在构建期间将文件从GCS复制到Cloud Run docker容器中 [英] Copy files from GCS into a Cloud Run docker container during build

问题描述

我正在尝试使用 gsutil 在构建步骤中将文件从GCS复制到运行容器中.

I am trying to use gsutil to copy a file from GCS into a Run container during the build step.

我尝试过的步骤:

RUN pip install gsutil
RUN gsutil -m cp -r gs://BUCKET_NAME $APP_HOME/artefacts

错误:

ServiceException: 401 Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object.
CommandException: 1 file/object could not be transferred.
The command '/bin/sh -c gsutil -m cp -r gs://BUCKET_NAME $APP_HOME/artefacts' returned a non-zero code: 1
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1

该服务帐户(默认计算和Cloudbuild)确实可以访问GCS，并且我还尝试了 gsutil config -a 以及其他各种标志，但均未成功！

The service account (default compute & cloudbuild) does have access to GCS, and I have also tried to gsutil config -a and with various other flags with no success!

我不确定应该如何进行身份验证才能成功访问存储桶.

I am not sure on exactly how I should authenticate to successfully access the bucket.

推荐答案

这是我的github动作

Here my github action job

jobs:
  build:
    name: Build image
    runs-on: ubuntu-latest

    env:
      BRANCH: ${GITHUB_REF##*/}
      SERVICE_NAME: ${{ secrets.SERVICE_NAME }}
      PROJECT_ID: ${{ secrets.PROJECT_ID }}

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      # Setup gcloud CLI
      - uses: google-github-actions/setup-gcloud@master
        with:
          service_account_key: ${{ secrets.SERVICE_ACCOUNT_KEY }}
          project_id: ${{ secrets.PROJECT_ID }}
          export_default_credentials: true

      # Download the file locally
      - name: Get_file
        run: |-
          gsutil cp gs://BUCKET_NAME/path/to/file .


      # Build docker image
      - name: Image_build
        run: |-
          docker build -t gcr.io/$PROJECT_ID/$SERVICE_NAME .

      # Configure docker to use the gcloud command-line tool as a credential helper
      - run: |
          gcloud auth configure-docker -q

      # Push image to Google Container Registry
      - name: Image_push
        run: |-
          docker push gcr.io/$PROJECT_ID/$SERVICE_NAME

您必须设置3个秘密:

• SERVICE_ACCOUNT_KEY:这是您的服务帐户密钥文件
• SERVICE_NAME:您的容器的名称
• PROJECT_ID:将映像部署到的项目

由于您是在本地下载文件，因此该文件在Docker构建中本地存在.然后，只需在docker文件中将其复制并执行所需操作即可.

Because you download the file locally, the file is locally present in the Docker build. Then, simply COPY it in the docker file and do what you want with it.

更新

如果您想在docker中进行此操作，则可以像这样实现

If you want to do this in docker, you can achieve this like that

Dockerfile

Dockerfile

FROM google/cloud-sdk:alpine as gcloud
WORKDIR /app
ARG KEY_FILE_CONTENT
RUN echo $KEY_FILE_CONTENT | gcloud auth activate-service-account --key-file=- \
  && gsutil cp gs://BUCKET_NAME/path/to/file .

....
FROM <FINAL LAYER>
COPY --from=gcloud /app/<myFile> .
....

Docker构建命令

The Docker build command

docker build --build-arg KEY_FILE_CONTENT="YOUR_KEY_FILE_CONTENT" \
  -t gcr.io/$PROJECT_ID/$SERVICE_NAME .

YOUR_KEY_FILE_CONTENT 取决于您的环境.这里有一些注入它的解决方案:

YOUR_KEY_FILE_CONTENT depends on your environment. Here some solution to inject it:

• 在Github上操作: $ {{secrets.SERVICE_ACCOUNT_KEY}}
• 在您的本地环境中: $(cat my_key.json)

这篇关于在构建期间将文件从GCS复制到Cloud Run docker容器中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！