Default credentials not found in Cloud Run

Question content

I am writing a program that uses postgres dialect to talk to cloud spanner. My application is a gin server and I'm using pgadapter to connect as described in this document.

My application runs fine locally. But when I deploy it to the cloud to run, I receive the following log.

This error mainly comes from the startpgadapterwithcredentials function.

func StartPGAdapter(ctx context.Context, project, instance string) (port int, cleanup func(), err error) {
    credentials, err := google.FindDefaultCredentials(ctx)
    fmt.Println("credentials " + (credentials.ProjectID) + "json " + utils.ToString(credentials.JSON) + "ts " + utils.ToString(credentials.TokenSource))
    if err != nil {
        return 0, func() {}, err
    }
    return StartPGAdapterWithCredentials(ctx, project, instance, credentials)
}
func StartPGAdapterWithCredentials(ctx context.Context, project, instance string, credentials *google.Credentials) (port int, cleanup func(), err error) {
    if credentials == nil {
        return 0, func() {}, fmt.Errorf("credentials cannot be nil")
    }
    if credentials.JSON == nil || len(credentials.JSON) == 0 {
        return 0, func() {}, fmt.Errorf("only JSON based credentials are supported")
    }
    credentialsFile, err := os.CreateTemp(os.TempDir(), "pgadapter-credentials")
    if err != nil {
        return 0, func() {}, err
    }

On my local system, google_application_credentials is set up so it is able to get the credentials. However, this does not work when running in the cloud.

How to make it run in cloud run?

Additional information: Follow the examples provided here.

Correct Answer

It looks like you are trying to start the PGAdapter in an embedded container on Cloud Run and then copy the service account credentials from your environment to the PGAdapter Embedded container. The problem is that Cloud Run does not provide access to the underlying service account files. Instead, you should let the Google Cloud library obtain the environment's default credentials.

The difficult part in your example is that you are starting the PGAdapter in an embedded container, which means there are no default credentials in that environment. The recommended way to run a PGAdapter on Cloud Run is to include it in the main container. This will enable the PGAdapter to obtain only the default credentials provided by Cloud Run. This means that you should not specify the -c /path/to/credentials.json parameter when starting the PGAdapter.

There are (at least) two ways to include a PGAdapter in the main container:

1. Add the Java .jar file build to your Docker image and start the PGAdapter in the container. See [this example] to learn how to start a PGAdapter directly from a .jar file. This also requires you to add the Java JRE to the Docker image.
2. Let your Docker build extend the PGAdapter base Docker image. This will automatically include all dependencies required by the PGAdapter. You must override the ENTRYPOINT of the base image.

See Go's PGAdapter Cloud Run Example for an extensive (runnable) example of the latter option.

The above is the detailed content of Default credentials not found in Cloud Run. For more information, please follow other related articles on the PHP Chinese website!