node.js, google-cloud-platform, google-api-nodejs-client, google-cloud-run

Authenticate Google Cloud Run application in production


According to https://cloud.google.com/docs/authentication/production, in a Cloud Run environment, by default, if the GOOGLE_APPLICATION_CREDENTIALS environment variable is not set, the default Compute Service account is used.

I just deployed a basic node container image, which uses the googleapis library like so:

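const { google } = require('googleapis');

// No keyFile or credentials option is passed, so GoogleAuth resolves
// Application Default Credentials (GOOGLE_APPLICATION_CREDENTIALS is checked first).
async function authorize() {
  const auth = new google.auth.GoogleAuth({
    scopes: [],
  });
  const client = await auth.getClient();
  return client;
}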

However, in the Cloud Run log, I can see the container failed to start with the following error:

Error: The file at credentials/service_account.json does not exist, or it is not a file. ENOENT: no such file or directory, lstat '/app/credentials'
    at Object.realpathSync (fs.js:1546:7)
    at GoogleAuth._getApplicationCredentialsFromFilePath (/app/node_modules/google-auth-library/build/src/auth/googleauth.js:250:27)
    at GoogleAuth._tryGetApplicationCredentialsFromEnvironmentVariable (/app/node_modules/google-auth-library/build/src/auth/googleauth.js:192:25)
    at GoogleAuth.getApplicationDefaultAsync (/app/node_modules/google-auth-library/build/src/auth/googleauth.js:130:33)
    at GoogleAuth.getClient (/app/node_modules/google-auth-library/build/src/auth/googleauth.js:502:28)
    at Object.authorize (/app/api.js:18:29)
    at Object.<anonymous> (/app/index.js:547:4)
    at Module._compile (internal/modules/cjs/loader.js:1158:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1178:10)
    at Module.load (internal/modules/cjs/loader.js:1002:32) {

So for some reason, it seems like the default service account is not being used. Does anyone know what I might be missing here?


Solution

  • Turns out, I was including the .env file in the build. That file contains the environment variable GOOGLE_APPLICATION_CREDENTIALS. Excluding that file from the Docker build fixed the issue.
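
A startup preflight for the failure described above, as an added example that is not part of the original question or answer: it reports whether a shipped .env sets GOOGLE_APPLICATION_CREDENTIALS and whether the path it names exists, before GoogleAuth is constructed. The names preflight, credsVarInDotenv and appDir are hypothetical, and appDir is assumed to be both the image's app root and the process working directory.

```javascript
// Added example (not from the original post): ADC preflight for a container image.
const fs = require('fs');
const os = require('os');
const path = require('path');

const VAR = 'GOOGLE_APPLICATION_CREDENTIALS';

// Return the value a dotenv-style file assigns to VAR (last assignment wins), or null.
// Comment lines start with '#', so they never match the assignment pattern.
function credsVarInDotenv(text) {
  let found = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().replace(/^export\s+/, '');
    const m = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (m && m[1] === VAR) found = m[2].trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return found;
}

// Classify how Application Default Credentials will resolve for this process.
// Assumption: with VAR unset on Cloud Run, the service's attached account is used.
function preflight(env, appDir) {
  const dotenv = path.join(appDir, '.env');
  const shipped = fs.existsSync(dotenv)
    ? credsVarInDotenv(fs.readFileSync(dotenv, 'utf8'))
    : null;
  const keyPath = env[VAR];
  if (!keyPath) return { mode: 'attached-service-account', shippedDotenv: shipped };
  const resolved = path.resolve(appDir, keyPath);
  const isFile = fs.existsSync(resolved) && fs.statSync(resolved).isFile();
  return { mode: isFile ? 'key-file' : 'broken-key-path', shippedDotenv: shipped };
}

// Constructed sample: an app directory that shipped a .env, as in the question.
function demo() {
  const appDir = fs.mkdtempSync(path.join(os.tmpdir(), 'adc-preflight-'));
  const envFile = path.join(appDir, '.env');
  fs.writeFileSync(envFile,
    '# local development only\n' + VAR + '="credentials/service_account.json"\n');
  const leaked = credsVarInDotenv(fs.readFileSync(envFile, 'utf8'));
  const withLeak = preflight({ [VAR]: leaked }, appDir); // .env loaded at startup
  const clean = preflight({}, appDir);                    // variable never set
  fs.rmSync(appDir, { recursive: true, force: true });
  return { leaked, withLeak, clean };
}

console.log(demo());
```

A non-null shippedDotenv is worth failing the build on even when mode is attached-service-account, since it means a local .env reached the image.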