Search code examples
google-cloud-platformgithub-actionsgoogle-cloud-run

Google Cloud Run: Cannot authenticate with github ci-cd, ValueError: Could not deserialize key data, using gcloud auth login --cred-file

I was trying to deploy my project using github actions, i have ci-cd.yml like this :

name: CI/CD Project
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
    types: [opened, synchronize, reopened]
  workflow_dispatch:

jobs:
  build-deploy:
    runs-on: ubuntu-latest
    steps:          
      - name: Code Checkout
        uses: actions/checkout@master
      - name: create credentials
        working-directory: backend
        run: |-
          echo > credentials.txt && echo "${{secrets.GOOGLE_APPLICATION_CREDENTIALS}}" >> credentials.txt

My secrets.GOOGLE_APPLICATION_CREDENTIALS in github secrets is a json like:

{
  "type": "service_account",
  "project_id": "xxx",
  "private_key_id": "xxx",
  "private_key": "xxx",
  "client_email": "[email protected]",
  "client_id": "xxx",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/github-actions%40xxx.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}

In my window, with Google Cloud SDK Shell, I logon with gcloud auth login --cred-file=[my credentials file path] and it successfully.

When github perform action, i got error:

Run gcloud auth login --cred-file=credentials.txt
  gcloud auth login --cred-file=credentials.txt
  shell: /usr/bin/bash -e ***0***
  env:
    CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
    CLOUDSDK_METRICS_ENVIRONMENT_VERSION: 1.1.1
ERROR: gcloud crashed (ValueError): ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

Note that my secrets was added successfully.

Solution

  • ERROR: gcloud crashed (ValueError): ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

    Apparently, the private_key format is not correct. You need to verify and fix that.

    Also, make sure to use single quotes around ${{...}} expressions. Depending on the shell being used, in your case it's Bash (ubuntu-latest), the expression may contain characters expandable by the shell which may not be desirable.

    Apart from that, echo > credentials.txt is redundant. You can skip it altogether and dump credentials directly like this:

    echo '${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}' > credentials.txt

    You might want to use the .json extension instead of .txt as the contents of the file are a valid JSON:

    credentials.txt => credentials.json