'GCloud authentication race conditions

I'm trying to avoid race conditions with gcloud / gsutil authentication on the same system but different CI/CD jobs on my Gitlab-Runner on a Mac Mini.

I have tried setting the auth manually with

RUN gcloud auth activate-service-account --key-file="gitlab-runner.json"
RUN gcloud config set project $GCP_PROJECT_ID

for the Dockerfile (in which I'm performing a download operation from a Google Cloud Storage bucket).

I'm using a configuration in the bash script to run the docker command and in the same script for authenticating I'm using

gcloud config configurations activate $TARGET

Where I've previously done the above two commands to save them to the configuration.

The configurations are working fine if I start the CI/CD jobs one after the other has finished. But I want to trigger them for all clients at the same time, which causes race conditions with gcloud authentication and one of the jobs trying to download from the wrong project bucket.

How to avoid a race condition? I'm already authenticating before each gsutil command but still its causing the race condition. Do I need something like CloudBuild to separate the runtime environments?

gcloudgsutil


Solution 1:[1]

You can use Cloud Build to get separate execution environments but this might be an overkill for your use case, as a Cloud Build worker uses an entire VM which might be just too heavy, linux containers / Docker can provide necessary isolation as well.

You should make sure that each container you run has a unique config file placed in the path expected by gcloud. The issue may come from improper volume mounting (all the containers share the same location from the host/OS), or maybe you should mount a directory containing their configuration file (unique for each bucket) on running an image, or perhaps you should run gcloud config configurations activate in a Dockerfile step (thus creating image variants for different buckets if it’s feasible).

Alternatively, and I think this solution might be easier, you can switch from Cloud SDK distribution to standalone gsutil distribution. That way you can provide a path to a boto configuration file through an environment variable. Such variables can be specified on running a Docker image.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Priyashree Bhadra

Related Questions

What is the difference between gcloud and gsutil?

How to create a empty folder in google storage(bucket) using gsutil command?

gsutil cp command error, CommandException: NO URLs matched:

gsutil ServiceException: 401 Anonymous caller does not have storage.objects.list access to bucket even though I'm loggedin in gcloud

gcloud promote a version

Completely Uninstall Google Cloud SDK Mac

What is the difference between gcloud and gsutil?

gcloud: The user does not have access to service account "default"

Use google cloud aiplatform with golang

How can I specify the region of a Google Cloud Function?

gsutil ServiceException: 401 Anonymous caller does not have storage.objects.list access to bucket even though I'm loggedin in gcloud

`docker-credential-gcloud` not in system PATH

zipfile write dont find files in gcloud

How can i edit and reduce gcloud SQL instance size (ssd storage)

How to set path to kubectl when installed using gcloud components install?