Create temporary file containing Google credentials if GOOGLE_CREDENTIALS is provided
#180
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cyrilgdn
requested changes
May 4, 2022
There was a problem hiding this comment.
Hi,
Thanks for your work on that and sorry for the late response.
Could you merge master in your branch?
Even if writing credentials in a random file on disk does not seem really good in a security point of view, I'm ok with this workaround, but:
- I'd make it optional with a setting in the provider. Maybe not everyone wants they Google credentials written on the disk if they don't need it.
- Could you document it here
- I'm a bit worried about the fact that these files are not cleanup. I guess in the main purpose, i.e.: Terraform cloud, it's not a problem, but in another context, on every
terraformcommand, a new credentials file will be created and never cleaned up (except on computer restart). I don't see any way in the provider SDK to clean up stuff before leaving but if you have an idea?
|
|
||
| tmpFile, err := os.CreateTemp("", "") | ||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
Suggested change
| return err | |
| return fmt.Errorf("could not create temporary file: %w", err) |
|
|
||
| _, err = tmpFile.WriteString(rawGoogleCredentials) | ||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
Suggested change
| return err | |
| return fmt.Errorf("could not write in temporary file: %w", err) |
|
hi! any updates here? I have a similar issue with remote execution and have to make a sad hack around with pre-hook/post-hook so it'd be awesome to utilize at least this method |
|
I would also love to have this feature. I can try to incorporate the requested changes. |
@kevinjcash Feel free to do it 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On Terraform Cloud, we do not have access to the file system and thus cannot prepare a credentials file for this provider. The official GCP provider supports the
GOOGLE_CREDENTIALSenvironment variable which should contains the JSON key directly.This PR adds support for this environment variable, will create a temporary file containing the JSON key and will set the
GOOGLE_APPLICATION_CREDENTIALSto the path of this temporary file.This work was cherry-picked from @Deiz 's fork repository.
Closes #138