Tags: docker, google-cloud-platform, dockerfile, google-cloud-run, google-cloud-run-jobs

GCP authentication when testing a container in the local development environment


I'm developing a Cloud Run Job on Windows (.NET/C#).
It is interacting with Cloud Storage so I must be authenticated.
I've set up Application Default Credentials via gcloud auth application-default login and it is running fine locally with dotnet run.

Then I containerize the code, but of course it won't run inside Docker as the application_default_credentials.json is local to the host.
So I've copied this credentials file to the build directory, and added a COPY instruction in the Dockerfile: COPY application_default_credentials.json /root/.config/gcloud/.
It is running fine.

But this solution is not satisfactory:

  • I have to copy the file manually first (as COPY can't access files outside the Build Context which is the current directory),
  • This COPY instruction should be only for local build as it is not necessary once the container is run by Cloud Run in pre-production and production.

I've thought of mounting a volume mapping local %APPDATA%\gcloud to container /root/.config/gcloud which should solve both issues but any other input is welcome.


Solution

  • Yes, you can mount (don't copy) the Application Default Credentials file only (on Linux: ~/.config/gcloud/application_default_credentials.json) into your container.

    Your approach (by using Application Default Credentials ADCs) is correct. The primary advantage is that your code is simplified when it assumes the use of ADC and this simplification creates portability off/on Google Cloud.

    You should consider running the process in your container as a non-root user, as this will impact the location of the key. You can additionally set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to the key:

    podman run \
    --env=GOOGLE_APPLICATION_CREDENTIALS=/secrets/key.json \
    --volume=${HOME}/.config/gcloud/application_default_credentials.json:/secrets/key.json \
    ...
    

    When you run containers that leverage ADC on Google Cloud compute services, authentication is achieved by integration with the Metadata service and you should not set GOOGLE_APPLICATION_CREDENTIALS nor reference or mount keys.
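The answer above leaves the mount and the "skip it on Cloud Run" rule as prose. The script below is an added example (not code from the question or the answer) that turns it into a small POSIX shell helper: it locates the host's ADC file, refuses to mount a downloaded service-account key, emits the `run` flags that mount the file read-only into a non-root container with GOOGLE_APPLICATION_CREDENTIALS pointing at it, and emits nothing when the script itself is executing inside Cloud Run (where the CLOUD_RUN_JOB or K_SERVICE environment variables are set and the metadata server supplies credentials). Assumptions that are not on the page: the image defines a non-root user with UID/GID 1000, the in-container path /secrets/adc.json, and a runtime (docker or podman) selected with CONTAINER_RUNTIME. It is written for a POSIX shell (WSL or Git Bash on the Windows host in the question), and it does not translate Windows drive paths for Docker Desktop.

```shell
#!/bin/sh
# Added example: mount the host's Application Default Credentials into a
# locally run container, read-only, as a non-root user, and only outside
# Cloud Run. Hypothetical names: UID 1000, /secrets/adc.json, CONTAINER_RUNTIME.
set -eu

# Host location of the ADC file: %APPDATA%\gcloud on Windows shells that
# expose APPDATA, ~/.config/gcloud elsewhere.
adc_host_path() {
    if [ -n "${APPDATA:-}" ]; then
        printf '%s\n' "${APPDATA}/gcloud/application_default_credentials.json"
    else
        printf '%s\n' "${HOME}/.config/gcloud/application_default_credentials.json"
    fi
}

# Print the extra `run` arguments needed for local ADC, one per line.
# Prints nothing (and succeeds) when running inside Cloud Run, because the
# metadata server handles authentication there and no key may be mounted.
adc_run_args() {
    adc_file="${1:-$(adc_host_path)}"
    if [ -n "${CLOUD_RUN_JOB:-}${K_SERVICE:-}" ]; then
        return 0
    fi
    if [ ! -r "$adc_file" ]; then
        echo "ADC file not readable: $adc_file (run: gcloud auth application-default login)" >&2
        return 1
    fi
    # Local development should use the developer's own user credential. A
    # downloaded service-account key is a long-lived secret; refuse to mount it.
    if grep -q '"type": *"service_account"' "$adc_file"; then
        echo "refusing to mount a service-account key as ADC: $adc_file" >&2
        return 1
    fi
    printf '%s\n' \
        "--user=1000:1000" \
        "--env=GOOGLE_APPLICATION_CREDENTIALS=/secrets/adc.json" \
        "--volume=${adc_file}:/secrets/adc.json:ro"
}

# Usage: run_local IMAGE [ARGS...]   e.g.  run_local my-job:dev
run_local() {
    image="$1"; shift
    runtime="${CONTAINER_RUNTIME:-docker}"
    args=$(adc_run_args) || return 1
    # Split the emitted flags on newlines only, so a path with spaces survives.
    old_ifs=$IFS; IFS='
'
    set -- $args "$image" "$@"
    IFS=$old_ifs
    "$runtime" run --rm "$@"
}
```

Because the flags are generated rather than baked into the Dockerfile, the image needs no COPY of the credentials file and the same image is what Cloud Run runs in pre-production and production; the only local-specific piece is the mount, and it is skipped automatically when CLOUD_RUN_JOB or K_SERVICE is present.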