Coder Social home page Coder Social logo

Comments (5)

sethvargo avatar sethvargo commented on July 20, 2024 2

Hi @caquino

Thanks for sending that information over. As the error implies, the "Request had insufficient authentication scopes."

There are two "levels" of auth, oauth scopes and service account permissions. You provided the following scopes to the VM:

None of those scopes provide access to the KMS API. You need to add the following scope to the list:

Since GCP already has fine-grained IAM permissions and you are using a dedicated service account, you may want to drop all scopes and use the generic cloud-platform scope instead. Either way, adding the cloudkms scope will solve this issue. Thanks and let me know if you have any questions!

from berglas.

sethvargo avatar sethvargo commented on July 20, 2024

Hi @caquino

Thanks for opening an issue. From where are you running Container-Optimized OS? Is this inside GKE or GCP?

from berglas.

caquino avatar caquino commented on July 20, 2024

Hi @sethvargo

I'm running it directly on GCP and I've been bumping in corners while trying to make it work.

I'm provisioning a GCP instance running the Container-Optimized OS and starting a container running berglas in exec mode for Atlantis.

I managed to run it with the --local flag, but for then I started to bump on some other issues, like for example that containers running on the Container-Optimized OS can't easily use the service account linked to the instance.

Any pointers on the right direction will be more than welcome, thanks!

from berglas.

sethvargo avatar sethvargo commented on July 20, 2024

Berglas only auto-detects Cloud Functions and Cloud Run because, to the best of my knowledge, you can't set environment variables on an instance. I was investigating using instance metadata as an alternative, but then the destination is unclear.

Can you share some of the errors you are getting? You shouldn't need the service account directly, everything should work provided it has the right permissions.

from berglas.

caquino avatar caquino commented on July 20, 2024

Actually, you can set environment variables for the containers running on the instance, but as you said for the instance would require metadata/cloud-config, this is the gcloud command used, I'm going to change some of the data, but I can share all the info if necessary.

gcloud beta compute --project=$(PROJECT_ID) instances create-with-container atlantis \
	--zone=us-central1-c --machine-type=f1-micro \
	--metadata=google-logging-enabled=true --maintenance-policy=MIGRATE \
	--service-account=<service account> \
	--scopes=https://www.googleapis.com/auth/devstorage.read_only,\
	https://www.googleapis.com/auth/logging.write,\
	https://www.googleapis.com/auth/monitoring.write,\
	https://www.googleapis.com/auth/servicecontrol,\
	https://www.googleapis.com/auth/service.management.readonly,\
	https://www.googleapis.com/auth/trace.append, \
	--container-image=gcr.io/<repo>/atlantis:latest \
	--container-restart-policy=always \
	--container-env="ATLANTIS_GH_TOKEN=berglas://<bucket>/gh-token,ATLANTIS_GH_USER=berglas://<bucket>/gh-user,ATLANTIS_GH_WEBHOOK_SECRET=berglas://<bucket>/gh-webhook-secret,ATLANTIS_REPO_WHITELIST='github.com/<org>/*'"

This is the error I'm receiving:

failed to access secret <bucket>/gh-webhook-secret: failed to decrypt dek: rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.

I've checked the permissions on the bucket and KMS, and this berglas command line worked fine on Cloud Run. I'm not running this on Cloud Run because sadly Atlantis needs persistence.

I'm aware that I could be running this on GKE (using your repo), but I'm looking for a solution with a smaller footprint that will let me run most, if not all terraform, from Atlantis itself, to solve a chicken & egg problem.

And this is how I'm using berglas on my Dockerfile:

FROM runatlantis/atlantis:latest

COPY --from=gcr.io/berglas/berglas:latest /bin/berglas /bin/berglas

ENTRYPOINT exec /bin/berglas exec --local -- /usr/local/bin/docker-entrypoint.sh server

Thanks!

from berglas.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.