
Authenticate GitHub to Google Cloud Platform


I have built an app that works locally as well as deployed on Cloud Run. I am running a workflow in GitHub as part of my CI/CD.

Currently, the tests fail because GitHub is not authenticated. This code, publisher = pubsub_v1.PublisherClient(), triggers:

google.auth.exceptions.DefaultCredentialsError: File *** was not found.

/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/cloud/pubsub_v1/publisher/client.py:139: in __init__
    super().__init__(**kwargs)
/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/pubsub_v1/services/publisher/client.py:492: in __init__
    self._transport = Transport(
/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/pubsub_v1/services/publisher/transports/grpc.py:153: in __init__
    super().__init__(
/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/pubsub_v1/services/publisher/transports/base.py:104: in __init__
    credentials, _ = google.auth.default(
/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/auth/_default.py:615: in default
    credentials, project_id = checker()
/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/auth/_default.py:608: in <lambda>
    lambda: _get_explicit_environ_credentials(quota_project_id=quota_project_id),
/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/auth/_default.py:228: in _get_explicit_environ_credentials
    credentials, project_id = load_credentials_from_file(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

filename = '***'
scopes = None, default_scopes = None, quota_project_id = None, request = None

    def load_credentials_from_file(
        filename, scopes=None, default_scopes=None, quota_project_id=None, request=None
    ):
        """Loads Google credentials from a file.
    
        The credentials file must be a service account key, stored authorized
        user credentials, external account credentials, or impersonated service
        account credentials.
    
        Args:
            filename (str): The full path to the credentials file.
            scopes (Optional[Sequence[str]]): The list of scopes for the credentials. If
                specified, the credentials will automatically be scoped if
                necessary
            default_scopes (Optional[Sequence[str]]): Default scopes passed by a
                Google client library. Use 'scopes' for user-defined scopes.
            quota_project_id (Optional[str]):  The project ID used for
                quota and billing.
            request (Optional[google.auth.transport.Request]): An object used to make
                HTTP requests. This is used to determine the associated project ID
                for a workload identity pool resource (external account credentials).
                If not specified, then it will use a
                google.auth.transport.requests.Request client to make requests.
    
        Returns:
            Tuple[google.auth.credentials.Credentials, Optional[str]]: Loaded
                credentials and the project ID. Authorized user credentials do not
                have the project ID information. External account credentials project
                IDs may not always be determined.
    
        Raises:
            google.auth.exceptions.DefaultCredentialsError: if the file is in the
                wrong format or is missing.
        """
        if not os.path.exists(filename):
>           raise exceptions.DefaultCredentialsError(
                "File {} was not found.".format(filename)
            )
E           google.auth.exceptions.DefaultCredentialsError: File *** was not found.

/opt/hostedtoolcache/Python/3.10.13/x64/lib/python3.10/site-packages/google/auth/_default.py:116: DefaultCredentialsError

I have followed this part of the tutorial, setting the action to authenticate GitHub as the first step of the workflow.

Step 5 of the tutorial seems to be the step where access is actually granted to resources, but the example is too specific, so the issue persists. I am using Pub/Sub; what should the command be?


Solution

  • Because principalSet is not listed as a supported principal of gcloud pubsub topics add-iam-policy-binding, I had to use the service account method.

    I replaced the last step with:

    gcloud secrets add-iam-policy-binding "my-secret" \
      --project="${PROJECT_ID}" \
      --role="roles/pubsub.publisher" \
      --member="serviceAccount:my-service-account@${PROJECT_ID}.iam.gserviceaccount.com"
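
A preflight check for the failure in the traceback, as an added example (not code from the question, the answer or google-auth): it inspects what GOOGLE_APPLICATION_CREDENTIALS points at before a Pub/Sub client is constructed, and distinguishes an exported key from a federation config. The names diagnose_adc and run_constructed_cases and the sample files are constructed for illustration.

```python
import json
import os
import tempfile

# "type" values for the four credential-file kinds named in the docstring above.
KNOWN_TYPES = {
    "service_account": "exported service account key (long-lived secret)",
    "authorized_user": "stored user credentials",
    "external_account": "workload identity federation config (no long-lived key)",
    "impersonated_service_account": "service account impersonation config",
}

def diagnose_adc(environ):
    """Classify what GOOGLE_APPLICATION_CREDENTIALS points at: (status, detail)."""
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return "unset", "variable not set; google.auth.default() tries its other sources"
    if not os.path.exists(path):
        # The condition that raises "File ... was not found." in the traceback.
        return "missing", "variable is set but the file is absent in this job/step"
    try:
        with open(path, encoding="utf-8") as fh:
            info = json.load(fh)
    except ValueError:
        return "invalid", "file exists but is not valid JSON"
    kind = info.get("type") if isinstance(info, dict) else None
    if kind not in KNOWN_TYPES:
        return "unrecognized", "no known credential 'type' field"
    return kind, KNOWN_TYPES[kind]

def run_constructed_cases():
    """Run the check over constructed files (no real credentials involved)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["gone"] = diagnose_adc(
            {"GOOGLE_APPLICATION_CREDENTIALS": os.path.join(tmp, "gha-creds.json")})
        for name, body in [("wif", '{"type": "external_account"}'),
                           ("key", '{"type": "service_account"}'),
                           ("junk", "not json")]:
            path = os.path.join(tmp, name + ".json")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            results[name] = diagnose_adc({"GOOGLE_APPLICATION_CREDENTIALS": path})
    results["unset"] = diagnose_adc({})
    return results

if __name__ == "__main__":
    print(diagnose_adc(os.environ))
```

Run as a step just before the tests, a "missing" result reproduces the error above without constructing a client, and a "service_account" result flags that the job is carrying an exported key rather than a federated identity.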