Comments (5)
Hi @caquino
Thanks for sending that information over. As the error implies, the "Request had insufficient authentication scopes."
There are two "levels" of auth, oauth scopes and service account permissions. You provided the following scopes to the VM:
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
- https://www.googleapis.com/auth/servicecontrol
- https://www.googleapis.com/auth/service.management.readonly
- https://www.googleapis.com/auth/trace.append
None of those scopes provide access to the KMS API. You need to add the following scope to the list:
Since GCP already has fine-grained IAM permissions and you are using a dedicated service account, you may want to drop all scopes and use the generic cloud-platform scope instead. Either way, adding the cloudkms scope will solve this issue. Thanks and let me know if you have any questions!
from berglas.
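The two "levels" described above can be checked separately; the first one, OAuth scopes, is a plain string check. The script below is an added example, not code from berglas or from this thread: it takes a `--scopes`-style list and reports whether any scope in it can reach the Cloud KMS API (`cloudkms` or the superset `cloud-platform`). The `KMS_SCOPE`, `PLATFORM_SCOPE`, `has_kms_scope` and `scope_advice` names are mine, and the metadata-server URL in the comment is where a live instance would get its list from.

```shell
#!/bin/sh
# Added example, not from the berglas project or this issue thread.
# Level 1 of the auth check from the comment above: does a scope list
# (comma- or newline-separated) contain a scope that can reach Cloud KMS?
# Level 2, IAM permissions of the service account on the key, is not checked here.

KMS_SCOPE="https://www.googleapis.com/auth/cloudkms"
PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# Returns 0 when a KMS-capable scope is present, 1 otherwise.
has_kms_scope() {
  for s in $(printf '%s' "$1" | tr ',' ' '); do
    case "$s" in
      "$KMS_SCOPE"|"$PLATFORM_SCOPE") return 0 ;;
    esac
  done
  return 1
}

# Prints the remediation suggested in the thread for a given scope list.
scope_advice() {
  if has_kms_scope "$1"; then
    echo "ok: KMS-capable scope present"
  else
    echo "missing: add $KMS_SCOPE, or replace the list with $PLATFORM_SCOPE"
  fi
}

# Constructed copy of the scopes the VM in this thread was created with.
VM_SCOPES="https://www.googleapis.com/auth/devstorage.read_only,\
https://www.googleapis.com/auth/logging.write,\
https://www.googleapis.com/auth/monitoring.write,\
https://www.googleapis.com/auth/servicecontrol,\
https://www.googleapis.com/auth/service.management.readonly,\
https://www.googleapis.com/auth/trace.append"

# On a running GCE instance the live list (one scope per line) can be read from
# the metadata server and piped into scope_advice (assumed usage, not run here):
#   curl -s -H 'Metadata-Flavor: Google' \
#     http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes

scope_advice "$VM_SCOPES"
scope_advice "$VM_SCOPES,$KMS_SCOPE"
```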
Hi @caquino
Thanks for opening an issue. From where are you running Container-Optimized OS? Is this inside GKE or GCP?
from berglas.
Hi @sethvargo
I'm running it directly on GCP and I've been bumping in corners while trying to make it work.
I'm provisioning a GCP instance running the Container-Optimized OS and starting a container running berglas in exec mode for Atlantis.
I managed to run it with the --local flag, but then I started to bump into some other issues, like for example that containers running on the Container-Optimized OS can't easily use the service account linked to the instance.
Any pointers on the right direction will be more than welcome, thanks!
from berglas.
Berglas only auto-detects Cloud Functions and Cloud Run because, to the best of my knowledge, you can't set environment variables on an instance. I was investigating using instance metadata as an alternative, but then the destination is unclear.
Can you share some of the errors you are getting? You shouldn't need the service account directly, everything should work provided it has the right permissions.
from berglas.
Actually, you can set environment variables for the containers running on the instance, but as you said, doing so for the instance itself would require metadata/cloud-config. This is the gcloud command I used; I'm going to change some of the data, but I can share all the info if necessary.

```shell
gcloud beta compute --project=$(PROJECT_ID) instances create-with-container atlantis \
  --zone=us-central1-c --machine-type=f1-micro \
  --metadata=google-logging-enabled=true --maintenance-policy=MIGRATE \
  --service-account=<service account> \
  --scopes=https://www.googleapis.com/auth/devstorage.read_only,\
https://www.googleapis.com/auth/logging.write,\
https://www.googleapis.com/auth/monitoring.write,\
https://www.googleapis.com/auth/servicecontrol,\
https://www.googleapis.com/auth/service.management.readonly,\
https://www.googleapis.com/auth/trace.append \
  --container-image=gcr.io/<repo>/atlantis:latest \
  --container-restart-policy=always \
  --container-env="ATLANTIS_GH_TOKEN=berglas://<bucket>/gh-token,ATLANTIS_GH_USER=berglas://<bucket>/gh-user,ATLANTIS_GH_WEBHOOK_SECRET=berglas://<bucket>/gh-webhook-secret,ATLANTIS_REPO_WHITELIST='github.com/<org>/*'"
```
This is the error I'm receiving:

```
failed to access secret <bucket>/gh-webhook-secret: failed to decrypt dek: rpc error: code = PermissionDenied desc = Request had insufficient authentication scopes.
```
I've checked the permissions on the bucket and KMS, and this berglas command line worked fine on Cloud Run. I'm not running this on Cloud Run because sadly Atlantis needs persistence.
I'm aware that I could be running this on GKE (using your repo), but I'm looking for a solution with a smaller footprint that will let me run most, if not all, Terraform from Atlantis itself, to solve a chicken-and-egg problem.
And this is how I'm using berglas in my Dockerfile:

```dockerfile
FROM runatlantis/atlantis:latest
COPY --from=gcr.io/berglas/berglas:latest /bin/berglas /bin/berglas
ENTRYPOINT exec /bin/berglas exec --local -- /usr/local/bin/docker-entrypoint.sh server
```
Thanks!
from berglas.