#How to inject JSON GCP credentials into a container via Secrets without getting ETOOBIG


frank flame

Hi all! First time poster as I try to work out the idiomatic way to solve what is probably a very normal thing. I have a GCP Service Account JSON key that I need to make available to a function. What is the normal way to pass a secret that is a file? I am trying to pass it in via a file: directive of the dagger call for a parameter that is a dagger.Secret. But when I run my pipeline this way, the step trying to authenticate using the injected file fails silently in the way that would happen if there was no such auth key present.

I notice this suspicious ETOOBIG message in the output for the with_new_file:

    .withNewFile(contents: ETOOBIG:sha256:<sha>, path: "/gcloud_jsonkey.json")

which was called like so:

    async def build_env(self, source: dagger.Directory, gcloudkey: dagger.Secret) -> dagger.Container:
        """Build a ready-to-use development environment"""
        gcloud_secret = await gcloudkey.plaintext()

        return (
            self.base_cuda_img(source)
            .with_new_file("/gcloud_jsonkey.json", gcloud_secret)
            .with_exec(["gcloud", "auth", "activate-service-account", "--key-file", "/gcloud_jsonkey.json"])
            .with_directory("/src", source)
            .with_workdir("/src")
            .with_exec(["poetry", "install"])
        )

There are several aspects to this which I can imagine are not quite the idiom however ❤️

deep cloak

Hey!

ETOOBIG

This is a common thing that happens because there is a limit to the amount of contents that we will show in a given span. It's not a part of the issue here.

    .with_new_file("/gcloud_jsonkey.json", gcloud_secret)

I suspect the problem may be here. Can you please try to use with_mounted_secret instead of with_new_file?

In either case I'd also suggest calling this function and appending terminal so that you can pop into a shell and debug (if you have not already, it's the best part of dagger functions :D)

something like this:

    dagger call build-env --source . --gcloudkey=file:gcloud.json terminal

frank flame

Amazing. Thanks! That indeed both solves my problem and reveals the clear and idiomatic way. I simply didn't know about the with_mounted_secret. I found it in the API reference, but is it documented somewhere in the more verbose docs page? Maybe I can submit a PR mentioning it on the secrets page once GitHub recovers from their outage ...
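
The with_mounted_secret approach suggested in the thread, written out as an added example (not code posted by either participant): the key stays a dagger.Secret instead of being turned into a string with plaintext(). The helper name `with_gcloud_auth`, the mount path `KEY_PATH`, and the `RecordingContainer` stand-in used for an engine-free dry run are assumptions made for illustration.

```python
from typing import TYPE_CHECKING

if TYPE_CHECKING:  # only needed for type hints; no runtime import required
    import dagger

# Assumed mount point; any path gcloud can read works.
KEY_PATH = "/run/secrets/gcloud_jsonkey.json"


def with_gcloud_auth(ctr: "dagger.Container", gcloudkey: "dagger.Secret") -> "dagger.Container":
    """Authenticate gcloud inside `ctr` from a mounted secret.

    No plaintext() call and no with_new_file(): the JSON key is never passed
    to the API as a string argument, only as a Secret reference.
    """
    return (
        ctr
        .with_mounted_secret(KEY_PATH, gcloudkey)
        .with_exec(["gcloud", "auth", "activate-service-account", "--key-file", KEY_PATH])
    )


class RecordingContainer:
    """Constructed stand-in for dagger.Container that records chained calls."""

    def __init__(self, calls=()):
        self.calls = tuple(calls)

    def __getattr__(self, name):
        # Any container method returns a new recorder with the call appended.
        def step(*args):
            return RecordingContainer(self.calls + ((name, args),))
        return step


def dry_run(secret_handle="SECRET-HANDLE"):
    """Return the calls with_gcloud_auth would issue, without a Dagger engine."""
    return with_gcloud_auth(RecordingContainer(), secret_handle).calls


if __name__ == "__main__":
    for name, args in dry_run():
        print(name, args)
```

In the module from the question, `build_env` would call `with_gcloud_auth(self.base_cuda_img(source), gcloudkey)`, continue the chain with `with_directory`, and drop the `await gcloudkey.plaintext()` line. gcloud stores activated credentials in its config directory inside the container, so treat the resulting container as holding key material.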