to the build step above?

Cheers,

[Jad El Houssami]

Hello, 

This error is being thrown because the docker build doesn’t have permission to copy from the bucket. You will need to create a service account and use it to identify requests coming from the docker build in question. Don’t forget to include the following line in your Dockerfile before any ‘gsutil cp’ operations, [PATH] should point towards the JSON file that contains your service account key:

RUN export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

Additionally, you’ll want to give the service account the necessary Cloud Storage permissions to perform ‘gsutil cp’, you may refer to this page for the list of required permissions to execute the operation. 

For future posts, please keep in mind that Google Groups are generally reserved for discussions and opinions about Google products, you may want to refer to Stack Exchange for how-to and technical questions since the answer-question format on those sites will give your question greater visibility. Hopefully, this information helps point you in the right direction.