-
Using GCP services with Dagster requires authentication. How do you handle authenticating to GCP services in Dagster? One approach:
Step 2: export GCP_CREDS_JSON_CREDS_BASE64="$(cat $GOOGLE_AUTH_CREDENTIALS | base64)" Step 3: import os
import json
import base64
AUTH_FILE = "/tmp/gcp_creds.json"
with open(AUTH_FILE, "w") as f:
json.dump(json.loads(base64.b64decode(os.getenv("GCP_CREDS_JSON_CREDS_BASE64"))), f)
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = AUTH_FILE A benefit to this approach is that it allows you to add the encoded GCP credentials as an environment variable either locally or in Dagster Cloud. |
Beta Was this translation helpful? Give feedback.
Replies: 5 comments 6 replies
-
Answer in first post! (See the "Google Workload Identity" suggestion below as well) |
Beta Was this translation helpful? Give feedback.
-
thanks @slopp, it worked here you know why we just can't use |
Beta Was this translation helpful? Give feedback.
-
I would instead use Google workload identity. It's much easier to implement and maintain. With Google workload identity you can assign GCP permissions to Kubernetes service accounts. It's not necessary to deal with keys and JSON files. As long as dagster is using the right Kubernetes service account, it will have the right permissions. |
Beta Was this translation helpful? Give feedback.
-
@slopp thanks so much for this guide. in step 3, how do you view the b64 encoded string to paste it into a dagster cloud environment variable? I tried using cat and printf to write the b64 string to a file but the code above throws a decoding error when I try to use it. It works if I don't change the env variable set by |
Beta Was this translation helpful? Give feedback.
-
@slopp How do you test with this? This works fine locally and on serverless but we don't want to expose our usual environment to our test suite and this runs eagerly. |
Beta Was this translation helpful? Give feedback.
Answer in first post! (See the "Google Workload Identity" suggestion below as well)